Untitled


Here are some examples of what the tool can do.

1) It can dump the contents of the DEX file in human-readable form. This tends to result in a lot of output, even when done with relatively small DEX files, so instead of pasting an example here, I'm attaching it ZIPped. It's the classes.dex from one of the FakePlayer variants. The tool even disassembles the bytecode instructions, although doesn't try to produce assemblable source like baksmali. But, unlike with baksmali, you can see the actual code that has produced them.

2) It can list the names of the classes (without anything else) of a DEX file - often this is enough to figure out whether we're dealing with a variant of some known malware or not:

c:>dexdump -c RU.apk
RU.apk->classes.dex (FDB84FF8125B3790011B83CC85ADCE16->A386B4B56E3E5DF95F75D3F816DD44FB)
    org.me.androidapplication1.DataHelper$OpenHelper
    org.me.androidapplication1.DataHelper
    org.me.androidapplication1.HelloWorld
    org.me.androidapplication1.MoviePlayer

3) It can produce identification data for each class:

c:>dexdump RU.apk
RU.apk->classes.dex (FDB84FF8125B3790011B83CC85ADCE16->A386B4B56E3E5DF95F75D3F816DD44FB)
    D7DDB1C1 org.me.androidapplication1.DataHelper$OpenHelper
    B74CB67C org.me.androidapplication1.DataHelper
    A1DC849D org.me.androidapplication1.HelloWorld
    CC829975 org.me.androidapplication1.MoviePlayer
Detected: trojan://AndroidOS/FakePlayer.A (Exact)

4) It can run in identification-only mode, just telling you if the sample is identified exactly as something known or not:

c:>dexdump -t RU.apk
RU.apk->classes.dex    Detected: trojan://AndroidOS/FakePlayer.A (Exact)

5) It can list the names of the malware it is able to identify:

c:>dexdump -l
trojan://AndroidOS/Adrd.A
trojan://AndroidOS/Adrd.B
trojan://AndroidOS/Adrd.C
trojan://AndroidOS/Adrd.D
trojan://AndroidOS/Adrd.E
trojan://AndroidOS/Adrd.F
trojan://AndroidOS/Adrd.G
trojan://AndroidOS/Adrd.H
trojan://AndroidOS/Adrd.I
trojan://AndroidOS/DroidKungFu.A
trojan://AndroidOS/DroidKungFu.B
trojan://AndroidOS/DroidKungFu.C
trojan://AndroidOS/DroidKungFu.D
trojan://AndroidOS/DroidKungFu.E
trojan://AndroidOS/DroidKungFu.F
trojan://AndroidOS/FakePlayer.A
trojan://AndroidOS/FakePlayer.B
trojan://AndroidOS/FakePlayer.C
trojan://AndroidOS/FakePlayer.D
trojan://AndroidOS/FakePlayer.E
trojan://AndroidOS/FakePlayer.F
trojan://AndroidOS/GGTracker.A
trojan://AndroidOS/GGTracker.B
trojan://AndroidOS/Lovetrap.A
trojan://AndroidOS/MobileSpy.A
trojan://AndroidOS/MobileSpy.B
trojan://AndroidOS/MobileSpy.C
trojan://AndroidOS/MobileSpy.D
trojan://AndroidOS/MobileSpy.E
trojan://AndroidOS/MobileSpy.F
trojan://AndroidOS/MobileSpy.G
trojan://AndroidOS/MobileSpy.H
trojan://AndroidOS/MobileSpy.I
trojan://AndroidOS/MobileSpy.J
trojan://AndroidOS/MobileSpy.K
trojan://AndroidOS/MobileSpy.L
trojan://AndroidOS/NikiSpy.A
trojan://AndroidOS/TapSnake.A
trojan://AndroidOS/Zitmo.A

6) It can check its database for duplicates:

c:>dexdump -k
Database OK.

Read the documentation for information where to get the latest official version of the database for it.

The syntax of the above commands assumes you're using the script under Windoze. Linux weenies will have to use it as a script file specified when invoking Perl:

$ perl -f dexdump.bat [options] arguments...


