[Virus Bulletin 2021] Reverse Android malware like a Jedi Master

Every Jedi padawan will have reversed Android malware using Apktool, Baksmali and a disassembler. The more experienced among you have written automated plugins or scripts (for Radare, JEB) or implemented hooks using Frida. All those tools are excellent, and they are useful to everyone - padawans and masters alike.


But we also have a few newcomers like Dexcalibur, House, Quark and MobSF. How useful are they? Let's see how well they perform on a few malicious samples from 2020/2021.


In this presentation, I explain how to use and customize those tools for malware analysis. I highlight what they are good for, and their limitations.


For example:


- Dexcalibur and House are similar: they help researchers write Frida hooks. We can unpack Android/Alien in a few clicks with them! Or reveal obfuscated strings. Or bypass the anti-debug features of Android/Ghimob.

- However, it is currently difficult to hook functions inside a dynamically loaded DEX. This is an issue for packed samples, where the malicious payload lives precisely in that DEX.

- House helps you monitor the HTTP requests the sample makes. But, honestly, Wireshark does as well. What House adds is the ability to decrypt posted data (example with Android/EventBot).

- Quark and MobSF are useful for getting an overview of samples. We customize Quark to detect socket creation by Android/Sandr, and use MobSF to locate where the malware sends SMS messages.


Disclaimer: I am not the author of those tools, but I have used them frequently. So, this presentation provides unbiased (if perhaps incomplete) feedback from an anti-virus analyst's perspective.
