Android reverse engineering tools: not the usual suspects

Presented at VB2017, Oct. 5, 2017, 11 a.m. (30 minutes)

In the *Android* security field, anti-virus analysts and security researchers have probably all used some of the well-known tools such as *apktool*, *smali*, *baksmali*, *dex2jar*, and perhaps *androguard*. These tools are indeed must-haves for *Android* malware analysis. However, there are other interesting tools, which are seldom covered in conferences, and that's what this talk is about. We will cover advanced tips and tricks for *Android* malware analysts and how to cope with specific situations such as those described below: * *Android* emulators often need to be shared with co-workers who typically need to test a given malicious sample but don't have the time to set up the entire *Android* environment. A docker image is an excellent workaround. However, there are a few tricks to write the image. The talk explains how. * JEB is a professional *Android* application decompiler. Many people in the *VB* audience will have used it, but what about JEB scripts? Similar to *IDA* plug-ins for disassembly, JEB scripts are powerful, but difficult to write. There is API documentation and a few examples, but no real tutorial or starting point. The talk explains how to write a string de-obfuscation routine, used for *Android*/Ztorg samples. (*Note: I am not affiliated with PNF Software, the makers of JEB - this is independent advice.*) * Debugging. Malware analysts all dream of running malware step by step to understand what it does. There are tools to do so: JEB (again) and also CodeInspect. We'll demonstrate, for instance, on Riskware/InnerSnail and decide if the dream can be a reality or not. * HTTPS. More and more *Android* applications use TLS to secure their communication flows. It is then more difficult for analysts to make sense of it. The solution is man-in-the-middle, and we explain how to set it up for *Android* smartphones. * Radare2 is a command-line reverse engineering framework. It supports many architectures, including Dalvik. We'll show how to use it on a malicious sample, and in particular how to find method or field cross references.

Presenters:

  • Axelle Apvrille - Fortinet
    Axelle Apvrille Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called 'smart' devices (smart phones, smart watches or other objects). Known in the community by her more or less mysterious handle "Crypto Girl", she turns red each time someone mentions using MD5 (or CRC...) for hashing. @cryptax

Links:

Similar Presentations: