[VB 2017] Android Reverse Engineering tools: Not the Usual Suspects
Presented at Virus Bulletin conference, October 5, Madrid, Spain.
Videos of demos
In the Android security field, anti-virus analysts and security researchers have probably all used some of the well-known tools such as apktool, smali, baksmali, dex2jar, and perhaps androguard. These tools are indeed must-haves for Android malware analysis. However, there are other interesting tools, which are seldom covered in conferences, and that's what this talk is about.
We will cover advanced tips and tricks for Android malware analysts and how to cope with specific situations such as those described below:
Android emulators often need to be shared with co-workers
who typically need to test a given malicious sample but don't have the
time to set up the entire Android environment. A docker image
is an excellent workaround. However, there are a few tricks to write the
image. The talk explains how.
- JEB is a professional Android application decompiler. Many people in the VB audience will have used it, but what about JEB scripts? Similar to IDA
plug-ins for disassembly, JEB scripts are powerful, but difficult to
write. There is API documentation and a few examples, but no real
tutorial or starting point. The talk explains how to write a string
de-obfuscation routine, used for Android/Ztorg samples. (Note: I am not affiliated with PNF Software, the makers of JEB - this is independent advice.)
- Debugging. Malware analysts all dream of running malware step by step to understand what it does. There are tools to do so: JEB (again) and also CodeInspect. We'll demonstrate, for instance, on Riskware/InnerSnail and decide if the dream can be a reality or not.
- HTTPS. More and more Android applications use TLS to secure
their communication flows. It is then more difficult for analysts to
make sense of it. The solution is man-in-the-middle, and we explain how
to set it up for Android smartphones.
- Radare2 is a command-line reverse engineering framework. It supports many architectures, including Dalvik. We'll show how to use it on a malicious sample, and in particular how to find method or field cross references.