Threat Research

Finding Similarities and Differences at DEX Level

By Axelle Apvrille | July 30, 2012

Some time ago, I analyzed two similar samples of Android/Smsilence.A!tr.spy, a fake Vertu application that spies on its victim. One of the samples was targeting a Japanese audience, while the other sample was for Korean end-users. I was interested in finding their similarities (and differences).
At (decompiled) source code level, I identified for instance a similarity: both samples check incoming SMS messages and download another payload if the message body contains the keyword 113, or deletes it if the SMS comes from 1588366. See below, identical portions of the code are highlighted in a yellow box.
identical 113 jp identical 113 kr
Ok, that's easy :) But where does that map to in the DEX file? That's a bit more difficult to find out perhaps. We need to find out where that part of code starts in the DEX file. 010 Editor is quite handy for this. We load the DEX file of a sample, and apply a DEX template to it.
The code we want to spot is located in a method named onReceive() in class catchsms2. In 010 Editor, we locate the method, and then the structure for its code (code_item). The method's byte-code is contained in an array, named insns[], byte per byte. This array begins at offset 0xb30.
catchsmsonReceive 010
We've not finished yet, because the identical portions we identified are not exactly at the beginning of the method. Let's find their offset within the method. The insns[] table shown by 010 Editor contains the opcodes of each Dalvik instruction in the method. It would be quite a burden to spot the right opcode that way. Instead, we are going to use Androguard. We show the dalvik byte code of onReceive().

$ ./androlyze -s
In [1]: a, d, dx = AnalyzeAPK('', decompiler="dad")
In [2] d.CLASS_Lcom_vertu_jp_catchsms2.METHOD_onReceive.pretty_show()

Within the bytecode, we spot the part where the malware tests if the message body contains keyword 113. Exactly, the part of code we are trying to locate starts with a aget-object instruction. Note the hexadecimal numbers besides it: it is the offset within the method: 0x32a.
djp androguard onreceive
So, our identical code is located in the DEX file at offset 0xb30 + 0x32a = 0xe5a. Want to check? Use my script and decompile the DEX file at that exact location:
djp androdis onreceive
Yes, that's it! (note it starts with the aget-object instruction). And the opcodes for that in the DEX file are: 46 17 0d 06 74 01 0e 00 etc.
-- the Crypto Girl

Join the Discussion