Welcome to the VB2021 conference!


Reverse Android malware like a Jedi Master

Axelle Apvrille (Fortinet)
Every Jedi padawan has reversed Android malware using Apktool, Baksmali and a disassembler. The more experienced among you have written automated plug-ins or scripts (for Radare, JEB) or implemented hooks using Frida. All those tools are excellent, and they are useful to everyone - padawans and masters alike.

But there are a few newcomers: Dexcalibur, House, Quark and MobSF. How useful are they? Let's see how well they perform on a few malicious samples from 2020/2021.

In this presentation, I explain how to use and customize those tools for malware analysis, and I highlight what they are good for and where their limitations lie.

For example:
  • Dexcalibur and House are similar: they help researchers write Frida hooks. With them, we can unpack Android/Alien in a few clicks, reveal obfuscated strings, or bypass the anti-debug features of Android/Ghimob.

  • Currently, however, it is difficult to hook functions inside a dynamically loaded DEX. This is a problem for packed samples, where the malicious payload lives precisely in that DEX.

  • House helps you monitor the HTTP requests the sample makes. But, honestly, so does Wireshark. What House adds is that we can decrypt the posted data (example with Android/EventBot).

  • Quark and MobSF are useful for getting an overview of samples. We customize Quark to detect socket creation in Android/Sandr, and use MobSF to locate where the malware sends SMS messages.

Disclaimer: I am not the author of those tools, but I have used them frequently (reported bugs, etc.). So, this presentation provides unbiased (but perhaps incomplete) feedback from an anti-virus analyst's perspective.
Axelle Apvrille
Fortinet

Axelle is Principal Security Researcher at Fortinet. She focuses on Android malware and IoT malware. She is also the lead organizer of Ph0wn CTF, a CTF dedicated to smart devices. In a prior life - before she joined Fortinet - Axelle used to implement cryptographic algorithms and protocols.