Reverse Engineering of Android Malware

Online Training date: October 21-22, 2021.

Abstract

Learn how to reverse engineer Android malware through practice with numerous labs.

Description

Participants learn how to analyze Android malware. The majority of sessions consist of hands-on labs, with exercises on recent Android samples we caught. We focus on typical questions for malware analysts:

  • How to reverse malware safely?
  • How to find out, as quickly as possible, if a given sample is malicious or not?
  • How to locate the remote CnC?
  • How to deal with obfuscated classes, strings and junk code?
  • How to unpack malware without pain?

Day 1: Reverse engineering of Android Malware - Getting started

  • Introduction / Welcome
  • Android malware trends
  • Contents of an Android application: manifest, assets, native libraries…
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees
  • Several labs: disassembling an app and patching it, using Smalisca, Quark and MobSF

Day 2: Dynamic load and obfuscation

  • Dynamically loaded classes
  • Unpacking malware with Dexcalibur, House, MobSF
  • Decrypting obfuscated strings with Frida
  • Implementing a JEB script
  • Malware abusing Accessibility Services
  • Anti-debug/VM tricks and solutions based
  • Detection with APKiD
  • Nearly 100% labs!
  • Conclusion

Optional content: Network activity and native libraries

  • Locating the CnC of a malware
  • Reversing the contents of an obfuscated HTTP Post
  • Re-activating debug messages with a Frida hook
  • Dealing with native libraries
  • Training exam

About the Speaker