Every Jedi padawan has reversed Android malware using Apktool, Baksmali and a disassembler. The more experienced among you have written automated plug-ins or scripts (for Radare, JEB) or implemented hooks using Frida. All those tools are excellent, and they are useful to everyone - padawans or masters.
But we have a few newcomers like Dexcalibur, House, Quark and MobSF. How useful are they? Let's see how well they perform on a few malicious samples from 2020/2021.
In this presentation, I explain how to use/customize those tools for malware analysis. I highlight what they are good for, and their limitations.
For example:
- Dexcalibur and House are similar: they help researchers write Frida hooks. We can unpack Android/Alien in a few clicks with them! Or reveal obfuscated strings. Or bypass the anti-debug features of Android/Ghimob.
- Currently, however, it is difficult to hook functions inside a dynamically loaded DEX. This is an issue for packed samples, for which the malicious payload is precisely in that DEX.
- House helps you monitor the HTTP requests a sample makes. But, honestly, Wireshark does that as well. What House adds is that we can decrypt the posted data (example with Android/EventBot).
- Quark and MobSF are useful to get an overview of samples. We customize Quark to detect socket creation in Android/Sandr, and use MobSF to locate where the malware sends SMS messages.
Disclaimer: I am not the author of those tools, but I have used them frequently (reported bugs, etc.). So, this presentation provides unbiased (but perhaps incomplete) feedback from an anti-virus analyst's perspective.
Got a question about this presentation? To get in touch with the speaker, contact Axelle by email on [email protected].