Reverse Engineering of Modern Android Malware

2 DAY 16 CPE HOUR TRAINING: AUGUST 2021 * WEEK 3: AUG 23-27
Axelle Apvrille

Abstract

In this workshop, you will learn how to analyze Android malware and understand what it does. The workshop consists mostly of hands-on lab sessions, with demos and many exercises on real, recent Android malware. Of course, you also learn how to handle that malware safely ;-)

Malware Samples covered during the training

  • Android/Alien
  • Android/Bread (Joker)
  • Android/EventBot
  • Android/Ghimob
  • Android/SpyNote
  • Android/Sandr (Sandro RAT)

Agenda

Session 1: Android background and first steps

  • Introduction / Welcome
  • Android malware trends
  • Google Play Protect
  • Contents of Android application: manifest, assets, native libraries...
  • Certificates and application signature
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees
  • 3 Labs: compiling an Android app, disassembling it and patching.

Session 2: Reverse engineering of Android Malware

  • Demo of reverse engineering of Android/SpyNote
  • Exercises on other samples
  • Using Quark Engine to spot malicious behaviour
  • Writing custom rules for Quark Engine
  • Using MobSF for an overview and quick analysis of a sample

Session 3: Dynamic loading and obfuscation

  • Dynamically loaded classes
  • Unpacking packed malware with Dexcalibur
  • Decrypting obfuscated strings with Frida

Session 4: Advanced reverse engineering

  • De-obfuscation like a Pro
  • Using House
  • Implementing a JEB script
  • Malware abusing Accessibility Services
  • Anti-debug/VM tricks and solutions based
  • Detection with APKiD
  • Modifying default Dexcalibur hooks
  • ssdeep and dexofuzzy to find similar samples

Session 5: Malicious network activity

  • Locating the CnC of a malware
  • Reversing the contents of an obfuscated HTTP POST
  • Searching through classes with Smalisca
  • Re-activating debug messages with a Frida hook
  • Dealing with native libraries

Tools used during the training

  • Androguard
  • Android Studio
  • APKiD
  • Apksigner
  • APKTool
  • Baksmali / Smali
  • Dexcalibur
  • Frida
  • House
  • JADX
  • JD-GUI
  • JEB
  • MobSF
  • Quark
  • Smalisca
  • Pithus

Required Skills

  • Familiarity with Unix command-line tools
  • Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
  • Be able to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
  • OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.

System Requirements

  • A working laptop capable of running virtual machines
  • 15 GB free Hard disk space
  • Docker and docker-compose: https://docs.docker.com
  • Training container: 'docker pull cryptax/android-re:latest'
  • SSH, SCP and/or VNC client
  • Recent Java Development Kit (JDK)
  • Android Studio: https://developer.android.com/studio/
  • Python 3.x
  • A programming environment of your choice - Vim, Emacs, Sublime, etc.
  • A build environment
  • Discord