How to Decompile and Analyze Android Applications
April 29, 2014

I have a love-hate relationship with Android. Perhaps I’m not the most proficient Objective-C developer, but I truly like Java as a language and enjoy creating Android applications.

That said, all of my computers are Macs, I love my iPhone, and the iPad is hands-down the best tablet available in 2014. The late 20th century in computing will be remembered for Microsoft, and the early 21st century will be remembered for Apple. I won’t pretend to try and know the middle or late 21st century. Predicting 5 years out is impossible enough.

Anywho, one thing that makes the iOS ecosystem so much better than Android is the strict control Apple puts on apps that get allowed into their app store. The first barrier is cost: Apple charges $100 to register as an app developer, and they closely analyze apps that get submitted. This greatly reduces the number of spam and useless apps that get released, increasing app quality.

Android has belatedly tried to mimic some of the strictness, with a new $25 app developer fee and some minimal app review policies. However, crap apps still easily get on the Google Play store, such as this crap hangman app I added several years ago after building it to learn the Android platform. I coded it in 3 hours and submitted it later that same day. 10k downloads and 22 reviews later, it’s a 2 star app! I shudder to think about what deserves 1 star.

Recently, the Virus Shield application was exposed as a fraud, with the scammer likely making hundreds of thousands of dollars. It was a “virus scanner” app that actually did nothing but change the app icon when it was tapped. Users loved it.

The mere concept of an Android virus scanner is preposterous in itself. During my master’s degree, I did some research on analyzing Android apps for malicious qualities. The bottom line is, no app currently running on your device is capable of figuring out if an installed app is harmful. Third party analysis tools need to check the app *before* it’s installed on your device to determine this.

Enough rambling prologue. Here is how you can join the effort to analyze and expose Android apps that you suspect of being useless or malicious.

Decompiling and Analyzing Android Apps

The first thing you need to get is the app on your desktop computer. You need the Android SDK tools. If you don’t have them, download them here.

You need to use the “adb” program. Add the platform-tools directory of the SDK you downloaded to your PATH variable, or simply navigate to [sdk directory]/platform-tools. You should see the adb program.

Now you need to set up your Android device for development. In your Settings menu, you should see the “Developer Tools” option. If you don’t, go into the Settings -> About menu, and press “Build Number” 7 times (this is ridiculous, I know). This will enable developer mode. Go into the “Developer Tools” menu and enable debugging.

Plug the device into your desktop. Your Android device will prompt you to trust the computer, and you should hit Accept.

Now, in your command line, type “adb devices” (no quotes of course). A device should be listed.

Now, install the app you want to analyze on your device through the Google Play store if you haven’t already.

To extract the installed app (an APK file) from your device onto your computer, with your device plugged in, type this at the command line:

adb shell pm list packages

You should see a list of packages. If none obviously matches the app you are trying to pull off your device, navigate to the app’s page in your desktop computer’s web browser, and it should contain the package name.

Now, take the package name, and type this command:

adb shell pm path [app.package.name]

Obviously, replace app.package.name with the package name you found with the previous command (no brackets). This will tell you the path to the APK file. The output line starts with “package:”; the path is everything after that prefix. Now type this:

adb pull [/data/app/apppath]

Replace the path with the path found from the previous command (no brackets). This will copy the APK file from the device to your computer.
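
The pm path and adb pull steps above can be scripted. The following is an added example, not part of the original post: the function names, the com.example.app package and the ./samples directory are made up for illustration, and it assumes adb is on your PATH. It strips the “package:” prefix, pulls every APK the package consists of, and prints a SHA-256 for each file so the exact sample you analyzed can be identified when you share findings.

```shell
#!/bin/sh
# Added example: automates the `pm path` and `adb pull` steps for one package.

# Turn `pm path` output into bare file paths. Each line looks like
# "package:/data/app/<dir>/base.apk"; adb shell may append a carriage return.
pm_paths() {
    tr -d '\r' | sed -n 's/^package://p'
}

# The name is handed to the device shell by `adb shell`, so accept only
# dot-separated names made of letters, digits and underscores.
valid_package() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9_.]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull every APK of a package (base plus any splits) into outdir and print
# a SHA-256 line per file so the exact sample can be identified later.
pull_apk() {
    pkg=$1; outdir=${2:-.}
    valid_package "$pkg" || { echo "refusing package name: $pkg" >&2; return 2; }
    paths=$(adb shell pm path "$pkg" | pm_paths)
    [ -n "$paths" ] || { echo "no APK path returned for $pkg" >&2; return 1; }
    mkdir -p "$outdir"
    for p in $paths; do    # assumption: device paths contain no whitespace
        dest="$outdir/$pkg-$(basename "$p")"
        adb pull "$p" "$dest" >/dev/null || return 1
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$dest"
        else
            shasum -a 256 "$dest"
        fi
    done
}

# Hypothetical usage: sh pull_apk.sh com.example.app ./samples
if [ "$#" -gt 0 ]; then pull_apk "$@"; fi
```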

Now, we need to convert this APK file into a JAR so that Java analysis tools can work on it.

Download dex2jar here. This will convert the APK to a jar file. Extract the contents of the zip and navigate to the directory. Copy your APK file to the same directory and then run this command:

d2j-dex2jar.sh MyApp.apk

Replace MyApp.apk with your APK file name. This will output a MyApp-dex2jar.jar file.

Now, we need to analyze the jar file. Download jd-gui here. It works on Mac, Windows, and Linux. Use it to open up the jar file you created from the APK. The view will look like this:

[Image: Android JAR file in JD-GUI]

Now you can see what is really happening in the app. If you aren’t sure about what’s going on, post it to pastebin or github and see what the community thinks. Let’s expose all of the scam apps! I’m confident that Virus Shield is just the tip of the iceberg.

Good luck!