Unpacking the packed unpacker: reversing an Android anti-analysis library

Presented at VB2018, Oct. 3, 2018, 2 p.m. (30 minutes).

Malware authors implement many different techniques to frustrate analysis and make reverse engineering the malware more difficult. Many of these anti-analysis and anti-reverse engineering techniques attempt to send a reverse engineer down a different investigation path or require them to invest large amounts of time reversing simple code. This talk analyses one of the most robust anti-analysis native libraries we've seen in the *Android* ecosystem. I will discuss each of the techniques the malware authors used in order to prevent reverse engineering of their *Android* native library, including manipulating the Java Native Interface, encryption, run-time environment checks, and more. This talk discusses the steps and the process required to proceed through the anti-analysis traps and expose what they're trying to hide.

Presenters:

  • Maddie Stone - Google
    Maddie Stone is a reverse engineer on Google's Android Security team where she reverses all the bytes to keep malware off the phones of Android users. She has also spent many years deep in the circuitry and firmware of embedded devices including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavours of Renesas (SH2, SH4, R8C, M16C), and more. Maddie is the creator of the IDAPython Embedded Toolkit. She has previously spoken at international security conferences including REcon Montreal, OffensiveCon, Black Hat USA, and DerbyCon. Maddie has a Bachelor's degree in computer science and Russian language and a Master's degree in computer science, all from Johns Hopkins University. @maddiestone
