Abstract
In this training, you will learn how to analyze Android malware and understand what it does. The training consists mostly of hands-on lab sessions, with demos and many exercises on real and recent Android malware. Of course, you also learn how to handle those malware samples safely ;-)
Malware Samples covered during the training
- Android/Alien
- Android/Bahamut
- Android/BianLian
- Android/Joker
- Android/EventBot
- Android/Ghimob
- Android/Locker
- Android/Recieve
- Android/Sandr
- Android/SpyMax
- Android/SpySms
Agenda
Session 1: First steps with malware reverse engineering
- Introduction / Welcome
- Contents of Android applications: manifest, assets, native libraries...
- Presentation of Reverse Engineering tools
- Setup of tools. A dedicated Docker container is provided to attendees.
- Demo of reverse engineering
- Reconnaissance tools: DroidLysis, Quark Engine and MobSF
- Labs: disassemble your own samples + defeat a screen locker
Session 2: Unpacking
- Dynamically loaded classes
- Unpacking manually
- Smart unpacking... or unpacking with luck?
- Unpacking with Frida, Dexcalibur, House, Frida-Dexdump
- Difficult cases
- Recognizing packers
- Labs: unpacking several samples packed with different mechanisms
Session 3: Deobfuscation
- Understanding obfuscation algorithms
- Writing Frida scripts to de-obfuscate
- Deobfuscation with House
- Implementing a JEB script to deobfuscate
- Labs: de-obfuscation of several samples
Session 4: Anti-debug / Native code
- Malware abusing Accessibility Services
- Anti-debug/VM tricks
- Detection with APKiD
- Modifying default Dexcalibur hooks
- Re-activating debug messages with a Frida hook
- Loading native library and disassembly of native code
- Labs for each of these topics
Session 5: Network analysis
- Locating the C&C server of a malware
- Reversing the contents of an obfuscated HTTP POST request
- Tracing URLs and encryption with MobSF
- Wrap-up of the training with a complete analysis of samples
- Labs with Wireshark, House, MobSF
Tools used during the training
- Android Studio
- APKiD
- Apktool
- Baksmali / smali
- Dexcalibur
- Dex2jar
- DroidLysis
- Frida
- Frida-Dexdump
- House
- JADX
- JD-Gui
- JEB
- MobSF
- Pithus
- Quark
- Smalisca
Required Skills
- Familiarity with Unix command-line tools
- Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
- Ability to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
- OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.
System Requirements
- A working laptop capable of running virtual machines
- 15 GB of free hard disk space
- Docker and docker-compose: https://docs.docker.com
- Training container: 'docker pull cryptax/android-re:latest'
- SSH, SCP and/or VNC client
- Recent Java Development Kit (JDK)
- Android Studio: https://developer.android.com/studio/
- Python 3.x
- A programming environment of your choice (Vim, Emacs, Sublime, etc.)
- A build environment
- Discord