Reverse Engineering of Android Malware

Unpacking Android malware with Medusa, by Axelle Apvrille (no sound)


In this training, you will learn how to analyze Android malware and understand what it does. The training consists mainly of hands-on lab sessions, with demos and many exercises on real and recent Android malware. Of course, you also learn how to handle those samples safely ;-)

Malware Samples covered during the training

The malware samples are from 2022 and 2023. There are samples of:

  • Android/BianLian
  • Cerberus
  • Ghimob
  • Locker
  • SpyBanker
  • SpyC23
  • SandroRAT
  • SpyMax
  • Xenomorph
  • Zanubis


Session 1: Reconnaissance - 3h30

  • Introduction / Welcome
  • Contents of Android application: manifest, assets, native libraries...
  • Certificates and application signature
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees
  • 3 Labs: compiling an Android app & disassembling it, use of command-line reconnaissance tools such as DroidLysis and Quark

Session 2: Disassembling & Decompiling

  • Use of GUI reconnaissance tools MobSF and Pithus
  • Advanced use of Quark: creation of new rules
  • Disassembling Android/Locker and understanding Smali
  • Decompiling Android/SpyBanker with JADX
  • Dynamically loaded classes
  • Understanding how JsonPacker works
  • Manual de-obfuscation of simple strings and JADX
  • Automated de-obfuscation with JEB

Session 3: Packers - 3h30

  • Grabbing malware payload from adb
  • Creation of Frida hooks
  • Wrapping Frida hooks with Python
  • Automatic creation of Frida snippets with JADX
  • Unpacking packed malware with Dexcalibur

Session 4: De-obfuscation and more packers

  • Other unpacking tools: House, Medusa
  • Detecting packers with APKiD
  • Creating Yara rules to detect new packers
  • Hooking inside dynamically loaded code with House
  • Implementing a JEB script
  • Malware abusing Accessibility Services
  • Anti-debug/VM tricks and solutions based
  • Hooking malware at startup with Objection
  • Dealing with native libraries

Session 5: Network activity

  • Capture HTTP and HTTPS flow with MitmProxy
  • Divert flow with a plugin for MitmProxy
  • Creating a fake CnC
  • Disable debug mode with a Frida hook
  • Dynamic analysis with MobSF and Runtime Mobile Security (RMS)

Required Skills

  • Familiarity with Unix command-line tools
  • Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
  • Be able to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
  • OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.

System Requirements

  • A working laptop capable of running virtual machines
  • 15 GB free Hard disk space
  • Docker and docker-compose:
      • Training container: 'docker pull cryptax/android-re:latest'
  • SSH, SCP and/or VNC client
  • Recent Java Development Kit (JDK)
  • Android Studio
  • Python 3.x
  • A programming environment of your choice - Vim, Emacs, Sublime, etc.
  • A build environment
  • Discord