How to Setup Cuckoo-Droid Android Malware Analysis System

Cuckoo sandbox is an open-source malware analysis system that can perform the dynamic and static analysis of PC files in real-time. It can gather the following information while running the malicious files in an isolated environment.

  • API call information
  • Network traffic information
  • Memory dumps of target machines
  • Newly generated files by the malware
  • Deleted, downloaded, or modified files by the malicious code
  • Windows screenshots during the malware execution on the target machine

The cuckoo droid is a project of the cuckoo sandbox system that provides similar features for Android malware analysis. It serves as an Android emulator to visualize the malicious behavior of Android applications.

How to Install Cuckoo Droid

In order to build a cuckoo droid malware analysis system, we need to integrate the cuckoo droid with cuckoo sandbox and android SDK (Software Development Kit) tools.

Cuckoo Sandbox and Cuckoo Droid Integration:- The cuckoo droid installation requires the cuckoo sandbox package to be cloned from the following Github repository.

git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2

cuckoo sandbox cloning

After downloading the sandboxed package, clone the cuckoo droid in the cuckoo directory using the following command.

 git remote add droid https://github.com/idanr1986/cuckoo-droid

cuckodroid cloning

Update the local cuckoo droid repository using the following GIT PULL request.

git pull --allow-unrelated-histories --no-edit -s recursive -X theirs droid master

cuckoodroid git pull

The cuckoo droid contains processing and reporting configuration files in the conf-extra folder. Extract these files to the conf directory and delete the original folder using the following commands.

cat conf-extra/processing.conf >> conf/processing.conf
cat conf-extra/reporting.conf >> conf/reporting.conf
rm -r conf-extra

configuration files

In the next step, generate the cuckoo droid requirements file using the following command.

echo “protobuf” >> requirements.txt

requirements file

We can install the required modules mentioned in the requirements file using the following command.

pip install –r requirements.txt

cuckoo droid requirements installation

Note: Cuckoo droid requires Python2 to operate in Linux operating system.

Android SDK Installation

The cuckoo droid requires the Android emulator, the adb (android debug bridge), and the avd (android virtual device) to operate as an Android malware analysis toolkit. Therefore, the following Android SDK packages must be installed on the host machine to link them with the cuckoo droid.

  • Android SDK tools
  • Android Platform-tools
  • Android SDK platform
  • ARM EABI

First off, download the SDK manager using the following path.

wget http //dl.google.com/android/android-sdk_r23.0.2-linux.tgz

android sdk download

Note: We have downloaded Android-23.0.2 for this demonstration.

After downloading the SDK manager, unzip the package using the following command.

tar -zxvf android-sdk_r23.0.2-linux.tgz

android sdk unzip

Navigate to the Android SDK directory and activate the Android SDK manager.

cd android-sdk-linux
tools/android

android launch

The above command loads the Android SDK manager with all the necessary Android tools and scripts.

andorid sdk manager dashboard

Select the aforementioned Android SDK tools and initiate the installation process from the dashboard. After installing the packages, expand the Tools section in the SDK manager toolbar as shown below.

AVD manage option

Click on Manage AVDs option to open the AVD manager dashboard

Avd manager

The dashboard shows all the available virtual devices created for the experiments. New devices can be created by clicking the create avd button in the side panel of AVD manager. We can set the following options for the dummy Android device.

create AVD window

For demonstration purposes, we have created a virtual Android device with the following configurations.

test avd specs

We can boot the newly created Android device by clicking the start avd option on the screen.

andorid device after boot

We can set the SDK tools’ path in the profile extension (.profile) to manage the emulator and virtual devices from the terminal. Open the user profile page through following command to setup the path for all important SDK tool packages.

gedit .profile
path=”path to desired SDK tools”$path

We can type the following –avd-list command to validate the path defined in the .profile extension.

emulagtor –list-avds

emulator list avd command

Cuckoo Droid Configuration

The following conf folder in the cuckoo directory contains all the configuration files to be modified by the user.

cuckoo config folder

The cuckoo.conf and avd.conf are the core configuration files that require some name and path modifications.

cuckoo.conf configuration: Open the cuckoo configuration (cuckoo.conf) file to modify the virtualization software type and result server IP address as shown in the following screenshots.

Default Virtualization Software = virtualbox

machinery status

Modified Virtualization Software = avd

change virtualbox to AVD

Default result server IP = 192.168.56.1

resultserver status

Modified result server IP = 127.0.0.1

resultserver ip change

avd.conf configuration: The avd.conf file requires the emulator, adb (android debug bridge), and avd (android virtual device) path settings. All these packages are available in the SDK manager folder. Open the avd.conf file and update the emulator_path, avd_path, and adb_path accordingly.

avd adb emulagtor path settings

Besides the aforementioned configurations, there are some optional settings like enable/disable external sniffer in the auxiliary configuration file. After updating the configurations, navigate to the cuckoo directory and run the main (cuckoo.py) Python file to start analyzing the desired virtual device.

cuckoo help menu

Conclusion

The cuckoo droid can be helpful in analyzing Android applications in real-time. The framework is capable of performing the static and dynamic analysis of suspicious Android apps. A complete security audit with a cuckoo droid can be helpful to determine the risk factor of target mobile applications.