Instrumenting system applications on Android stock images

Presented at REcon 2022, June 3, 2022, 1 p.m. (30 minutes)

Android has the largest install base in the mobile landscape, and with it come many vendors and telecom operators that install system applications on stock images. These are usually background applications running with high privileges, which the user can't uninstall and in some cases can't even disable. A reverser can get the source code of these applications and do static analysis; dynamic analysis, however, is a different story. These are applications running on stock images, which often don't have an initial activity from which to begin executing their main code. Using Google Play Protect Services as a demo application, I will show how system applications can be instrumented with Frida for analysis on stock images, with as few changes to the images as possible. The presentation will cover the several approaches tried, what their limitations were and why they ultimately failed for my purpose. The different approaches may work differently depending on the application and the Android version, so even though they didn't work for Google Play Protect Services they still represent interesting techniques that can be applied in other contexts. The presentation will culminate in the approach that actually made it possible for me to instrument Google Play Protect Services and perform dynamic analysis of it, which also opens the door to future research on the Google Play Protect Services application itself.
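The abstract's starting problem is that a system app with no launcher activity gives you nothing to tap to get its code running before you attach Frida. A practical first check is to read the package's manifest and list the components that can be kicked from `adb shell` instead: exported services, receivers with intent filters, or any exported activity. The script below is an added example and is not code from the talk or from Cisco Talos; the manifest it parses is constructed for the demo, and `suggest_am_commands` is a hypothetical helper that only prints the `am` invocations you would run (as root on a rooted or userdebug image, since a broadcast like BOOT_COMPLETED is protected).

```python
"""Find non-launcher entry points in an Android manifest (added example).

Real manifests come from `aapt2 dump xmltree app.apk --file AndroidManifest.xml`
or apktool; this demo parses a constructed manifest embedded below.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr):
    """Namespace-qualify an android: attribute for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest: a background system service with no MAIN/LAUNCHER
# activity, an exported service, a boot receiver and a private activity.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.systemsvc">
  <application android:label="Example System Service">
    <service android:name=".CollectorService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <activity android:name=".HiddenSettings" android:exported="false"/>
  </application>
</manifest>
"""


def parse_entry_points(manifest_xml):
    """Return the package name, its launcher activities and every component
    that is reachable from outside the app (exported)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    app = root.find("application")
    info = {"package": pkg, "launcher_activities": [], "entry_points": []}
    for comp in app:
        if comp.tag not in ("activity", "activity-alias", "service", "receiver"):
            continue
        name = comp.get(A("name"))
        if name.startswith("."):          # expand the shorthand ".Class" form
            name = pkg + name
        actions = [a.get(A("name")) for a in comp.iter("action")]
        categories = [c.get(A("name")) for c in comp.iter("category")]
        has_filter = comp.find("intent-filter") is not None
        exported_attr = comp.get(A("exported"))
        # Pre-Android-12 default: a component with an intent filter is exported
        # unless android:exported="false"; without a filter it is private unless
        # android:exported="true". Android 12+ requires the attribute explicitly.
        exported = exported_attr == "true" if exported_attr is not None else has_filter
        is_launcher = (comp.tag in ("activity", "activity-alias")
                       and "android.intent.action.MAIN" in actions
                       and "android.intent.category.LAUNCHER" in categories)
        if is_launcher:
            info["launcher_activities"].append(name)
        if exported:
            info["entry_points"].append({"kind": comp.tag, "name": name, "actions": actions})
    return info


def suggest_am_commands(info):
    """Hypothetical helper: build `am` commands that start each exported
    component from `adb shell` so the process exists before Frida attaches."""
    cmds = []
    for ep in info["entry_points"]:
        component = "%s/%s" % (info["package"], ep["name"])
        if ep["kind"] == "service":
            cmds.append("am startservice -n %s" % component)
        elif ep["kind"] == "receiver":
            action = ep["actions"][0] if ep["actions"] else ""
            cmds.append("am broadcast -n %s -a %s" % (component, action))
        else:
            cmds.append("am start -n %s" % component)
    return cmds


if __name__ == "__main__":
    found = parse_entry_points(CONSTRUCTED_MANIFEST)
    print("package:", found["package"])
    print("launcher activities:", found["launcher_activities"] or "none")
    for cmd in suggest_am_commands(found):
        print("adb shell", cmd)
```

With no launcher activity reported, the listed `am` commands are the candidates for getting the process started; once it is up, `frida -U -n <process name>` (or `frida-ps -U` to find it) attaches as usual. Components that are private (`exported="false"` with no filter) are left out because `am` from the shell user cannot reach them.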


Presenters:

  • Vitor Ventura
    Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he has investigated and published various articles on emerging threats. Vitor has spoken at conferences such as VirusBulletin, NorthSec and DEF CON's Crypto and Privacy Village, among others. Prior to that he was IBM X-Force IRIS European manager, where he was the lead responder at several high-profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, leading projects such as connected car assessments, ICS security assessments and custom mobile device assessments. Vitor holds a BSc in Computer Science and multiple security-related certifications such as GREM and CISM.
