Reverse Engineering of Modern Android Malware

2 DAY, 16 CPE HOUR TRAINING: FEBRUARY 2022 * WEEK 2: FEB 21-25

Axelle Apvrille

Abstract

In this training, you will learn how to analyze Android malware and understand what it does. The training consists mostly of hands-on lab sessions, with demos and many exercises on real and recent Android malware. Of course, you also learn how to handle those malware samples safely ;-)

Malware Samples covered during the training

  • Android/Alien
  • Android/Bahamut
  • Android/BianLian
  • Android/Joker
  • Android/EventBot
  • Android/Ghimob
  • Android/Locker
  • Android/Recieve
  • Android/Sandr
  • Android/SpyMax
  • Android/SpySms

Agenda

Session 1: First steps with malware reverse engineering

  • Introduction / Welcome
  • Contents of Android applications: manifest, assets, native libraries...
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees.
  • Demo of reverse engineering
  • Reconnaissance tools: DroidLysis, Quark Engine and MobSF
  • Labs: disassemble your own samples + defeat a screen locker

Session 2: Unpacking

  • Dynamically loaded classes
  • Unpacking manually
  • Smart unpacking... or unpacking with luck?
  • Unpacking with Frida, Dexcalibur, House, Frida-Dexdump
  • Difficult cases
  • Recognizing packers
  • Labs: unpacking several samples packed with different mechanisms
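As an added illustration (not part of the training material or the trainer's tooling), here is a small Python triage script that ties the Session 1 point about APK contents to the Session 2 theme of dynamically loaded code. It inventories the manifest, the top-level DEX files, native libraries per ABI and assets, then flags any other embedded file whose first bytes carry a DEX, ZIP/JAR/APK or ELF magic, regardless of its extension. A code payload hidden under assets/ is the usual first hint that a packer or a DexClassLoader-style loader is involved. The APK it inspects is constructed in memory (a stub with the right layout, not a real sample), the script only reads bytes and never runs anything, and the flagging thresholds are the author's assumptions, not a rule from any of the tools listed on this page.

```python
"""Static triage of an APK (a zip file): inventory its contents and flag
hints of packing or dynamically loaded code. Added example, not course
material; the sample APK below is constructed in memory."""
import hashlib
import io
import re
import zipfile

# Magics that identify code containers even when the extension lies.
# These are assumptions about what a packer typically hides, not a
# signature database.
MAGICS = {
    b"dex\n": "dex",            # Dalvik executable
    b"PK\x03\x04": "zip/jar/apk",  # secondary JAR/APK/ZIP payload
    b"\x7fELF": "elf",          # native code outside lib/
}
# Extensions worth reporting even without a recognised magic.
CODE_EXTS = (".dex", ".jar", ".apk", ".zip")


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real sample: minimal APK layout plus a
    zip payload under assets/ with a misleading .bin extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("classes2.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 32)
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\0" * 32)
        z.writestr("assets/fonts/readme.txt", b"nothing to see here")
        z.writestr("assets/data.bin", b"PK\x03\x04" + b"\0" * 32)  # hidden zip
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


def triage(apk_bytes: bytes) -> dict:
    """Return a summary dict: hash, manifest presence, DEX list, native
    libs per ABI, asset list and 'hidden_code' entries (name, kind)."""
    info = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "has_manifest": False,
        "dex_files": [],
        "native_libs": {},
        "assets": [],
        "hidden_code": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name == "AndroidManifest.xml":
                info["has_manifest"] = True
            elif re.fullmatch(r"classes\d*\.dex", name):
                info["dex_files"].append(name)
            elif name.startswith("lib/"):
                # lib/<abi>/<file>.so is the expected place for native code
                parts = name.split("/")
                if len(parts) == 3:
                    info["native_libs"].setdefault(parts[1], []).append(parts[2])
            else:
                if name.startswith("assets/"):
                    info["assets"].append(name)
                head = z.read(name)[:4]
                kind = next((k for m, k in MAGICS.items() if head.startswith(m)), None)
                if kind is None and name.lower().endswith(CODE_EXTS):
                    kind = "by extension"
                if kind:
                    info["hidden_code"].append((name, kind))
    # classes.dex, classes2.dex, classes3.dex ... in numeric order
    info["dex_files"].sort(key=lambda n: int(n[7:-4] or 1))
    return info


if __name__ == "__main__":
    report = triage(build_sample_apk())
    print("sha256      :", report["sha256"])
    print("manifest    :", report["has_manifest"])
    print("dex files   :", report["dex_files"])
    print("native libs :", report["native_libs"])
    for name, kind in report["hidden_code"]:
        print(f"SUSPECT     : {name} looks like {kind}; check for dynamic loading")
```

On a real sample, run this from inside the analysis container rather than on the host, and use the flagged entries as the starting point for the unpacking work: a DEX or ZIP magic under assets/ usually means the interesting classes are not in classes.dex at all.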

Session 3: Deobfuscation

  • Understanding obfuscation algorithms
  • Writing Frida scripts to de-obfuscate
  • Deobfuscation with House
  • Implementing a JEB script to deobfuscate
  • Labs: de-obfuscation of several samples

Session 4: Anti-debug / Native code

  • Malware abusing Accessibility Services
  • Anti-debug/VM tricks
  • Detection with APKiD
  • Modifying default Dexcalibur hooks
  • Re-activating debug messages with a Frida hook
  • Loading native library and disassembly of native code
  • Labs for each of these

Session 5: Network analysis

  • Locating the C&C server of a malware sample
  • Reversing the contents of an obfuscated HTTP POST
  • Tracing URLs and encryption with MobSF
  • Wrap up training with complete analysis of samples
  • Labs with Wireshark, House, MobSF

Tools used during the training

  • Android Studio
  • APKiD
  • Apktool
  • Baksmali / smali
  • Dexcalibur
  • Dex2jar
  • DroidLysis
  • Frida
  • Frida-Dexdump
  • House
  • JADX
  • JD-Gui
  • JEB
  • MobSF
  • Pithus
  • Quark
  • Smalisca

Required Skills

  • Familiarity with Unix command-line tools
  • Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
  • Be able to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
  • OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.

System Requirements

  • A working laptop capable of running virtual machines
  • 15 GB free Hard disk space
  • Docker and docker-compose: https://docs.docker.com
  • Training container: 'docker pull cryptax/android-re:latest'
  • SSH, SCP and/or VNC client
  • Recent Java Development Kit (JDK)
  • Android Studio: https://developer.android.com/studio/
  • Python 3.x
  • A programming environment of your choice - Vim, Emacs, Sublime, etc.
  • A build environment
  • Discord