This presentation introduces Android Tamer, a virtual machine environment designed as a one-stop toolkit for Android security work, presented at ClubHack 2011. Anant Shrivastava describes it as a “Swiss Army knife for Android security”: a BackTrack-like VM that consolidates the dozens of tools security professionals previously had to download and configure individually. The talk covers the Android market context, the security challenges driving the project, the VM’s architecture and bundled toolset, and a prescient prediction about the future of Android malware.
Summary
The presentation opens by establishing why Android security matters: with 40%+ phone market share (a conservative figure; possibly 80%+) and growing corporate integration, Android devices are essentially computers running an operating system with software on top. Anant draws a direct parallel to the PC malware lifecycle, arguing that the progression from simple trojans to rootkits to obfuscated executables will inevitably repeat in the mobile domain, and that malware is already appearing on both Android and iPhone platforms, with one demonstrated at MalCon just days before the talk.
The core problem Android Tamer addresses is fragmentation of the security toolkit. The standard approach at the time required downloading the SDK, NDK, proxy tools, decompilers, and then manually configuring everything. On one side, OWASP was working on mobile security standards; on the other, Anant was building the complete toolchain in a single VM.
Android Tamer is built on Ubuntu 10.04 LTS with all non-essential software removed, designed as a complementary OS that coexists with the user’s primary system. A deliberate design decision limits foreign repositories to just two PPAs (Firefox and a menu PPA) to avoid the upgrade failures that plague systems with many third-party sources. The VM includes a personal repository for distributing tool updates: if a new version of a decompiler is released, users simply run “update my system” rather than manually downloading and configuring the new version.
The toolset spans multiple security disciplines. For application pentesting, the VM includes OWASP ZAP with a transparent socket proxy (T-Proxy) that solves the tricky problem of intercepting non-browser application traffic, and an emulator pre-configured with ZAP’s root CA certificate so proxy-based testing works immediately. For malware analysis, DroidBox provides automated tracing of file system changes, parameter modifications, and log generation, while APKInspector and four different decompilers (Dex2jar, JD-GUI, JAD, and SMALI/Baksmali) offer multiple analysis approaches. Androguard rounds out the malware analysis suite.
ROM analysis receives significant attention in the talk. Anant discusses the XDA Developers ecosystem of custom ROM cookers and raises the Carrier IQ scandal as a concrete example of why ROM analysis matters: a company that tracked not just call metadata but keystrokes and data traffic, transferred to remote servers. The VM includes DSIXDA Android Kitchen for comprehensive ROM customization, YAFFS2 tools for analyzing the standard Android filesystem format, and Split Boot Image for separating the kernel and initial RAM disk from Android boot images. The talk also covers the development side, with Eclipse, NDK, CodeSourcery G++ Lite (an ARM compiler), and the then-newly-released ARM DS5 Community Edition.
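What a boot-image splitter actually does is small enough to show in full. The following is an added example, not code from the talk or from the Split Boot Image tool: it parses the version-0 Android boot header (the `ANDROID!` magic, section sizes and load addresses, page size), computes where the page-aligned kernel and ramdisk sections begin, and carves them out so the ramdisk (normally a gzip-compressed cpio archive) can be unpacked and inspected. The sample image it operates on is constructed inline; the load addresses in it are only metadata and are not taken from any real device.

```python
import struct

# Android boot image header, version 0, little-endian, as laid out by mkbootimg:
# magic[8] | kernel_size kernel_addr ramdisk_size ramdisk_addr second_size
# second_addr tags_addr page_size unused[2] | name[16] | cmdline[512] | id[8]
BOOT_HDR = struct.Struct("<8s10I16s512s8I")
BOOT_MAGIC = b"ANDROID!"
GZIP_MAGIC = b"\x1f\x8b"


def _pages(size: int, page_size: int) -> int:
    """Whole pages needed to hold `size` bytes (every section is padded to a page)."""
    return (size + page_size - 1) // page_size


def parse_boot_header(image: bytes) -> dict:
    """Validate the header and compute where each section starts in the image."""
    if len(image) < BOOT_HDR.size:
        raise ValueError("image is shorter than a boot header")
    fields = BOOT_HDR.unpack_from(image, 0)
    if fields[0] != BOOT_MAGIC:
        raise ValueError(f"bad magic {fields[0]!r}: not an Android boot image")
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size) = fields[1:9]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible page_size {page_size}")
    # Page 0 holds the header; kernel, ramdisk and second-stage follow, each page-aligned.
    kernel_off = page_size
    ramdisk_off = kernel_off + _pages(kernel_size, page_size) * page_size
    second_off = ramdisk_off + _pages(ramdisk_size, page_size) * page_size
    end = second_off + _pages(second_size, page_size) * page_size
    if end > len(image):
        raise ValueError("image is truncated: sections extend past end of data")
    return {
        "name": fields[11].rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": fields[12].rstrip(b"\0").decode("ascii", "replace"),
        "page_size": page_size,
        "kernel_size": kernel_size, "kernel_addr": kernel_addr, "kernel_off": kernel_off,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr, "ramdisk_off": ramdisk_off,
        "second_size": second_size, "second_addr": second_addr, "second_off": second_off,
        "tags_addr": tags_addr,
    }


def split_boot_image(image: bytes) -> tuple:
    """Return (kernel, ramdisk, header_info); the ramdisk is normally gzip-compressed cpio."""
    info = parse_boot_header(image)
    kernel = image[info["kernel_off"]:info["kernel_off"] + info["kernel_size"]]
    ramdisk = image[info["ramdisk_off"]:info["ramdisk_off"] + info["ramdisk_size"]]
    info["ramdisk_is_gzip"] = ramdisk[:2] == GZIP_MAGIC
    return kernel, ramdisk, info


def build_sample_boot_image(kernel: bytes, ramdisk: bytes, page_size: int = 2048,
                            cmdline: bytes = b"console=ttyS0 androidboot.hardware=goldfish") -> bytes:
    """Constructed test image (not from any real device): header page, then padded kernel and ramdisk."""
    # The load addresses are placeholders; the parser only reports them.
    header = BOOT_HDR.pack(BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                           0, 0x10F00000, 0x10000100, page_size, 0, 0,
                           b"sample", cmdline, *([0] * 8))

    def pad(section: bytes) -> bytes:
        return section + b"\0" * (-len(section) % page_size)

    return pad(header) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    img = build_sample_boot_image(b"\x1f\x8bKERNEL" + b"\0" * 3000, b"\x1f\x8bCPIO")
    k, r, meta = split_boot_image(img)
    print(f"{meta['name']}: kernel {len(k)} bytes @0x{meta['kernel_off']:x}, "
          f"ramdisk {len(r)} bytes @0x{meta['ramdisk_off']:x} gzip={meta['ramdisk_is_gzip']}")
```

The size checks matter in practice: a ROM that claims a kernel larger than the image, or a page size that is not a power of two, is either corrupt or crafted, and the splitter should refuse it rather than read garbage. Once the ramdisk is out, `default.prop` and `init.rc` inside it are the usual places to look when auditing a custom ROM.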
Comparing Android Tamer to the recently launched Android Reverse Engineering Toolkit by Hyet, Anant highlights three differentiators: smaller size, broader scope beyond just reverse engineering, and deeper integration with pre-configured paths and default settings. The VM also ships with pre-loaded browser bookmarks for commonly needed resources.
The talk concludes with a striking prediction: Anant foresees a malware landscape where malicious code resides inside NDK binaries, C binaries performing their work in the background after being invoked by a single Java call, making detection significantly harder than for the relatively straightforward Java-based malware of 2011.
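The defensive counterpart to that prediction is to inventory the native code an APK carries before looking at its Java. The following is an added example, not code from the talk or from any Android Tamer tool: it opens an APK as the zip archive it is, lists every `lib/<abi>/*.so`, reads the ELF identification bytes and machine type, and pulls out exported symbol names that follow the JNI naming convention (`Java_<package>_<Class>_<method>`), which is exactly the bridge a single Java call uses to hand work to a C binary. The APK it inspects is constructed inline, and its `.so` is only an ELF header stub with a fake string table, not loadable code.

```python
import io
import re
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the ABIs Android has shipped.
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# JNI exports are named Java_<package>_<Class>_<method>[__<signature>].
JNI_EXPORT = re.compile(rb"Java_[A-Za-z0-9_]{3,}")


def describe_elf(blob: bytes):
    """Read the ELF identification bytes and e_machine; None if this is not an ELF file."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    bits = 32 if blob[4] == 1 else 64          # EI_CLASS
    endian = "<" if blob[5] == 1 else ">"      # EI_DATA
    e_type, e_machine = struct.unpack_from(endian + "HH", blob, 16)
    return {"bits": bits, "arch": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
            "shared_object": e_type == 3}      # ET_DYN


def demangle_jni(symbol: str) -> str:
    """Java_com_example_Foo_1bar_run -> com.example.Foo_bar.run (handles the _1 escape only)."""
    body = symbol[len("Java_"):].split("__", 1)[0]   # drop an overload signature suffix
    body = body.replace("_1", "\x00")                 # _1 encodes a literal underscore
    return body.replace("_", ".").replace("\x00", "_")


def jni_entry_points(blob: bytes) -> list:
    """Symbol names a Java caller can reach after System.loadLibrary binds its native methods."""
    return sorted({m.group(0).decode("ascii") for m in JNI_EXPORT.finditer(blob)})


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory the native code an APK carries alongside its Dalvik bytecode."""
    report = {"has_dex": False, "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        report["has_dex"] = "classes.dex" in names
        for name in names:
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            blob = apk.read(name)
            elf = describe_elf(blob)
            entry = {"path": name, "abi": name.split("/")[1], "is_elf": elf is not None}
            if elf:
                entry.update(elf)
                entry["jni"] = [(s, demangle_jni(s)) for s in jni_entry_points(blob)]
            report["native_libs"].append(entry)
    return report


def build_sample_apk() -> bytes:
    """Constructed APK-shaped zip for offline testing; the .so is a header stub, not loadable code."""
    elf_stub = (ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8     # EI_CLASS=32-bit, little-endian
                + struct.pack("<HH", 3, 0x28)                   # ET_DYN, EM_ARM
                + b"\0" * 44                                    # rest of the 64-byte header area
                + b"Java_com_example_app_Loader_start\0"
                + b"Java_com_example_app_Net_1util_poll\0")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", b"dex\n035\0placeholder")
        z.writestr("lib/armeabi-v7a/libhelper.so", elf_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for lib in triage_apk(build_sample_apk())["native_libs"]:
        print(lib["path"], lib.get("arch"), [d for _, d in lib.get("jni", [])])
```

The point of the JNI listing is triage, not verdict: a library with a single `start`-style entry point and no other exports is the shape Anant describes, and it tells the analyst which Java class to read first in the decompiler output and which binary to hand to a native-code tool. Libraries that fail the ELF check, or whose ABI directory does not match their `e_machine`, are worth a closer look for the same reason.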
Key Themes
- Consolidated Tooling: The fundamental value proposition is eliminating the time and error involved in manually assembling an Android security toolkit, following the same philosophy as BackTrack for general penetration testing
- Pre-configured Integration: Beyond bundling tools, Android Tamer pre-configures certificates, proxy settings, paths, and bookmarks to eliminate setup friction
- Repeating History: The PC malware lifecycle is repeating in mobile, making proactive security tooling essential rather than reactive
- ROM Security Concerns: Custom ROMs from the XDA ecosystem and manufacturer firmware (Carrier IQ) represent an underappreciated attack surface requiring dedicated analysis tools
- Future Malware Direction: NDK-based malware using native C binaries would be significantly harder to detect than Java-based threats, a prediction that proved accurate
Notable Points
- At the time, 10% of the tablet market was Android, with phone market share at 40%+ and climbing rapidly
- T-Proxy (transparent socket proxy) was the key innovation for intercepting application-level traffic that couldn’t be redirected through browser proxy settings alone
- The personal repository approach enabled automatic tool updates, solving the maintenance problem that plagues manually assembled security environments
- SMALI/Baksmali provided an alternative decompilation approach using a different format than Java, useful when standard decompilers produced incomplete results
- Future plans included adding Agnitio for source code review and a dedicated forensics section, with community contributions welcome