The following article demonstrates how to use "old fashioned" Linux utilities together with Termux to trace Android apps.
We'll use a Termux environment inside an Android device in order to install common Linux utilities alongside Android apps.
The main tools we will use are:
*A rooted device is needed.
What is Termux
Termux is a terminal emulator for Android. It resembles a Linux distribution more than just a terminal application, due to the large number of available packages such as clang, ffmpeg, openssh, python, and vim.
Termux is not an OS or hardware emulator. It shares the same environment as the other parts of the Android OS.
Why do we need Termux?
Short answer: the APT package manager.
Long answer: Android doesn't have a built-in package manager or repositories. If you wish to use binaries like wget or cURL on Android you'll need to manually look for someone who compiled them, or worse, compile them yourself.
Android has its own implementation of libc (Bionic), created to let app developers legally ship closed-source apps. This makes normal ARM binaries from the regular repos fail, and compiling new binaries a non-trivial task. Termux eliminates all these problems by providing a libc user-space that enables running "normal" ARM binaries.
How to set up Termux
There are 3 major steps:
Useful utilities for Dynamic Analyzing Applications
Strace is a diagnostic, debugging and instructional user-space utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. With very little prior knowledge you can view all file interactions of a specified process:
strace -p <pid> -e trace=file
With strace you can analyze unusual memory behavior, process signals and much more. It's important to note that when dealing with Android apps a lot of logic is done by the JVM, hence a lot of strange calls will be added to your trace.
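Because the JVM noise makes a raw file trace hard to read, it helps to capture the trace to a file and post-process it. The following POSIX shell script is an added example, not code from the original article: it assumes the trace was captured with strace -f -p <pid> -e trace=file -o app.log, and the log lines embedded in it are constructed to imitate strace output (they are not a real capture). It summarizes which paths the app touched, isolates one thread's activity, and lists paths that were removed with unlink, the temporary-file pattern the article mentions later.

```shell
#!/bin/sh
# Added example (not from the original article). Post-process an strace
# file-trace log captured with:  strace -f -p <pid> -e trace=file -o app.log
# With -f, strace prefixes each line with the pid/tid that made the call.

# CONSTRUCTED sample log in strace's format; not a real capture.
STRACE_SAMPLE='1234  openat(AT_FDCWD, "/data/data/com.example.app/shared_prefs/settings.xml", O_RDONLY) = 5
1234  openat(AT_FDCWD, "/data/data/com.example.app/files/cache.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 6
1235  unlink("/data/data/com.example.app/files/cache.tmp") = 0
1234  openat(AT_FDCWD, "/data/data/com.example.app/shared_prefs/settings.xml", O_RDONLY) = 5
1234  stat("/system/lib64/libc.so", {st_mode=S_IFREG|0644, ...}) = 0
1235  access("/data/data/com.example.app/files/cache.tmp", F_OK) = -1 ENOENT (No such file or directory)'

# Print "count<TAB>path" for every quoted path in the log, most frequent first.
# Every file-class syscall (openat, stat, access, unlink, ...) quotes its path,
# so extracting quoted strings is enough for a -e trace=file log.
strace_path_counts() {
    # $1: path to the strace log
    grep -o '"[^"]*"' "$1" | tr -d '"' | sort | uniq -c | sort -rn \
        | awk '{print $1 "\t" $2}'
}

# List paths removed via unlink()/unlinkat(): candidates for short-lived
# temporary files that an app writes and deletes immediately.
strace_deleted_paths() {
    # $1: path to the strace log
    grep -o 'unlink[at]*([^"]*"[^"]*"' "$1" | grep -o '"[^"]*"' | tr -d '"' | sort -u
}

# Keep only the lines made by one pid/tid (first column when -f is used).
strace_by_pid() {
    # $1: path to the strace log, $2: pid or tid
    awk -v pid="$2" '$1 == pid' "$1"
}

# Run all three summaries over the constructed sample.
strace_demo() {
    tmp="$(mktemp)"
    printf '%s\n' "$STRACE_SAMPLE" > "$tmp"
    echo "== paths by frequency =="
    strace_path_counts "$tmp"
    echo "== paths removed with unlink =="
    strace_deleted_paths "$tmp"
    echo "== calls made by tid 1235 =="
    strace_by_pid "$tmp" 1235
    rm -f "$tmp"
}
```

On a real trace, replace the constructed sample with the log file written by strace -o; the functions only depend on strace's quoting convention and on the pid column that -f adds.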
Jtrace is a fork of strace with Android modifications that enable it to hook the binder syscall, which is very useful for tracing Android apps because so much of their IPC goes through binder. The main problem is that the code is buggy and always crashes pretty fast. I found it's best to use it alongside strace to maximize the result. *No need for Termux for this one.
Sometimes strace is not sufficient: you wish to know if/when a file is being used, but you are not sure which process is using it. Luckily inotifywatch solves just that. inotifywatch listens for file system events using Linux's inotify interface, then outputs a summary count of the events received on each file or directory. This way you can trace specific folders rather than specific processes.
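inotifywatch gives per-path counts, but when you want to know how long a file lived before it was deleted, its sibling inotifywait (from the same inotify-tools package) can emit one timestamped line per event. The following POSIX shell script is an added example, not code from the original article: it assumes the directory was watched with inotifywait -m -r -e create,delete,close_write --timefmt '%s' --format '%T %w%f %e' <dir> > fs.log, and the log lines embedded in it are constructed to imitate that format. It flags files that were created and deleted within a few seconds, which is exactly the temporary-file behaviour the article describes for malware.

```shell
#!/bin/sh
# Added example (not from the original article). Post-process an inotifywait
# log produced with:
#   inotifywait -m -r -e create,delete,close_write \
#       --timefmt '%s' --format '%T %w%f %e' /data/data/com.bad.package/files/ > fs.log
# Each line is: <epoch seconds> <full path> <EVENT>

# CONSTRUCTED sample log; the package name and paths are placeholders.
INOTIFY_SAMPLE='1700000000 /data/data/com.bad.package/files/payload.tmp CREATE
1700000000 /data/data/com.bad.package/files/payload.tmp CLOSE_WRITE
1700000001 /data/data/com.bad.package/files/payload.tmp DELETE
1700000005 /data/data/com.bad.package/files/config.json CREATE
1700000005 /data/data/com.bad.package/files/config.json CLOSE_WRITE
1700000030 /data/data/com.bad.package/files/old.log DELETE'

# Print "path<TAB>lifetime_seconds" for every file that was CREATEd and then
# DELETEd within $2 seconds (default 5). A DELETE with no preceding CREATE in
# the log (the file existed before the watch started) is ignored.
short_lived_files() {
    # $1: path to the inotifywait log, $2: maximum lifetime in seconds
    awk -v max="${2:-5}" '
        $3 == "CREATE" { created[$2] = $1 }
        $3 == "DELETE" && ($2 in created) {
            life = $1 - created[$2]
            if (life <= max) printf "%s\t%d\n", $2, life
            delete created[$2]
        }' "$1"
}

# Print "count<TAB>path", most active path first: the same kind of summary
# inotifywatch prints, but computed from the event log.
event_counts_by_path() {
    # $1: path to the inotifywait log
    awk '{print $2}' "$1" | sort | uniq -c | sort -rn | awk '{print $1 "\t" $2}'
}

# Run both summaries over the constructed sample.
inotify_demo() {
    tmp="$(mktemp)"
    printf '%s\n' "$INOTIFY_SAMPLE" > "$tmp"
    echo "== files deleted within 5 seconds of creation =="
    short_lived_files "$tmp" 5
    echo "== events per path =="
    event_counts_by_path "$tmp"
    rm -f "$tmp"
}
```

Because the watch is on a directory rather than a process, this catches the file no matter which process or thread of the app wrote it; pair the path it reports with the strace output to find the writer.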
Chattr (change attributes) allows users to change file attributes.
File attributes are part of a security mechanism similar to Linux permissions (chmod), with more fine-grained controls.
For example, you can allow a user to append text to a file but prevent the user from deleting or truncating it by setting the append-only attribute with the following command:
chattr +a <file_name>
This can be very useful when researching malware that uses temporary files and removes them instantly.
You can also use the command with the recursive flag for entire directories:
chattr -R +a /data/data/com.bad.package/files/