I have been reading a lot about how malware writers repackage an existing benigh android .apk and repackage it to add malicious functionality.
Now, according to my understanding of the .apk file structure, each .apk file contains a single .dex file which is essentially java byte converted to .dex format. Also, the application has a binary XML called manifest.xml and other resource file and assets. If we have to add extra malicious functionality to the application then we have to modify the manifest.xml (which can be easily done by converting the binary xml back to normal xml), resources (which can be just replaced) and the .dex file.
But the .dex file has a particular structure. According to me any modification done to it should break the code. What techniques do the tools use to prevent the code from breaking because if are adding some malicious functionality to the original app, we are, in essence, adding an extra module.
What are some tools out there that support .apk file repackaging?
Thanks.
Edit: Some members might find it offending to discuss about reverse engineering. Iam research student working on Android Security. I need to know how .apk file repackaging works because this is my research topic. Also, talking openly about reverse engineering isn't a malicious act - books have been written on reverse engineering - using reverse engineering for malicious purposes is malicious :)
Enable proguard in release mode. This will make it harder for reverse engineering. Also check this developer training documentation on security.
(from comment on this question)
You can verify if a package has been repackaged by checking the signature. Some articles to help with that:
Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.
(originally posted ad Verify Android apk has not been repackaged?)
I answered a question about decompiling DEX code in the past. My original answer might be outdated by now but the question has been kept up to date by others. Here is an overview of some of the tools listed there.
A more complete version of fred's answer:
Manual way
First you need a tool to extract all the (compiled) classes on the DEX to a JAR. There's one called dex2jar, which is made by a chinese student.
Then, you can use jd-gui to decompile the classes on the JAR to source code. The resulting source should be quite readable, as dex2jar applies some optimizations.
1: http://code.google.com/p/dex2jar/
2: http://java.decompiler.free.fr/?q=jdguiAutomatic way
You can use APKTool. It will automatically extract all the classes (
.dex
), resources (.asrc
), then it will convert binary XML to human-readable XML, and it will also dissassemble the classes for you.
Disassembly will always be more robust than decompiling, especially with JARs obfuscated with Pro Guard!Just tell APKTool to decode the APK into a directory, then modify what you want, and finally encode it back to an APK. That's all.
Important: APKTool dissassembles. It doesn't decompile. The generated code won't be Java source. But you should be able to read it, and even edit it if you're familiar with jasmin. If you want Java source, please go over the Manual way.
(original question: decompiling DEX into Java sourcecode)