Workshop: Android malware reverse engineering for the brave

Thursday 4 October 14:00 - 15:30, Small talks

Axelle Apvrille (Fortinet)



This workshop explains how to reverse engineer Android malware. It consists of several guided labs where participants work on real malware within a virtual environment. The malicious samples are all recent - less than a year old.

After a quick tour of the basic skills and tricks to reverse engineer Android samples, the training covers the following topics:

  • Dealing with obfuscated samples
  • Writing Radare2 scripts
  • Hooking the malicious application with Frida

Expected skills:

  • You should be at ease with Unix environments, and able to write quick (and dirty) code
  • There will be special labs that beginners can do at their own pace
  • The other labs (e.g Radare2, Frida, etc.) willl be of interest to more experienced reverse engineers

Equipment:

  • Attendees should bring their own laptop, pre-installed with Docker (see below)
  • Note the workshop mostly consists of labs, so a laptop is necessary


PLEASE FOLLOW THE FOLLOWING INSTALLATION INSTRUCTIONS BEFORE THE LAB!

REQUIREMENTS:

  • 64-bit laptop
  • At least 6 GB of free disk space
  • Docker (community edition is fine)
  • SSH client and/or vncviewer

INSTALL:

  • Install Docker and check it works
  • Pull the lab's image: docker pull cryptax/android-re:latest

That's all!

To test it:

1. docker run -d --name workshop-test -p 5022:22 -p 5900:5900 cryptax/android-re

2. If you use ssh: ssh -X -p 5022 root@127.0.0.1
If you use vncviewer: vncviewer 127.0.0.1::5900
The password is rootpass

3. In the Docker container, run: emulator7 &
Wait (may be long) to ensure the Android emulator opens up correctly

 

Axelle-Apvrille-web.jpg

Axelle Apvrille

@cryptax



Other VB2018 papers

The role of malware in intelligence operations (partner presentation)

Kenneth Geers (Comodo Cybersecurity)

Lightning talks – innovation in threat intel

Sayeed Abu-Nimeh (Seclytics)
Matthias Leisi (DNS Whitelist (DNSWL))

Botception: hire a botnet to spread one's own botnet

Jan Sirmer (Avast Software s.r.o)
Adolf Streda (Avast Software s.r.o)

Back to VB2018 Programme page

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.