SANS Penetration Testing

Ghost in the Droid: Reverse Engineering Android Apps

By Joshua Wright

For the past few years I've been invited to speak at the SANS HackFest conference. This is a great opportunity for me to present new research and useful pen testing techniques to a hungry audience.

It's also a highly competitive event among speakers. Each year my stuff needs to be bigger and better than the year before.

Ghost Box app for Android

Over the summer, my daughter and I watched a show about a haunted house, and the reenactor used an Android app to communicate with ghosts. I saw two excellent opportunities:

  • An opportunity to answer the timeless question: can Android apps detect ghosts?
  • An opportunity to get better at Android application reverse engineering.

The Plan

My budget-manager-for-crazy-projects and I agreed that I would spend $200 on Android apps that claim to detect ghosts. I excluded anything that was free, marked as entertainment, or otherwise admitted that they did not actually detect real ghosts. Instead I focused on apps that were labeled professional use, that claim to meet or exceed the capabilities of commercial ghost detection tools, and claim to perform genuine ghost detection.

The apps I chose ranged from $0.99 to $29.99 in price, and are generally categorized as including one or more of 4 ghost detection capabilities:

  • Electromagnetic Frequency Measurement (EMF) tools
  • Electronic Voice Phenomenon (EVP) measurement (ghost audio)
  • Ghost radar and visual identification apps
  • Ghost communication tools

Ghost Detection Apps
I evaluated 20 Android ghost detection apps in total, and at HackFest I revealed my analysis results for 5 apps:

  • Ghost Hunter
  • Joe's Ghost Box
  • Ghost Speaker
  • P-SB7 Ghost Box
  • My Own Ouija Board

Spoiler alert: None of the Android apps could be confirmed as actually capable of identifying ghosts. Sorry to disappoint!

The Tools

My work primarily consisted of dynamic analysis (install the app, capture network traffic, monitor the filesystem, and look at logging messages) followed by static analysis (unzip the Android APK file, examine the embedded resources, decompile and analyze the source code). Somewhat unsurprisingly, I found my usual cache of tried-and-true tools served me well:

  • Android Emulator, Genymotion or Android-x86 to virtualize Android devices (making analysis a bit easier than using a physical Android device)
  • Wireshark for packet capture analysis
  • Burp Suite for proxy interception
  • JadX for static application reverse engineering
  • Android Studio to import, annotate, and refactor decompiled sources
  • Apktool to extract Android resources and decompile low-level Android bytecode
  • 7-zip or any other unzip tool to extract resources from an Android APK file

In particular, I started using Genymotion as my go-to emulator for runtime analysis of Android applications. Genymotion uses VirtualBox as the behind-the-scenes hypervisor to emulate Android devices, but it does so with a very simple user interface. Free for personal use, it's quick and easy to download and install Genymotion on Windows, Mac OS X, Linux.

After starting Genymotion, you'll have the option to create new Android virtual devices, choosing from different Android versions and hardware configurations. From there, it's easy to start the Android device, scale the window, and install or copy files to the virtual device with drag-and-drop.

Screen Shot 2016-12-03 at 4.47.25 PM

Although Genymotion lacks the "-tcpdump" and "-http-proxy" features that come with the official Android Emulator and the Qemu hypervisor, it's easy enough to capture Genymotion network traffic from your guest using Wireshark. HTTP proxy settings can be configured using the Genymotion virtual WiFi interface, or though the Genymotion settings before starting the virtual device.

Screen Shot 2016-12-03 at 4.52.49 PM

The Results

The apps were pretty lame.

Screen Shot 2016-12-03 at 11.36.23 AM

Several of the apps used a random number generator to "detect" ghosts at various intervals, using static images to populate "radar" systems, or to serve up "ghostly" audio clips. Other apps used static wordlists to spook the user into thinking they could communicate with the dead, or otherwise hooked into cloud-based bot communication systems. One app overlaid a picture of a Ouija board with chat directly from, changing each response of "bot" to "spirit", "ghost", "psyche", or "soul".

Screen Shot 2016-12-03 at 11.40.34 AM

"Stay classy, ghost box app developers." -me


My budget-manager-for-crazy-projects asked me if the $200 and hundreds of hours spent analyzing Android ghost box apps was worth it.

Yes! Analyzing crappy ghost box apps was well worth the time and money investment.

Going into this, I hoped I would find evidence of ghost detection capabilities that would defy scientific understanding. Instead, I found developers using the compass as an RNG to graph "energy values that paranormal entities might be projecting". While that was mildly disappointing, I am well-pleased with this project.

I'm a better Android app reverse engineering analyst now than when I started.

Looking at all these apps forced me to improve my understanding of how the Android SDK works. I found bugs in some of my favorite tools, and figured out how to overcome them. I was able to optimize my workflow, to analyze an app in less time, and to produce better results. I was able to leverage Android Studio as a mechanism to aid my reverse engineering efforts, building a better understanding of how these apps work.

Going into this project, I was motivated to find out what I could about ghost box apps, and I wanted to build my skills as a mobile application security analyst. I had clearly defined goals and a strong motivation to keep working through the challenges that inevitably creep up in any project. At the end, I hadn't identified any ghosts, but I felt smarter and more capable to evaluate Android applications, a skill that I can apply in customer pen test engagements going forward.

You can check out my presentation from the SANS HackFest 2016 conference. While you're there, check out the other presentations too.

In the meantime, if you come across a ghost box app that you think actually detects ghosts...then drop me a note in the comments section below.



Upcoming SANS Special Event - 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen


Posted December 9, 2016 at 8:03 PM | Permalink | Reply


Trying to look at the JadX tool. Unfortunately, I can't get it to build. I keep getting this error:
Error resolving plugin [id: ''com.github.kt3k.coveralls', version: ''2.3.1']

Posted August 28, 2017 at 6:04 AM | Permalink | Reply

jhony koberaes

Nicely Explained! Your blog has always been a good source for me to get quality knowledge in Android. Thanks once again. Sharing some additional knowledge on APK expansion File.

Post a Comment


* Indicates a required field.