# Unpacking Android malware with Medusa, by Axelle Apvrille (no sound)

## Abstract

In this training, you will learn how to analyze Android malware and understand what it does. The training consists mostly of hands-on lab sessions, with demos and many exercises on real, recent Android malware. Of course, you also learn how to handle those samples safely ;-)

#### Malware samples covered during the training

The malware samples are from 2022 and 2023. There are samples of:

- Android/BianLian
- Cerberus
- Ghimob
- Locker
- SpyBanker
- SpyC23
- SandroRAT
- SpyMax
- Xenomorph
- Zanubis

## Agenda

### Session 1: Reconnaissance - 3h30

- Introduction / Welcome
- Contents of an Android application: manifest, assets, native libraries...
- Certificates and application signature
- Presentation of reverse engineering tools
- Setup of tools. A dedicated Docker container is provided to attendees
- 3 labs: compiling an Android app & disassembling it, use of command-line reconnaissance tools such as DroidLysis and Quark

### Session 2: Disassembling & Decompiling

- Use of GUI reconnaissance tools MobSF and Pithus
- Advanced use of Quark: creation of new rules
- Disassembling Android/Locker and understanding Smali
- Decompiling Android/SpyBanker with JADX
- Dynamically loaded classes
- Understanding how JsonPacker works
- Manual de-obfuscation of simple strings with JADX
- Automated de-obfuscation with JEB

### Session 3: Packers - 3h30

- Grabbing the malware payload from adb
- Creation of Frida hooks
- Wrapping Frida hooks with Python
- Automatic creation of Frida snippets with JADX
- Unpacking packed malware with Dexcalibur

### Session 4: De-obfuscation and more packers

- Other unpacking tools: House, Medusa
- Detecting packers with APKiD
- Creating Yara rules to detect new packers
- Hooking inside dynamically loaded code with House
- Implementing a JEB script
- Malware abusing Accessibility Services
- Anti-debug/VM tricks and solutions based
- Hooking malware at startup with Objection
- Dealing with native libraries

### Session 5: Network activity

- Capture HTTP and HTTPS flows with mitmproxy
- Divert flows with a plugin for mitmproxy
- Creating a fake CnC
- Disable debug mode with a Frida hook
- Dynamic analysis with MobSF and Runtime Mobile Security (RMS)

## Required Skills

- Familiarity with Unix command-line tools
- Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
- Ability to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
- OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory for the training, but it will help.

## System Requirements

- A working laptop capable of running virtual machines
- 15 GB of free hard disk space
- Docker and docker-compose: https://docs.docker.com
- Training container: `docker pull cryptax/android-re:latest`
- SSH, SCP and/or VNC client
- Recent Java Development Kit (JDK)
- Android Studio: https://developer.android.com/studio/
- Python 3.x
- A programming environment of your choice: Vim, Emacs, Sublime, etc.
- A build environment
- Discord
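Sessions 3 and 4 deal with grabbing a malware payload from the device and unpacking packed samples. As an added illustration, and not part of the training material or of any tool listed above, the following Python script carves DEX files out of a raw blob (a memory region or a file pulled with adb, for instance). It scans for the DEX magic, checks the header fields that a packer or a partial dump typically leaves inconsistent, then verifies the Adler-32 checksum and SHA-1 signature the DEX format stores in its header. The field offsets follow the public DEX format; the fake-DEX builder, the `make_fake_dex` name and the sample blob in `demo()` are constructed here only for the demonstration.

```python
import hashlib
import re
import struct
import sys
import zlib

# DEX magic: "dex\n" + 3-digit version + NUL. Versions 035..039 are the ones ART accepts.
DEX_MAGIC_RE = re.compile(rb"dex\n03[5-9]\x00")
HEADER_SIZE = 0x70          # fixed size of the DEX header
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(blob: bytes, off: int):
    """Return file_size for a plausible DEX header at `off`, or None if the
    bytes cannot be a complete DEX (bad header_size/endian tag, or truncated)."""
    if off + HEADER_SIZE > len(blob):
        return None
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, off + 0x20)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    if file_size < HEADER_SIZE or off + file_size > len(blob):
        return None
    return file_size


def dex_checksum_ok(dex: bytes) -> bool:
    """The checksum at 0x08 is Adler-32 over everything that follows it (from 0x0C)."""
    stored = struct.unpack_from("<I", dex, 0x08)[0]
    return (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF) == stored


def dex_signature_ok(dex: bytes) -> bool:
    """The 20-byte signature at 0x0C is SHA-1 over everything from 0x20 to the end."""
    return hashlib.sha1(dex[0x20:]).digest() == dex[0x0C:0x20]


def carve_dex(blob: bytes):
    """Return a list of (offset, dex_bytes, checksum_ok, signature_ok) for every
    candidate DEX found in `blob`. Candidates with bad checksums are kept and
    flagged rather than dropped: stale headers and truncated dumps are common."""
    results = []
    for m in DEX_MAGIC_RE.finditer(blob):
        off = m.start()
        file_size = parse_dex_header(blob, off)
        if file_size is None:
            continue
        dex = blob[off:off + file_size]
        results.append((off, dex, dex_checksum_ok(dex), dex_signature_ok(dex)))
    return results


def make_fake_dex(version: bytes = b"035", payload: bytes = b"\x00" * 0x40) -> bytes:
    """Constructed test data: a header-consistent DEX (correct sizes, checksum
    and signature) with a dummy body. It is NOT loadable by ART."""
    file_size = HEADER_SIZE + len(payload)
    # Fields from 0x20 on: file_size, header_size, endian_tag, then zeroed map/section fields.
    tail = struct.pack("<III", file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\x00" * (HEADER_SIZE - 0x2C) + payload
    signature = hashlib.sha1(tail).digest()
    body = signature + tail
    checksum = zlib.adler32(body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + body


def demo():
    """Constructed blob: junk, a valid DEX, a decoy magic with a bogus header, another DEX."""
    d1 = make_fake_dex()
    d2 = make_fake_dex(version=b"039", payload=b"ABCDEFGH" * 8)
    decoy = b"dex\n035\x00" + b"\x00" * 0x68       # magic only, header fields are zero
    blob = b"garbage" * 9 + d1 + b"\xff" * 7 + decoy + d2 + b"end"
    return carve_dex(blob)


if __name__ == "__main__":
    # Usage: python carve_dex.py <dump>  -> writes carved_<offset>.dex next to it
    if len(sys.argv) == 2:
        data = open(sys.argv[1], "rb").read()
        for off, dex, cs, sig in carve_dex(data):
            name = f"carved_{off:08x}.dex"
            open(name, "wb").write(dex)
            print(f"{name}: {len(dex)} bytes, checksum_ok={cs}, signature_ok={sig}")
    else:
        for off, dex, cs, sig in demo():
            print(f"offset {off}: {len(dex)} bytes, checksum_ok={cs}, signature_ok={sig}")
```

A candidate whose checksum or signature fails is reported rather than discarded: a packer that rewrites the body in memory often leaves the header fields stale, and a dump taken mid-write is truncated, so the flags tell you which carved files need their header repaired before decompiling.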
