Android Software Reverse Engineering & Decompilation

Android Malware RE Lab: Practical Static Analysis of APKs Using Ghidra


Introduction: The Crucial Role of Static Analysis in Android Malware Reversing

Android’s dominance in the mobile market makes it a prime target for malicious actors. Understanding and dissecting Android malware is a critical skill for security researchers and incident responders. While dynamic analysis provides insights into runtime behavior, static analysis, the examination of an application’s code without executing it, forms the bedrock of any thorough reverse engineering effort. Ghidra, a powerful software reverse engineering (SRE) suite developed by the NSA, offers an unparalleled platform for statically analyzing various architectures, including the Dalvik bytecode found in Android applications.

This article provides a practical, expert-level guide to performing static analysis on Android Application Packages (APKs) using Ghidra. We’ll cover the necessary setup, walk through the process of importing an APK, and demonstrate how to leverage Ghidra’s features to uncover malicious functionalities.

Setting Up Your Android Reverse Engineering Lab

Before diving into Ghidra, ensure your environment is properly configured. You’ll need:

  • Ghidra: Download the latest version from the official GitHub page. Requires Java Development Kit (JDK) 11 or newer.
  • Java Development Kit (JDK): Install JDK 11 or higher.
  • Android SDK Tools: Specifically, platform-tools for ADB (Android Debug Bridge).
  • apktool: For disassembling and reassembling APKs. Download from its official site.
  • dex2jar: A critical tool for converting Dalvik bytecode (DEX) files into Java Archive (JAR) files, which Ghidra can then decompile more effectively. Download from its GitHub repository.

Verify your installations:

java -version
ghidraRun # To launch Ghidra
apktool --version
d2j-dex2jar.sh # Or d2j-dex2jar.bat on Windows

Understanding Android APK Structure for Static Analysis

An APK is essentially a ZIP archive. Key components for reverse engineering include:

  • AndroidManifest.xml: Declares permissions, components (activities, services, broadcast receivers, content providers), hardware features, and minimum SDK version. It’s often obfuscated.
  • classes.dex (or classes2.dex, etc.): Contains the Dalvik bytecode of the application. This is our primary target for Ghidra.
  • res/: Resources like layouts, strings, images.
  • lib/: Native libraries (e.g., .so files) for different architectures (ARM, x86).

Preparing an APK for Ghidra: DEX to JAR Conversion

Ghidra excels at decompiling Java bytecode, but Android uses Dalvik bytecode. The dex2jar tool bridges this gap.

Step 1: Extract the classes.dex file

First, extract the contents of your target APK. You can simply rename the .apk file to .zip and extract it, or use apktool.

unzip malicious.apk -d malicious_extracted
# or
apktool d malicious.apk -o malicious_decoded

Locate the classes.dex file in the extracted directory (e.g., malicious_extracted/classes.dex).

Step 2: Convert DEX to JAR using dex2jar

Navigate to your dex2jar directory and run the conversion script:

cd /path/to/dex2jar-x.y
./d2j-dex2jar.sh /path/to/malicious_extracted/classes.dex -o malicious.jar

This will produce a malicious.jar file, which is now ready for Ghidra.
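As an added example (not part of the original article and not code from dex2jar, apktool or Ghidra), the following Python script automates the two steps above in a multidex-aware way: it inventories the APK as a ZIP archive, checks every classes*.dex entry for a real DEX header, records a SHA-256 for the case notes, lists native libraries under lib/, and emits one d2j-dex2jar.sh command per DEX so that classes2.dex and later are not forgotten. The sample APK is constructed inline, and the directory name malicious_extracted is assumed from the text.

```python
import hashlib
import io
import re
import shlex
import zipfile

DEX_MAGIC = b"dex\n"  # a DEX header is "dex\n" + 3-digit version (e.g. 035) + NUL
DEX_NAME_RE = re.compile(r"^classes\d*\.dex$")  # classes.dex, classes2.dex, ...


def inventory_apk(apk_bytes: bytes) -> dict:
    """List what matters for static analysis: manifest, every DEX (multidex aware), native libs."""
    info = {"manifest": False, "dex": [], "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                info["manifest"] = True
            elif DEX_NAME_RE.match(name):
                data = zf.read(name)
                info["dex"].append({
                    "name": name,
                    "sha256": hashlib.sha256(data).hexdigest(),  # record for the case notes
                    "valid_header": data[:4] == DEX_MAGIC and data[7:8] == b"\0",
                })
            elif name.startswith("lib/") and name.endswith(".so"):
                info["native_libs"].append(name)  # native code, not handled by dex2jar
    # Numeric order: classes.dex, classes2.dex, ..., classes10.dex (not lexicographic).
    info["dex"].sort(key=lambda d: int(d["name"][7:-4] or 1))
    return info


def dex2jar_commands(info: dict, extracted_dir: str = "malicious_extracted") -> list:
    """One d2j-dex2jar.sh call per real DEX, so classes2.dex and later are not forgotten."""
    cmds = []
    for d in info["dex"]:
        if not d["valid_header"]:
            continue  # named like a DEX but is not one: do not feed it to dex2jar
        src = shlex.quote(f"{extracted_dir}/{d['name']}")
        jar = shlex.quote(d["name"].replace(".dex", ".jar"))
        cmds.append(f"./d2j-dex2jar.sh {src} -o {jar}")
    return cmds


def build_sample_apk() -> bytes:
    """Constructed stand-in for malicious.apk: manifest, two DEX entries, one decoy and one .so."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header bytes only
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("classes2.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("classes3.dex", b"not a dex file")  # decoy entry to exercise the header check
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
    return buf.getvalue()
```

Run it against a real sample by replacing build_sample_apk() with the bytes of the APK file; the emitted commands are meant to be run from the dex2jar directory after the APK has been unzipped as shown above.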

Importing and Initial Analysis in Ghidra

Step 1: Create a New Ghidra Project

Launch Ghidra. Go to File > New Project..., select
