Reverse Engineering of Modern Android Malware

2-day, 16 CPE hour training: August 2021, week 3 (Aug 23-27)

Axelle Apvrille

Abstract

In this workshop, you will learn how to analyze Android malware and understand what it does. The workshop consists mostly of hands-on lab sessions, with demos and many exercises on real, recent Android malware. Of course, you also learn how to handle those samples safely ;-)

Malware Samples covered during the training

  • Android/Alien
  • Android/Bread (Joker)
  • Android/EventBot
  • Android/Ghimob
  • Android/SpyNote
  • Android/Sandr (Sandro RAT)

Agenda

Session 1: Android background and first steps

  • Introduction / Welcome
  • Android malware trends
  • Google Play Protect
  • Contents of Android application: manifest, assets, native libraries...
  • Certificates and application signature
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees
  • 3 labs: compiling an Android app, disassembling it, and patching it.

Session 2: Reverse engineering of Android Malware

  • Demo of reverse engineering of Android/SpyNote
  • Exercises on other samples
  • Using Quark Engine to spot malicious behaviour
  • Writing custom rules for Quark Engine
  • Using MobSF for an overview and quick analysis of a sample

Session 3: Dynamic loading and obfuscation

  • Dynamically loaded classes
  • Unpacking packed malware with Dexcalibur
  • Decrypting obfuscated strings with Frida
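As an added example (not part of the training material or the author's tooling), the following stdlib-only Python script does the kind of first-pass static triage that Session 1 introduces (what is inside the archive: manifest, dex files, native libraries, assets, v1 signature files) together with a check relevant to Session 3: assets whose first bytes look like a DEX, ELF or zip file, i.e. a payload the app may unpack and load dynamically. The category names, the `triage_apk`/`classify` helpers and the in-memory sample APK are constructed for this example; the sample is not one of the malware families listed above.

```python
"""Static triage of an APK's contents (added example, not training material).

An APK is a zip archive. This script inventories the pieces the training
discusses (manifest, dex, native libraries, assets, v1 signature files) and
scans assets/ for embedded DEX/ELF/zip payloads that a dropper might load at
runtime. The sample APK built below is constructed for the demo; it is not a
real malware sample.
"""
import io
import zipfile

# Magic bytes that rarely belong in assets/ of a benign app.
PAYLOAD_MAGIC = {
    b"dex\n": "dex",        # Dalvik executable (loaded via DexClassLoader etc.)
    b"\x7fELF": "elf",      # native library or binary
    b"PK\x03\x04": "zip",   # nested APK/JAR/zip
}


def classify(name):
    """Map an archive entry name to a coarse category (example's own scheme)."""
    if name == "AndroidManifest.xml":
        return "manifest"
    if name.startswith("classes") and name.endswith(".dex"):
        return "dex"
    if name.startswith("lib/") and name.endswith(".so"):
        return "native"
    if name.startswith("assets/"):
        return "assets"
    if name.startswith("META-INF/") and name.rsplit(".", 1)[-1].upper() in ("RSA", "DSA", "EC"):
        return "v1_signature"
    return "other"


def triage_apk(src):
    """Return categories, native ABIs and suspicious assets for an APK.

    `src` is a path or a file-like object (anything zipfile.ZipFile accepts).
    """
    categories = {}
    payloads = []
    with zipfile.ZipFile(src) as z:
        for info in z.infolist():
            if info.filename.endswith("/"):
                continue  # directory entry, nothing to inspect
            cat = classify(info.filename)
            categories.setdefault(cat, []).append(info.filename)
            if cat == "assets":
                with z.open(info) as fh:
                    head = fh.read(4)  # longest magic above is 4 bytes
                for magic, kind in PAYLOAD_MAGIC.items():
                    if head.startswith(magic):
                        payloads.append((info.filename, kind))
    abis = sorted({n.split("/")[1] for n in categories.get("native", [])})
    return {
        "categories": {k: sorted(v) for k, v in categories.items()},
        "abis": abis,
        "embedded_payloads": payloads,
        # Caveat: no META-INF/*.RSA|DSA|EC entry does not mean "unsigned"; the
        # APK may be v2/v3-signed only (APK Signing Block), which a zip listing
        # cannot see. Use apksigner to verify the signature for real.
        "has_v1_signature": "v1_signature" in categories,
    }


def build_sample_apk():
    """Constructed in-memory APK with the entry types the triage looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("classes2.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("assets/config.json", b"{}")
        z.writestr("assets/payload.dat", b"dex\n035\x00")  # hidden DEX in assets
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # PKCS#7 DER prefix
        z.writestr("resources.arsc", b"\x02\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for cat, names in result["categories"].items():
        print(f"{cat:14s} {', '.join(names)}")
    print("ABIs:", result["abis"])
    print("embedded payloads:", result["embedded_payloads"])
    print("v1 signature files present:", result["has_v1_signature"])
```

Point `triage_apk()` at a real sample path to get the same overview. A flagged asset is only a lead: confirm it by extracting the entry and decompiling it with JADX, and confirm the signer with `apksigner verify --print-certs <apk>` rather than trusting the presence of a META-INF certificate file.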

Session 4: Advanced reverse engineering

  • De-obfuscation like a Pro
  • Using House
  • Implementing a JEB script
  • Malware abusing Accessibility Services
  • Anti-debug / anti-VM tricks and solutions
  • Detection with APKiD
  • Modifying default Dexcalibur hooks
  • ssdeep and dexofuzzy to find similar samples

Session 5: Malicious network activity

  • Locating the C&C (command-and-control) server of a malware
  • Reversing the contents of an obfuscated HTTP POST
  • Searching through classes with Smalisca
  • Re-activating debug messages with a Frida hook
  • Dealing with native libraries

Tools used during the training

  • Androguard
  • Android Studio
  • APKiD
  • Apksigner
  • APKTool
  • Baksmali / Smali
  • Dexcalibur
  • Frida
  • House
  • JADX
  • JD-GUI
  • JEB
  • MobSF
  • Pithus
  • Quark
  • Smalisca

Required Skills

  • Familiarity with Unix command-line tools
  • Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
  • Be able to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
  • OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.

System Requirements

  • A working laptop capable of running virtual machines
  • 15 GB free Hard disk space
  • Docker and docker-compose: https://docs.docker.com
  • Training container: 'docker pull cryptax/android-re:latest'
  • SSH, SCP and/or VNC client
  • Recent Java Development Kit (JDK)
  • Android Studio: https://developer.android.com/studio/
  • Python 3.x
  • A programming environment of your choice - Vim, Emacs, Sublime, etc.
  • A build environment
  • Discord