Introduction: Unlocking Android Malware with Ghidra
Android’s dominance in the mobile market unfortunately makes it a prime target for malicious actors. Understanding and dissecting Android malware is a critical skill for security researchers and threat hunters. While dynamic analysis provides valuable runtime insights, static analysis—examining the application’s code without executing it—offers a foundational understanding of its capabilities, command-and-control (C2) mechanisms, and obfuscation techniques. This guide will walk you through a comprehensive workflow for statically analyzing Android APKs using Ghidra, a powerful open-source reverse engineering framework.
Ghidra, developed by the NSA, provides a suite of tools for disassembling, assembling, decompiling, graphing, and scripting various binaries. Its extensibility and support for multiple architectures, including Dalvik bytecode, make it an indispensable tool for Android malware analysis.
Setting Up Your Ghidra Environment for Android Analysis
Prerequisites
- Java Development Kit (JDK): Ghidra requires Java 11 or later.
- Ghidra: Download the latest stable release from the official Ghidra website.
- Android SDK (optional but recommended): For accessing tools like `adb` and understanding Android APIs.
- Ghidra-APK-Loader Plugin: This plugin significantly streamlines the process of loading APKs directly into Ghidra. It handles DEX extraction and import.
Ghidra-APK-Loader Installation
To install the Ghidra-APK-Loader plugin:
- Download the latest release JAR file from its GitHub repository (e.g., Ghidra-APK-Loader-X.X.jar).
- Open Ghidra and go to File > Install Extensions...
- Click the green ‘Add Extension’ button (plus icon) and navigate to the downloaded JAR file.
- Restart Ghidra for the plugin to be active.
Decompiling the APK: Preparing for Ghidra
An Android Application Package (APK) is essentially a ZIP archive containing all application components. The core executable code for Android apps is found in .dex (Dalvik Executable) files. While the Ghidra-APK-Loader plugin handles this automatically, understanding the manual steps is crucial for troubleshooting or specific scenarios.
Manual DEX Extraction (if not using Ghidra-APK-Loader)
You can use `apktool` or `dextool` to extract the DEX files from an APK:
```bash
# Using apktool to unpack the APK and keep the classes.dex files.
# -s (--no-src) tells apktool not to decode the DEX into smali, so the
# original classes*.dex files are left in place for Ghidra to import.
apktool d -s -f malicious.apk -o unpacked_malware
# DEX files will be in unpacked_malware/classes.dex and classes2.dex (if multi-DEX)
```
Alternatively, you can just rename the .apk to .zip and extract classes.dex directly from the archive.
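As an added example that is not part of the original guide, the following Python script does the rename-to-.zip step programmatically: it enumerates the classes*.dex entries of an APK and validates each DEX header's magic and adler32 checksum before the file is handed to Ghidra, so a truncated or patched DEX is caught early. The APK it builds is a constructed in-memory sample whose DEX entries are header-only stand-ins (field names follow the DEX format specification; the counts are made up), not a real application.

```python
import io
import struct
import zipfile
import zlib

# DEX header (0x70 bytes): 8-byte magic, adler32 checksum, 20-byte SHA-1 signature,
# then twenty little-endian uint32 fields, named here as in the DEX format spec.
HEADER_FIELDS = ("file_size header_size endian_tag link_size link_off map_off "
                 "string_ids_size string_ids_off type_ids_size type_ids_off "
                 "proto_ids_size proto_ids_off field_ids_size field_ids_off "
                 "method_ids_size method_ids_off class_defs_size class_defs_off "
                 "data_size data_off").split()

def parse_dex_header(data: bytes) -> dict:
    """Check magic and adler32, then return the header fields as a dict."""
    if len(data) < 0x70:
        raise ValueError("too short to be a DEX file")
    magic, checksum = data[:8], struct.unpack_from("<I", data, 8)[0]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic: %r" % magic)
    # The checksum covers every byte after the checksum field itself.
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("DEX checksum mismatch (truncated or patched file?)")
    info = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    info["version"] = magic[4:7].decode()  # e.g. "035"
    return info

def list_dex_in_apk(apk_bytes: bytes) -> dict:
    """An APK is a ZIP: return {name: header info} for each top-level classes*.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [n for n in zf.namelist() if n.startswith("classes") and n.endswith(".dex")]
        return {n: parse_dex_header(zf.read(n)) for n in names}

def fake_dex(class_defs: int, methods: int) -> bytes:
    """Constructed header-only DEX for the demo (no real bytecode inside)."""
    fields = [0x70, 0x70, 0x12345678] + [0] * 11 + [methods, 0x70, class_defs, 0x70, 0, 0x70]
    tail = b"\x00" * 20 + struct.pack("<20I", *fields)  # signature placeholder + fields
    return b"dex\n035\x00" + struct.pack("<I", zlib.adler32(tail) & 0xFFFFFFFF) + tail

def build_sample_apk() -> bytes:
    """Constructed multi-DEX APK built in memory; stands in for malicious.apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("classes.dex", fake_dex(class_defs=12, methods=340))
        zf.writestr("classes2.dex", fake_dex(class_defs=3, methods=57))
    return buf.getvalue()
```

On a real APK, replace `build_sample_apk()` with the bytes of the file on disk; the class_defs_size and method_ids_size counts give a quick feel for how much code each DEX carries before auto-analysis starts.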
Importing and Initial Analysis in Ghidra
With the Ghidra-APK-Loader, the process is straightforward:
- Launch Ghidra and create a new project (File > New Project...). Choose Non-Shared Project.
- Go to File > Import File... and select your malicious.apk.
- The Ghidra-APK-Loader will detect the file type and prompt you. Confirm the import.
- Ghidra will then ask if you want to perform auto-analysis. Always choose Yes and select the default analysis options, especially Decompiler Parameter ID and Propagate Scalar Parameters, as these significantly improve pseudocode readability. Click Analyze.
If you’re importing a raw .dex file, Ghidra will prompt you to select the language. Choose Dalvik:LE:32:default.
Navigating the Ghidra Interface for Android Code
Once analysis is complete, Ghidra’s powerful interface comes into play:
- Symbol Tree (Left Panel): This hierarchical view lists classes, methods, and fields. For Android analysis, focus on the Classes section.
- Listing Window (Middle-Left): Displays the disassembled Dalvik bytecode.
- Decompiler Window (Middle-Right): Ghidra’s crown jewel. It transforms Dalvik bytecode into readable Java-like pseudocode, making analysis significantly faster.
- Data Type Manager (Left Panel): Contains information about standard Android SDK data types, crucial for understanding function signatures.
- References (Bottom Panel): Shows cross-references to and from the currently selected item (method call, variable use, etc.), vital for tracing execution flow.
Start by expanding the Classes node in the Symbol Tree. You’ll see packages and classes, often obfuscated with short, meaningless names.
Key Static Analysis Techniques for Android Malware
1. Identifying Entry Points
Malware, like any Android app, relies on standard entry points. Look for classes extending or implementing:
- android.app.Application
- android.app.Activity (especially the main launcher activity specified in AndroidManifest.xml or its derivatives)
- android.app.Service
- android.content.BroadcastReceiver
- android.content.ContentProvider
These components’ lifecycle methods (e.g., onCreate(), onStartCommand(), onReceive()) are excellent places to begin tracing execution.
2. Reviewing Permissions
Although the AndroidManifest.xml is the authoritative source for permissions, Ghidra’s decompiled code can often reveal their usage. Permissions like RECEIVE_SMS, READ_CONTACTS, CALL_PHONE, RECORD_AUDIO, SYSTEM_ALERT_WINDOW, and full network access are red flags.
3. Searching for Suspicious API Calls
Malware often interacts with sensitive Android APIs. Use Ghidra’s