Home 
Watch live 
Watch on demand 
Take a workshop 
Chat 
Contact us 
CTA TIPS 
QI-ANXIN 
Reverse Android malware like a Jedi Master
Threat Intelligence and Cyber Resilience
https://vblocalhost.com/programme/#TIPSJoin the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,
and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective
when addressing today's dynamic threat landscape.
Stay ahead of threats with VirusTotal
https://www.virustotal.com/Stay ahead of the next generation of threats and get relevant insights to solve
the most critical security challenges.
We don’t just talk about sharing. We do it every day.
https://www.cyberthreatalliance.org/about-ctaLearn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.
We are a greater team when we work together; our collective efforts magnifies our success and
ensures that we are and remain cyber resilient.
Looking for performance validation for your product?
https://www.virusbulletin.com/testing/Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification
programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service
offering valuable performance feedback for R&D. Email [email protected].
Do you like doing work that matters to you… and really frustrates the bad guys?
https://talosintelligence.com/careersAt Talos, our mission is to make the internet a safer place and fight the good fight for our customers
and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,
we’d like to talk.
F5 helps find malware hiding in plain sight
https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encryptedEncrypted malware is becoming increasingly common, and daisy-chaining security devices is neither
cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with
F5’s innovative products.
Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions
https://www.farsightsecurity.com/get-started-guide/DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated
web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.
VirusTotal: Actionable crowdsourced threat intelligence
https://www.virustotal.com/Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.
Calling all Hackers!
https://www.ise.io/careers/#op-470256-hacker-midseniorprincipalWe are hiring mid-senior-principal level hackers!
Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication
Amazon Information Security - come build the future with us!
https://www.amazon.jobs/en-gb/team/infosecDo you want to work on privacy and security challenges at unprecedented scale?
We have Privacy and Information Security opportunities available now across
the United States, Dublin, Ireland, and Sydney, Australia.
IoT security begins with your Smart TV
https://chomar.link/smarttvCHOMAR Smart TV Security.
Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.
Ransomware prevention starts with zero
https://www.zscaler.com/solutions/security-transformation/ransomware-protectionRansomware attacks are increasing 500% year-over-year.
Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk
at every stage of a ransomware attack.
QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity
https://ti.qianxin.com/marketing/vb2021/QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products
and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and
Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.
Downloads
But we have a few newcomers like Dexcalibur, House, Quark and MobSF. How useful are they? Let's see how well they perform over a few malicious samples of 2020/2021.
In this presentation, I explain how to use/customize those tools for malware analysis. I highlight what they are good for, and their limitations.
For example:
- Dexcalibur and House are similar: they help researchers write Frida hooks. We can unpack Android/Alien in a few clicks with them! Or reveal obfuscated strings. Or bypass with anti-debug features of Android/Ghimob.
- Currently, it is however difficult to hook functions inside a dynamically loaded DEX. This is an issue for packed samples, for which the malicious payload is precisely in that DEX.
- House helps you monitor HTTP requests the sample does. But, honestly, Wireshark does as well. The only addition with House is that we can decrypt posted data (example with Android/EventBot).
- Quark and MobSF are useful to get an overview of samples. We customize Quark to detect socket creation of Android/Sandr, and use MobSF to detect where the malware sends SMS messages.
Disclaimer: I am not the author of those tools, but I have used them frequently (reported bugs, etc.). So, this presentation provides an un-biased (but perhaps incomplete) feedback from an anti-virus analyst's perspective.
Got a question about this presentation? To get in touch with the speaker, contact Axelle by email on [email protected].
Axelle Apvrille
FortinetAxelle is Principle Security Researcher at Fortinet. She focuses on Android malware and IoT malware. She is also the lead organizer of Ph0wn CTF, a CTF dedicated to smart devices. In a prior life - before she joined Fortinet - Axelle used to implement cryptographic algorithms and protocols.