ringzerø

Abstract

Learn how to reverse Android malware, including packed, obfuscated and native samples. The training consists in a majority of hands-on lab sessions, with exercises on real, recent Android malware. You learn the methodology to analyze such sample, how to deal with them safely, and how to workaround several anti-reverse tricks (packing, obfuscation, emulator detection etc).

The training labs use recent malware, some are taken from January 2024. We explore the most infamous malware families: Android/Ahrat, BianLian, Locker, Cerberus, Chameleon, FluHorse, GodFather, Hook, Joker, Octo, SpyLoan, SpyMax, SpyNote, WyrmSpy, Xenomorph...

NEW THIS YEAR: reverse engineer Flutter applications, malware bypassing Android 13 Restricted Settings, Triage, Kavanoz.

Key learning objectives

• Learn how to decompile an Android app
• Spot malicious code in malware
• Unpack malicious payload hidden by packers
• De-obfuscate malicious samples
• Reverse engineer malicious code located inside native libraries
• Craft Frida scripts to assist your analysis or use tools such as Objection, Medusa, MobSF etc
• Understand how to deal with Flutter applications

Intended audience

Malware analysts, security researchers, vulnerability researchers, Android application developers, system administrators

Detailed Agenda

Session 1: Reconnaissance - 3h30

• Introduction / Welcome
• Setup of tools. A dedicated Docker container is provided to attendees
• Contents of an Android application: manifest, assets, native libraries...
• Key development concepts: Activities, Services, Accessibility Services, Restricted Settings of Android 13
• Presentation of the main reverse engineering tools: apktool, baksmali, jadx

Several reconnaissance labs:

• APK Format: LIEF, Androguard
• Intro to Smali and disassembly tools: defeating Locker
• Using reconnaissance tools such as MobSF, Triage, Quark...
• Fixing intentional malware ZIP errors
• Analysis of a sample that bypasses Restriction Settings of Android 13

Session 2: Packers - 3h30

• How packers work and dynamically load classes
• Detecting packers in the code, or automatically with APKiD
• Unpacking like a pro with Kavanoz and Medusa
• Understanding packers JsonPacker, KangaPack, MultidexPack...
• Native packing

Labs:

• De-obfuscation of GodFather and GosBanker with JEB scripts
• Unpacking Chameleon, Hook and Xenomorph with Kavanoz
• Into the native packer of Octo, and unpacking
• Creating hooks in Medusa

Session 3: Frida scripts - 3h

• Anatomy of a Frida hook
• Wrapping hooks with Python
• Frida interceptors
• How to hook in dynamically loaded classes
• Interesting hooks: de-obfuscation, file deletion, enable debug logs...
• How to hook at native level
• Frida-based tools e.g Medusa, House, RMS, MobSF...

Labs:

• Automatic creation of Frida snippets with JEB or JADX
• Medusa modules on BianLian
• Hooking with House, Objection
• Deobfuscating Cerberus

Session 4: Reversing Flutter applications - 3h

• Introduction to Dart and Flutter
• Object Pool
• Dedicated registers
• Custom calling convention
• Small Integers and Medium Integers
• Communication from Flutter to Dalvik

Labs:

• Analysis of SpyLoan and FluHorse with JEB and Radare

Session 5: Advanced analysis - 3h

• Anti-debug, emulator detection
• Bypassing “Restriction Settings” of Android 13
• Rooting detection
• Firebase databases
• Injections, screencast, doze mode, notification channels, audio mode and other malicious manipulations
• Faking a C&C

Labs:

• Analysis of how WyrmSpy roots its victim
• Anti-analysis tricks of Android/Chameleon
• Analysis of Android/BianLian with a fake C2
• Hooking Retrofit2 in Android/Xenomorph
• Analysis of the Hook botnet
• Network analysis with Runtime Mobile Security

Knowledge prerequisites

• Be at ease in a Unix environment and autonomous to install standard tools on your host
• Prior experience in programming. You need to understand Java code. You will also have to write some code in Python and Javascript, but only a few lines of code.
• Experience in cybersecurity: malware, trojans, CnC, etc.
• Know how to download and run Docker containers
• A prior experience on disassembly is a plus.

Hardware Requirements

In addition to the required software, 10GB of available disk is highly recommended, mostly to install Android emulators. You can do with less, but it will be more complicated for you.

Software Requirements

• The preferred OS is Linux Debian or Ubuntu. However, any OS should do, provided you know how to tweak it.
• Install Docker, docker-compose, and the training's container: docker pull cryptax/android-re:latest
• JEB Pro: Axelle will supply a build for the workshop, thanks to PNF Software.
• Install the latest Android Studio: https://developer.android.com/studio/
• Install a recent Java Development Kit (JDK) 17+
• Install a Python 3.0+ environment
• Install GIT, SSH, SCP and/or VNC client
• Install the programming environment of your choice (IDE and build tools)
• Install Discord for communication during the training