Android reverse engineering tools: not the usual suspects

Thursday 5 October 11:00 - 11:30, Green room

Axelle Apvrille (Fortinet)



In the Android security field, anti-virus analysts and security researchers have probably all used some of the well-known tools such as apktool, smali, baksmali, dex2jar, and perhaps androguard. These tools are indeed must-haves for Android malware analysis. However, there are other interesting tools, which are seldom covered in conferences, and that's what this talk is about.

We will cover advanced tips and tricks for Android malware analysts and how to cope with specific situations such as those described below:

  • Android emulators often need to be shared with co-workers who typically need to test a given malicious sample but don't have the time to set up the entire Android environment. A docker image is an excellent workaround. However, there are a few tricks to write the image. The talk explains how.

  • JEB is a professional Android application decompiler. Many people in the VB audience will have used it, but what about JEB scripts? Similar to IDA plug-ins for disassembly, JEB scripts are powerful, but difficult to write. There is API documentation and a few examples, but no real tutorial or starting point. The talk explains how to write a string de-obfuscation routine, used for Android/Ztorg samples. (Note: I am not affiliated with PNF Software, the makers of JEB - this is independent advice.)

  • Debugging. Malware analysts all dream of running malware step by step to understand what it does. There are tools to do so: JEB (again) and also CodeInspect. We'll demonstrate, for instance, on Riskware/InnerSnail and decide if the dream can be a reality or not.
  • HTTPS. More and more Android applications use TLS to secure their communication flows. It is then more difficult for analysts to make sense of it. The solution is man-in-the-middle, and we explain how to set it up for Android smartphones.

  • Radare2 is a command-line reverse engineering framework. It supports many architectures, including Dalvik. We'll show how to use it on a malicious sample, and in particular how to find method or field cross references.

 

Axelle-Apvrille-web.jpg

Axelle Apvrille 

Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called 'smart' devices (smart phones, smart watches or other objects).

Known in the community by her more or less mysterious handle "Crypto Girl", she turns red each time someone mentions using MD5 (or CRC...) for hashing.

@cryptax


   Download slides

VB2018 MONTREAL!

VB2017 OVERVIEW

VB2017 SPEAKERS

VB2017 PROGRAMME

VB2017 PHOTOS

2017 PÉTER SZŐR AWARD


Other VB2017 papers

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…