Wednesday 3 October 14:30 - 15:00, Red room
Rowland Yu (Sophos)
Modern Android malware makes full use of the internet: it executes remote tasks received from command-and-control servers, commits click fraud, and even mines cryptocurrency by downloading and running mining code inside the victim's web browser. Well-known analysis tools such as JEB, Apktool and Radare2 are widely used to analyse malicious Android apps, but packed or obfuscated apps remain a very challenging target. Analysing an app's network activity helps enormously in understanding the logic of an obfuscated app; the main difficulty is quickly establishing the relationship between the decompiled code and the network traffic it produces.
Using a packet sniffer in an Android environment is less straightforward than it seems. To support a man-in-the-middle setup, a certificate has to be configured for TLS decryption, either on the test device or in a packet analyser such as Wireshark; note that since Android 7 (API level 24) apps trust only the system CA store by default, so a user-installed interception CA is ignored unless the device is rooted and the CA is added to the system store, or the app opts in through its network security configuration. Android-based packet analysers can link packet data to the app on the device that generated it, but are clumsy for exporting and analysing the captures; computer-based packet analysers have exactly the opposite strengths and weaknesses.
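The per-app attribution that on-device analysers provide can be reproduced on the analyst's machine by joining the device's socket table with its package list. The following is an added example (not code from the talk or from Sophos) that parses /proc/net/tcp or /proc/net/tcp6 and /data/system/packages.list, both assumed to have been pulled from a rooted test device with adb, and maps a captured packet's 4-tuple to the package that owns the socket. The two sample tables are constructed in those files' formats; the function names are the example's own.

```python
"""Attribute TCP flows seen in a capture to Android packages.

Added example, not the talk's own code. Assumes /proc/net/tcp{,6} and
/data/system/packages.list were pulled from a rooted device via adb;
the sample strings below are constructed, not taken from a real device.
"""
import socket

# Constructed sample in /proc/net/tcp layout. Addresses are hex with each
# 32-bit word stored little-endian (as on ARM/x86 devices); ports are hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10073        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02A8C0:C2B4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10073        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0F02A8C0:C2B8 681ECB6C:0050 01 00000000:00000000 00:00000000 00000000 10120        0 12350 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample in /proc/net/tcp6 layout (IPv4-mapped address).
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000F02A8C0:C2C0 0000000000000000FFFF00005DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10073        0 12360 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample in packages.list layout: name uid debuggable datadir seinfo gids
SAMPLE_PACKAGES_LIST = """\
com.example.game 10073 0 /data/user/0/com.example.game default:targetSdkVersion=26 3003
com.android.chrome 10120 0 /data/user/0/com.android.chrome default:targetSdkVersion=28 3003,3002
"""

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
              0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
              0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}

AID_USER_OFFSET = 100000  # Android multi-user uid = user * 100000 + app id


def _decode_addr(hexaddr):
    """Decode 'HEXIP:HEXPORT' from /proc/net/tcp{,6} into (dotted/colon ip, port)."""
    host_hex, port_hex = hexaddr.split(":")
    # Reverse the bytes of every 4-byte word to undo the kernel's little-endian dump.
    raw = b"".join(bytes.fromhex(host_hex[i:i + 8])[::-1] for i in range(0, len(host_hex), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    ip = socket.inet_ntop(family, raw)
    if ip.startswith("::ffff:"):  # IPv4-mapped socket: a pcap shows the plain IPv4 address
        ip = ip[len("::ffff:"):]
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row; the header line is skipped by the 'N:' check."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue
        flows.append({
            "local": _decode_addr(parts[1]),
            "remote": _decode_addr(parts[2]),
            "state": TCP_STATES.get(int(parts[3], 16), parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return flows


def parse_packages_list(text):
    """Map app id -> list of package names (a sharedUserId gives several names per uid)."""
    apps = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            apps.setdefault(int(parts[1]), []).append(parts[0])
    return apps


def attribute_flows(proc_text, packages_text):
    """Join socket rows with the package list on app id (uid with the user offset stripped)."""
    apps = parse_packages_list(packages_text)
    flows = parse_proc_net_tcp(proc_text)
    for flow in flows:
        flow["packages"] = apps.get(flow["uid"] % AID_USER_OFFSET, [])
    return flows


def app_for_packet(flows, src_ip, src_port, dst_ip, dst_port):
    """Find the package(s) owning the socket behind a captured outbound packet's 4-tuple."""
    for flow in flows:
        if flow["local"] == (src_ip, src_port) and flow["remote"] == (dst_ip, dst_port):
            return flow["packages"]
    return []


if __name__ == "__main__":
    for flow in attribute_flows(SAMPLE_PROC_NET_TCP, SAMPLE_PACKAGES_LIST):
        print(flow["state"], flow["local"], "->", flow["remote"], flow["packages"])
```

The socket table has to be sampled while the connections are alive (polling `adb shell cat /proc/net/tcp6` during the capture is enough for connections that last more than a second), and a flow that has already reached TIME_WAIT or been closed will not be attributable from this data; short-lived beacons are better caught by a per-uid capture on the device.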
In this paper, we will present: