Presented at VB2018, Oct. 3, 2018, 2:30 p.m. (30 minutes).
Modern *Android* malware takes full advantage of the internet: it executes remote tasks received from command & control servers, generates fraudulent ad clicks, and even mines cryptocurrency by downloading and running crypto-mining code within the victim's web browser. Well-known analysis tools such as *JEB*, *Apktool* and *Radare2* are widely used to analyse malicious *Android* apps, but dealing with packed or obfuscated apps remains a very challenging task. Analysing the network activity helps enormously in understanding an obfuscated app's logic; the main difficulty is being able to quickly establish a relationship between decompiled code and network traffic.
Using a packet sniffer in an *Android* environment is not as straightforward as it seems. To intercept TLS/SSL traffic with a man-in-the-middle proxy, the proxy's CA certificate has to be installed on the test device, or the TLS session keys have to be supplied to a packet analyser such as *Wireshark*. *Android*-based packet analysers can link packet data to each app on the device but offer clumsy features for downloading or analysing the packets, while computer-based packet analysers are the exact opposite.
In this paper, we will present:
* An overview of the latest *Google Play* and non-*Google Play* *Android* threats, such as drive-by Cryptominer, Fraudclicker and Dropper, which download malicious payloads from a remote server.
* Demonstrations of several existing packet-analysing tools, both *Android*-based and computer-based, showing why they fail to achieve the tasks required in threat research.
* Our practical tools, which allow researchers to capture all packets for each app, deeply inspect hundreds of network packets, and highlight potentially suspicious packets carrying HTML, JavaScript or PHP for quick and intuitive analysis.
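The third bullet describes triage of captured traffic by payload type. The script below is an added example, not code from the paper or from the presenters' tools: it parses constructed HTTP responses attributed to constructed package names, classifies each body as HTML, JavaScript or PHP from the declared Content-Type and a sniff of the body, and flags the cases a researcher would want surfaced first, such as active content served under an innocuous type (a "PNG" that is really HTML) and HTML that pulls in a remote script. The package names, URLs, responses and heuristics are all assumptions for illustration.

```python
"""Triage captured HTTP responses by payload type (added example).

Assumptions: responses are HTTP/1.x with CRLF headers, and the (app, url,
raw_response) tuples are constructed test data, not real captures.
"""
import re
from dataclasses import dataclass, field

ACTIVE_TYPES = ("html", "javascript", "php")

@dataclass
class Triaged:
    app: str
    url: str
    declared_type: str   # Content-Type as sent by the server
    label: str           # "html", "javascript", "php" or "other"
    flags: list = field(default_factory=list)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into status line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

# Body sniffing: order matters, PHP source is the most specific signal.
_PHP_RE = re.compile(rb"<\?php\b")
_HTML_RE = re.compile(rb"<(html|script|body|iframe)\b", re.I)
_JS_RE = re.compile(rb"\b(function\b|eval\(|document\.|window\.)")
_SCRIPT_SRC_RE = re.compile(rb"<script[^>]+src=", re.I)

def sniff_body(body: bytes) -> str:
    """Classify the first 4 KiB of a body regardless of what the server claims."""
    sample = body[:4096]
    if _PHP_RE.search(sample):
        return "php"
    if _HTML_RE.search(sample):
        return "html"
    if _JS_RE.search(sample):
        return "javascript"
    return "other"

def declared_label(content_type: str) -> str:
    """Map the Content-Type header (parameters stripped) to a coarse label."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "text/html":
        return "html"
    if ctype in ("application/javascript", "text/javascript", "application/x-javascript"):
        return "javascript"
    if ctype in ("application/x-httpd-php", "text/x-php"):
        return "php"
    return "other"

def triage(app: str, url: str, raw: bytes) -> Triaged:
    """Label one captured response and attach review flags."""
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    declared = declared_label(ctype)
    sniffed = sniff_body(body)
    label = sniffed if sniffed != "other" else declared  # trust the body over the header
    flags = []
    if label in ACTIVE_TYPES:
        flags.append(f"active-content:{label}")
    if declared == "other" and sniffed != "other":
        # Active content hiding behind an innocuous or missing Content-Type.
        flags.append(f"type-mismatch:{ctype or 'none'}->{sniffed}")
    if label == "html" and _SCRIPT_SRC_RE.search(body):
        flags.append("remote-script-include")
    return Triaged(app, url, ctype, label, flags)

def suspicious(captures) -> list:
    """Return only the responses that raised at least one flag, in capture order."""
    return [t for t in (triage(*c) for c in captures) if t.flags]

# Constructed captures: (package name, request URL, raw response).
CAPTURES = [
    ("com.example.wallpaper", "http://cdn.example.test/app.png",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
     b"<script src=\"http://cdn.example.test/m.js\"></script>"),
    ("com.example.wallpaper", "http://cdn.example.test/m.js",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
     b"function start(){ document.body.appendChild(document.createElement('iframe')); }"),
    ("com.example.news", "http://news.example.test/feed.json",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
     b'{"items": []}'),
    ("com.example.wallpaper", "http://cdn.example.test/task",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
     b"<?php echo base64_decode($_GET['p']); ?>"),
]

if __name__ == "__main__":
    for t in suspicious(CAPTURES):
        print(f"{t.app:24} {t.label:10} {t.url}  {', '.join(t.flags)}")
```

Keying every result on the package name is what makes the per-app view possible; on a device the mapping from socket to app comes from the UID that owns the connection, which this example simply takes as given in the constructed input.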
Presenters:
Rowland Yu (Sophos)
Rowland Yu is a senior threat researcher level 2 at Sophos. He joined SophosLabs as a spam analyst in 2006, before moving into the role of virus threat researcher for advanced threat research, reverse engineering and remediation. Rowland has also led anti-spam and DLP research in the Australian SophosLabs. After the first Android malware was revealed in 2012, Rowland believed Android would become 'the new Windows' for malware and dedicated most of his time to Android security. Now Rowland is the primary researcher leading the Android team for malware analysis and emerging threats. He is also a frequent speaker at Virus Bulletin, RSA, and AVAR conferences. @rowlandy