Here is an example (from the documentation) of how an announcement should look like.

One of the Adrd variants in my collection - I'm arbitrarily calling it Adrd.A. It comes in the following Trojanized file:

geinimi.apk->classes.dex (5192AD05597E7A148F642BE43F6441F6->5F86B2E2C2D6BCCA1F580F9B5F444F6D)
    com.tat.cascadeswallpaper.android.CascadesWallpaperService$CascadesEngine$1
    com.tat.cascadeswallpaper.android.CascadesWallpaperService$CascadesEngine
    com.tat.cascadeswallpaper.android.CascadesWallpaperService$Config
    com.tat.cascadeswallpaper.android.CascadesWallpaperService
    com.tat.cascadeswallpaper.android.Log
    com.tat.livewallpaper.dandelion.Dandelion$1
    com.tat.livewallpaper.dandelion.Dandelion$2
    com.tat.livewallpaper.dandelion.Dandelion
    com.xxx.yyy.APNMatchTools$APNNet
    com.xxx.yyy.APNMatchTools
    com.xxx.yyy.ApkReceiver
    com.xxx.yyy.BBBB$LogRedirectHandler
    com.xxx.yyy.BBBB
    com.xxx.yyy.CustomBroadcastReceiver$CustomPhoneStateListener
    com.xxx.yyy.CustomBroadcastReceiver
    com.xxx.yyy.GZipInputStream
    com.xxx.yyy.GZipOutputStream
    com.xxx.yyy.MyAlarmReceiver
    com.xxx.yyy.MyBoolService
    com.xxx.yyy.MyService$APN
    com.xxx.yyy.MyService
    com.xxx.yyy.MyTools
    com.xxx.yyy.NetWorkReceiver
    com.xxx.yyy.UpdateHelper
    com.xxx.yyy.ZipHelper
    com.xxx.yyy.ZipIntMultShortHashMap$Element
    com.xxx.yyy.ZipIntMultShortHashMap
    com.xxx.yyy.ZipUtil
    com.xxx.yyy.adad$1
    com.xxx.yyy.adad
    com.xxx.yyy.ddda
    com.xxx.yyy.qzl$1
    com.xxx.yyy.qzl

You can see the MD5 hashes of the APK file itself and of the classes,dex file inside. They are between the parentheses.

The malware itself resides in the com.xxx.yyy.* subtree of classes. Here is the identification data for it:

trojan://AndroidOS/Adrd.A
    7E8BE144 com.xxx.yyy.APNMatchTools$APNNet
    08EA684E com.xxx.yyy.APNMatchTools
    A490446D com.xxx.yyy.ApkReceiver
    3902FF59 com.xxx.yyy.BBBB$LogRedirectHandler
    25B4A7E3 com.xxx.yyy.BBBB
    7E4A5825 com.xxx.yyy.CustomBroadcastReceiver$CustomPhoneStateListener
    8D27A0C1 com.xxx.yyy.CustomBroadcastReceiver
    5CAB2F0B com.xxx.yyy.GZipInputStream
    016FD1D4 com.xxx.yyy.GZipOutputStream
    DC1AC823 com.xxx.yyy.MyAlarmReceiver
    EC712BE9 com.xxx.yyy.MyBoolService
    E4EA5C7B com.xxx.yyy.MyService$APN
    092E62A6 com.xxx.yyy.MyService
    B6EB634B com.xxx.yyy.MyTools
    9C18FE76 com.xxx.yyy.NetWorkReceiver
    E468FE5A com.xxx.yyy.UpdateHelper
    7ED8B247 com.xxx.yyy.ZipHelper
    96088089 com.xxx.yyy.ZipIntMultShortHashMap$Element
    B780C5D6 com.xxx.yyy.ZipIntMultShortHashMap
    9C230B97 com.xxx.yyy.ZipUtil
    3CE2C554 com.xxx.yyy.adad$1
    123631AD com.xxx.yyy.adad
    0979EFEB com.xxx.yyy.ddda
    485C4EDE com.xxx.yyy.qzl$1
    BE451A3A com.xxx.yyy.qzl