The Hack Lair

Case study: Reading logs with adb logcat

For this case study I will be using a dedicated Android device as detailed here and focus on reading Android logs and dumps to find information on both software.

Here’s more detail on the device:

If you would like to update TWRP before you start simply install the official TWRP manager from Google Play. I personally prefer to use fastboot provided by the Android SDK.

Backing up

Backups are always good. Especially in our case since we will mess things up and we never know what goods apps will bring us. Malware, root kits, trojan, etc. Take your pick.

$ adb reboot recovery

And go to backup and let the thing run. When it’s done restart and save the files on your computer.

$ adb reboot
$ adb pull /sdcard/TWRP

About Aptoide

For this case study we will analyze a piece of software that is not allowed on the Google Play store. This software allow to install other software, paid or unpaid, for free. It’s likely that the software contain malicious instructions. We will use various tools to figure out what is going on under the hood.

Installing the app

Visit with your phone browser and install the app. Once installed hit open and let’s use logcat, and a bit of magic, to see what’s going on.

$ adb logcat | grep `adb shell ps | grep | cut -c10-15`

A lot is happening here. But that’s what we want. Let’s take a closer look at what we got:

In this case we can see the app use all of those external libraries:

And all API endpoints called over http:

Also errors:

Other posts from the Android forensics and security analysis series: