ABSTRACT
Learn how to reverse Android malware, including packed, obfuscated and native samples. The training consists in a majority of hands-on lab sessions, with exercises on real, recent Android malware. You learn the methodology to analyze such sample, how to deal with them safely, and how to workaround several anti-reverse tricks (packing, obfuscation, emulator detection etc).
The training labs use recent malware, some are taken from January 2024. We explore the most infamous malware families: Android/Ahrat, BianLian, Locker, Cerberus, Chameleon, FluHorse, GodFather, Hook, Joker, Octo, SpyLoan, SpyMax, SpyNote, WyrmSpy, Xenomorph...
NEW THIS YEAR: reverse engineer Flutter applications, malware bypassing Android 13 Restricted Settings, Triage, Kavanoz.
INTENDED AUDIENCE
KEY LEARNING OBJECTIVES
- Learn how to decompile an Android app
- Spot malicious code in malware
- Unpack malicious payload hidden by packers
- De-obfuscate malicious samples
- Reverse engineer malicious code located inside native libraries
- Craft Frida scripts to assist your analysis or use tools such as Objection, Medusa, MobSF etc
- Understand how to deal with Flutter applications
COURSE DETAILS
AGENDA
SESSION 1: RECONNAISSANCE - 3H30
- Introduction / Welcome
- Setup of tools. A dedicated Docker container is provided to attendees
- Contents of an Android application: manifest, assets, native libraries...
- Key development concepts: Activities, Services, Accessibility Services, Restricted Settings of Android 13
- Presentation of the main reverse engineering tools: apktool, baksmali, jadx
Several reconnaissance labs:
- APK Format: LIEF, Androguard
- Intro to Smali and disassembly tools: defeating Locker
- Using reconnaissance tools such as MobSF, Triage, Quark...
- Fixing intentional malware ZIP errors
- Analysis of a sample that bypasses Restriction Settings of Android 13
SESSION 2: PACKERS - 3H30
- How packers work and dynamically load classes
- Detecting packers in the code, or automatically with APKiD
- Unpacking like a pro with Kavanoz and Medusa
- Understanding packers JsonPacker, KangaPack, MultidexPack...
- Native packing
Labs:
- De-obfuscation of GodFather and GosBanker with JEB scripts
- Unpacking Chameleon, Hook and Xenomorph with Kavanoz
- Into the native packer of Octo, and unpacking
- Creating hooks in Medusa
SESSION 3: FRIDA SCRIPTS - 3H
- Anatomy of a Frida hook
- Wrapping hooks with Python
- Frida interceptors
- How to hook in dynamically loaded classes
- Interesting hooks: de-obfuscation, file deletion, enable debug logs...
- How to hook at native level
- Frida-based tools e.g Medusa, House, RMS, MobSF...
Labs:
- Automatic creation of Frida snippets with JEB or JADX
- Medusa modules on BianLian
- Hooking with House, Objection
- Deobfuscating Cerberus
SESSION 4: REVERSING FLUTTER APPLICATIONS - 3H
- Introduction to Dart and Flutter
- Object Pool
- Dedicated registers
- Custom calling convention
- Small Integers and Medium Integers
- Communication from Flutter to Dalvik
Labs:
- Analysis of SpyLoan and FluHorse with JEB and Radare
SESSION 5: ADVANCED ANALYSIS - 3H
- Anti-debug, emulator detection
- Bypassing “Restriction Settings” of Android 13
- Rooting detection
- Firebase databases
- Injections, screencast, doze mode, notification channels, audio mode and other malicious manipulations
- Faking a C&C
Labs:
- Analysis of how WyrmSpy roots its victim
- Anti-analysis tricks of Android/Chameleon
- Analysis of Android/BianLian with a fake C2
- Hooking Retrofit2 in Android/Xenomorph
- Analysis of the Hook botnet
- Network analysis with Runtime Mobile Security
KNOWLEDGE PREREQUISITES
- Be at ease in a Unix environment and autonomous to install standard tools on your host
- Prior experience in programming. You need to understand Java code. You will also have to write some code in Python and Javascript, but only a few lines of code.
- Experience in cybersecurity: malware, trojans, CnC, etc.
- Know how to download and run Docker containers
- A prior experience on disassembly is a plus.
REQUIREMENTS
HARDWARE
In addition to the required software, 10GB of available disk is highly recommended, mostly to install Android emulators. You can do with less, but it will be more complicated for you.
SOFTWARE
- The preferred OS is Linux Debian or Ubuntu. However, any OS should do, provided you know how to tweak it.
- Install Docker, docker-compose, and the training's container: docker pull cryptax/android-re:latest
- JEB Pro: Axelle will supply a build for the workshop, thanks to PNF Software.
- Install the latest Android Studio: https://developer.android.com/studio/
- Install a recent Java Development Kit (JDK) 17+
- Install a Python 3.0+ environment
- Install GIT, SSH, SCP and/or VNC client
- Install the programming environment of your choice (IDE and build tools)
- Install Discord for communication during the training
ABOUT THE TRAINER
Axelle Apvrille is a principal security researcher at fortinet, fortiguard labs. Her research interests are mobile and IOT malware. In addition, she is the lead organizer of ph0wn ETF, a competition which focuses on ethical hacking of smart objects.
In a prior life, Axelle used to implement cryptographic algorithms and security protocols.