Android reverse engineering tools: not the usual suspects

Thursday 5 October 11:00 - 11:30, Green room

Axelle Apvrille (Fortinet)

In the Android security field, anti-virus analysts and security researchers have probably all used some of the well-known tools such as apktool, smali, baksmali, dex2jar, and perhaps androguard. These tools are indeed must-haves for Android malware analysis. However, there are other interesting tools, which are seldom covered in conferences, and that's what this talk is about.

We will cover advanced tips and tricks for Android malware analysts and how to cope with specific situations such as those described below:

  • Android emulators often need to be shared with co-workers who typically need to test a given malicious sample but don't have the time to set up the entire Android environment. A docker image is an excellent workaround. However, there are a few tricks to writing the image, and the talk explains them.

  • JEB is a professional Android application decompiler. Many people in the VB audience will have used it, but what about JEB scripts? Similar to IDA plug-ins for disassembly, JEB scripts are powerful but difficult to write. There is API documentation and a few examples, but no real tutorial or starting point. The talk explains how to write a string de-obfuscation routine, used for Android/Ztorg samples. (Note: I am not affiliated with PNF Software, the makers of JEB - this is independent advice.)

  • Debugging. Malware analysts all dream of running malware step by step to understand what it does. There are tools to do so: JEB (again) and also CodeInspect. We'll demonstrate, for instance, on Riskware/InnerSnail and decide whether the dream can be a reality or not.

  • HTTPS. More and more Android applications use TLS to secure their communication flows, which makes it harder for analysts to inspect the traffic. The solution is a man-in-the-middle proxy, and we explain how to set it up for Android smartphones.

  • Radare2 is a command-line reverse engineering framework. It supports many architectures, including Dalvik. We'll show how to use it on a malicious sample, and in particular how to find method or field cross references.


Axelle Apvrille

Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called 'smart' devices (smart phones, smart watches or other objects).

Known in the community by her more or less mysterious handle "Crypto Girl", she turns red each time someone mentions using MD5 (or CRC...) for hashing.

@cryptax
