Introduction to Android Malware Analysis with Ghidra
Android malware continues to evolve in sophistication, making robust analysis tools indispensable for security researchers and incident responders. Static analysis, the process of examining an application’s code without executing it, is a critical first step in understanding malware behavior. Ghidra, the open-source reverse engineering framework developed by the NSA, has become a formidable tool for this task. While primarily known for native code analysis, its capabilities extend to Java bytecode, making it highly effective for dissecting Android applications. This guide will walk you through the process of setting up Ghidra and using it to statically analyze Android malware, revealing its hidden functionalities.
Prerequisites for Android Malware Decompilation
Before diving into Ghidra, ensure you have the following tools installed and configured:
- Java Development Kit (JDK): Ghidra is Java-based and requires a JDK (version 11 or higher is recommended) to run.
- Android SDK Platform Tools: Essential for ADB (Android Debug Bridge) if you later venture into dynamic analysis, though not strictly required for static analysis in Ghidra itself.
- Ghidra: Download the latest stable release from its official GitHub page.
- apktool: A command-line utility to reverse engineer Android APK files, allowing extraction of resources and the AndroidManifest.xml. Download from Apktool's website.
- dex2jar: A tool for converting Dalvik Executable (DEX) files, which are native to Android, into Java Archive (JAR) files, which Ghidra's Java decompiler can readily process. Download from dex2jar's GitHub.
Step 1: Obtain and Prepare the Android Malware Sample
First, you need an Android Application Package (APK) file suspected of being malicious. These can be sourced from various online malware repositories (e.g., VirusTotal, Any.Run) or your own honeypots.
Decompiling the APK with apktool
Use apktool to extract the APK’s resources and the AndroidManifest.xml. This manifest file is crucial as it declares permissions, components (activities, services, broadcast receivers), and entry points, which will guide your Ghidra analysis.
apktool d example_malware.apk -o malware_extracted
This command will create a directory named malware_extracted containing the decompiled resources, including the `AndroidManifest.xml` and the Dalvik Executable (DEX) files (e.g., classes.dex, classes2.dex) in the `smali` directory.
Step 2: Convert DEX to JAR using dex2jar
Ghidra’s Java decompiler is optimized for Java bytecode within JAR or CLASS files. Android applications, however, use Dalvik bytecode stored in DEX files. Therefore, we need to convert the DEX files to JAR files.
./d2j-dex2jar.sh malware_extracted/classes.dex -o malware_classes.jar
If your malware uses multiple DEX files (e.g., classes2.dex), repeat this process for each one, creating `malware_classes2.jar`, and so on. Consolidating them into a single JAR may also be an option depending on the malware’s structure.
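As an added example (not part of the original guide), the following POSIX shell script automates Steps 1 and 2 end to end: it runs apktool, converts every classes*.dex it finds with d2j-dex2jar.sh using the malware_classesN.jar naming above, and then pulls the declared permissions and exported components out of the decoded AndroidManifest.xml so you know which entry points to open first in Ghidra. It assumes apktool and d2j-dex2jar.sh are on PATH (override with the APKTOOL and D2J variables) and passes apktool's -s flag so the raw DEX files are kept in the output directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes apktool and
# d2j-dex2jar.sh are on PATH (override with APKTOOL / D2J).
set -eu

APKTOOL=${APKTOOL:-apktool}
D2J=${D2J:-d2j-dex2jar.sh}

# classes.dex -> malware_classes.jar, classes2.dex -> malware_classes2.jar,
# the naming used above, so multi-DEX samples stay distinguishable in Ghidra.
jar_name_for() {
    printf 'malware_%s.jar\n' "$(basename "$1" .dex)"
}

# Convert every classes*.dex under $1 into a JAR under $2; prints the count.
convert_all_dex() {
    extracted=$1; outdir=$2; n=0
    mkdir -p "$outdir"
    for dex in "$extracted"/classes*.dex; do
        [ -e "$dex" ] || break                    # glob matched nothing
        "$D2J" "$dex" -o "$outdir/$(jar_name_for "$dex")" >&2   # keep stdout clean
        n=$((n + 1))
    done
    echo "$n"
}

# android:name of every <uses-permission> in a decoded AndroidManifest.xml.
manifest_permissions() {
    sed -n 's/.*<uses-permission[^>]*android:name="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Components reachable from other apps (android:exported="true"): together
# with broadcast receivers these are the entry points to open first in Ghidra.
exported_components() {
    grep -E -o '<(activity|service|receiver)[^>]*android:exported="true"[^>]*>' "$1" \
        | sed -n 's/.*android:name="\([^"]*\)".*/\1/p' | sort -u
}

# Full pipeline: hash the sample, apktool d (-s keeps classes*.dex raw),
# convert every DEX, then print the triage hints.
triage_apk() {
    apk=$1; work=${2:-malware_extracted}
    sha256sum "$apk"
    "$APKTOOL" d "$apk" -o "$work" -f -s
    convert_all_dex "$work" "${work}_jars"
    manifest_permissions "$work/AndroidManifest.xml"
    exported_components "$work/AndroidManifest.xml"
}

if [ $# -gt 0 ]; then triage_apk "$@"; fi
```

Run it as `sh triage.sh example_malware.apk` and import the JARs from `malware_extracted_jars/` into Ghidra in Step 3.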
Step 3: Import the JAR into Ghidra
Now, launch Ghidra and set up your project:
- Create a New Project: In the Ghidra Project Window, go to File > New Project.... Choose