Case study: Reading logs with adb logcat
For this case study I will be using a dedicated Android device, as detailed here, and focus on reading Android logs and dumps to find information on the software under analysis.
Here’s more detail on the device:
- Google Nexus 4 (mako)
- Cyanogen 13.0-20151231-NIGHTLY-mako
- Android 6.0.1
- TWRP 18.104.22.168
If you would like to update TWRP before you start simply install the official TWRP manager from Google Play. I personally prefer to use fastboot provided by the Android SDK.
Backups are always good, especially in our case, since we will mess things up and we never know what goodies apps will bring us: malware, rootkits, trojans, etc. Take your pick.
$ adb reboot recovery
And go to backup and let the thing run. When it’s done restart and save the files on your computer.
$ adb reboot
$ adb pull /sdcard/TWRP
For this case study we will analyze a piece of software that is not allowed on the Google Play store. This software allows installing other software, paid or unpaid, for free. It is likely that the software contains malicious instructions. We will use various tools to figure out what is going on under the hood.
Installing the app
Visit http://www.aptoide.com/ with your phone browser and install the app. Once installed hit open and let’s use logcat, and a bit of magic, to see what’s going on.
$ adb logcat | grep `adb shell ps | grep cm.aptoide.pt | cut -c10-15`
A lot is happening here. But that’s what we want. Let’s take a closer look at what we got:
- Some app states
- HTTP requests
- Execution errors
- External libraries logs
- OpenGL debug logs
- Adreno GPU logs
- Download manager logs
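The one-liner above hard-codes the PID column with cut -c10-15, which only works while the ps output keeps that exact layout, and it leaves the sorting of the log lines into the categories listed above to the reader's eye. As an added example (not code from the original post or from Aptoide), here is a small Python script that locates the PID from the ps header instead of fixed character offsets, parses logcat's default brief format (I/Tag( 1234): message), filters to one PID, tallies each line into the categories above, and pulls out the HTTP endpoints the process talks to. The ps and logcat samples embedded below are constructed for the demonstration; the hostnames and tags in them are invented, not observed output.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of `adb shell ps` (old Android layout: a state column
# with no header sits before NAME, so we index PID by header and take the
# last field as the name rather than trusting fixed columns).
SAMPLE_PS = """\
USER      PID   PPID  VSIZE  RSS   WCHAN            PC  NAME
root      1     0     8904   736   SyS_epoll_ 0000000000 S /init
u0_a87    4321  812   1350000 98000 SyS_epoll_ 0000000000 S cm.aptoide.pt
u0_a99    9999  812   900000 40000 SyS_epoll_ 0000000000 S com.other.app
"""

# Constructed sample of `adb logcat` brief output (hosts are placeholders).
SAMPLE_LOGCAT = """\
I/ActivityManager(  812): Start proc cm.aptoide.pt for activity cm.aptoide.pt/.view.MainActivity: pid=4321 uid=10087
D/AptoideHttp( 4321): GET http://ws.example.invalid/api/search/suggest?q=foo
W/System.err( 4321): java.lang.IllegalStateException: search suggestions failed
D/libEGL  ( 4321): loaded /vendor/lib/egl/libGLESv2_adreno.so
I/Adreno-EGL( 4321): <qeglDrvAPI_eglInitialize:410>: EGL 1.4 QUALCOMM build
I/DownloadManager( 4321): Queued download 17 from http://cdn.example.invalid/app.apk
D/OkHttp  ( 4321): --> GET http://ws.example.invalid/api/listApps
D/OtherApp( 9999): GET http://unrelated.example.invalid/ping
"""

# Brief format: <priority>/<tag>(<pid>): <message>; tag is space-padded.
LINE_RE = re.compile(r"^([VDIWEF])/(.*?)\s*\(\s*(\d+)\):\s?(.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_pid(ps_output, package):
    """Return the PID whose last ps column equals `package`, or None."""
    rows = ps_output.strip().splitlines()
    pid_col = rows[0].split().index("PID")
    for row in rows[1:]:
        fields = row.split()
        if len(fields) > pid_col and fields[-1] == package:
            return int(fields[pid_col])
    return None


def parse_line(line):
    """Parse one brief-format logcat line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "--------- beginning of main" separators
    prio, tag, pid, msg = m.groups()
    return {"prio": prio, "tag": tag, "pid": int(pid), "msg": msg}


def entries_for_pid(logcat_text, pid):
    """Yield parsed entries belonging to `pid` (the grep step, done in Python)."""
    for line in logcat_text.splitlines():
        entry = parse_line(line)
        if entry and entry["pid"] == pid:
            yield entry


def classify(entry):
    """Bucket a line into the categories seen in the aptoide logcat session."""
    tag, msg = entry["tag"], entry["msg"]
    text = tag + " " + msg
    if "Adreno" in text:
        return "adreno_gpu"
    if re.search(r"EGL|OpenGL|GLES", text):
        return "opengl"
    if "DownloadManager" in tag:
        return "download_manager"
    if URL_RE.search(msg):
        return "http_request"
    if entry["prio"] == "E" or tag == "System.err" or "Exception" in msg:
        return "execution_error"
    return "app_state"


def summarize(logcat_text, pid):
    """Count lines per category for one PID."""
    return dict(Counter(classify(e) for e in entries_for_pid(logcat_text, pid)))


def extract_endpoints(logcat_text, pid):
    """Sorted, de-duplicated scheme://host/path of every URL the PID logged."""
    found = set()
    for entry in entries_for_pid(logcat_text, pid):
        for url in URL_RE.findall(entry["msg"]):
            parts = urlsplit(url)
            found.add(urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")))
    return sorted(found)


if __name__ == "__main__":
    # Usage on a device: adb logcat -d | python3 logcat_triage.py <pid>
    # Without arguments the constructed samples above are used.
    if len(sys.argv) > 1:
        pid, text = int(sys.argv[1]), sys.stdin.read()
    else:
        pid, text = find_pid(SAMPLE_PS, "cm.aptoide.pt"), SAMPLE_LOGCAT
    print("pid:", pid)
    print("categories:", summarize(text, pid))
    print("endpoints:", *extract_endpoints(text, pid), sep="\n  ")
```

Piping `adb logcat -d` into the script with the PID from `adb shell ps` gives the same breakdown on a real device; because the PID comes from the header position and the package name from the last column, the lookup keeps working when the ps layout differs from the Nexus 4 one.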
In this case we can see the app uses all of these external libraries:
And all API endpoints called over HTTP:
- Search suggestions query threw an exception.