Unpacking the packed unpacker: reversing an Android anti-analysis library

Wednesday 3 October 14:00 - 14:30, Red room

Maddie Stone (Google)



Malware authors implement many different techniques to frustrate analysis and make reverse engineering the malware more difficult. Many of these anti-analysis and anti-reverse engineering techniques attempt to send a reverse engineer down a different investigation path or require them to invest large amounts of time reversing simple code. This talk analyses one of the most robust anti-analysis native libraries we’ve seen in the Android ecosystem.

I will discuss each of the techniques the malware authors used to prevent reverse engineering of their Android native library, including manipulating the Java Native Interface, encryption, run-time environment checks, and more. This talk walks through the steps required to get past each anti-analysis trap and expose what the library is trying to hide.


Maddie Stone

Maddie Stone is a reverse engineer on Google's Android Security team where she reverses all the bytes to keep malware off the phones of Android users. She has also spent many years deep in the circuitry and firmware of embedded devices including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavours of Renesas (SH2, SH4, R8C, M16C), and more. Maddie is the creator of the IDAPython Embedded Toolkit. She has previously spoken at international security conferences including REcon Montreal, OffensiveCon, Black Hat USA, and DerbyCon. Maddie has a Bachelor's degree in computer science and Russian language and a Master's degree in computer science, all from Johns Hopkins University.

@maddiestone

