Reverse Engineering of Modern Android Malware

2 DAY / 16 CPE HOUR TRAINING: FEBRUARY 2022 * WEEK 2: FEB 21-25
Axelle Apvrille

Abstract

In this training, you will learn how to analyze Android malware and understand what it is doing. The training consists mostly of hands-on lab sessions, with demos and many exercises on real, recent Android malware. Of course, you also learn how to handle those samples safely ;-)

Malware Samples covered during the training

  • Android/Alien
  • Android/Bahamut
  • Android/BianLian
  • Android/Joker
  • Android/EventBot
  • Android/Ghimob
  • Android/Locker
  • Android/Recieve
  • Android/Sandr
  • Android/SpyMax
  • Android/SpySms

Agenda

Session 1: First steps with malware reverse engineering

  • Introduction / Welcome
  • Contents of Android applications: manifest, assets, native libraries...
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees.
  • Demo of reverse engineering
  • Reconnaissance tools: DroidLysis, Quark Engine and MobSF
  • Labs: disassemble your own samples + defeat a screen locker

Session 2: Unpacking

  • Dynamically loaded classes
  • Unpacking manually
  • Smart unpacking... or unpacking with luck?
  • Unpacking with Frida, Dexcalibur, House, Frida-Dexdump
  • Difficult cases
  • Recognizing packers
  • Labs: unpacking several samples packed with different mechanisms

Session 3: Deobfuscation

  • Understanding obfuscation algorithms
  • Writing Frida scripts to de-obfuscate
  • Deobfuscation with House
  • Implementing a JEB script to deobfuscate
  • Labs: de-obfuscation of several samples

Session 4: Anti-debug / Native code

  • Malware abusing Accessibility Services
  • Anti-debug/VM tricks
  • Detection with APKiD
  • Modifying default Dexcalibur hooks
  • Re-activating debug messages with a Frida hook
  • Loading native libraries and disassembling native code
  • Labs for each of these

Session 5: Network analysis

  • Locating the CnC server of a malware
  • Reversing the contents of an obfuscated HTTP POST
  • Tracing URLs and encryption with MobSF
  • Wrap up training with complete analysis of samples
  • Labs with Wireshark, House, MobSF

Tools used during the training

  • Android Studio
  • APKiD
  • Apktool
  • Baksmali / smali
  • Dexcalibur
  • Dex2jar
  • DroidLysis
  • Frida
  • Frida-Dexdump
  • House
  • JADX
  • JD-Gui
  • JEB
  • MobSF
  • Pithus
  • Quark
  • Smalisca

Required Skills

  • Familiarity with Unix command-line tools
  • Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
  • Ability to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
  • OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.

System Requirements

  • A working laptop capable of running virtual machines
  • 15 GB free Hard disk space
  • Docker and docker-compose: https://docs.docker.com
  • Training container: 'docker pull cryptax/android-re:latest'
  • SSH, SCP and/or VNC client
  • Recent Java Development Kit (JDK)
  • Android Studio: https://developer.android.com/studio/
  • Python 3.x
  • A programming environment of your choice - Vim, Emacs, Sublime, etc.
  • A build environment
  • Discord