Reverse Engineering of Android Malware

Trainer Name: Axelle Apvrille

Title: Reverse Engineering of Android Malware

Duration: 3 Days

Dates: Sept. 27, 2021 To Sept. 29, 2021

Time: 12:30 p.m. To 4:30 p.m.


Training objective

Participants learn how to analyze Android malware.
The majority of sessions consist of hands-on labs, with exercises on recent Android samples we caught. We focus on **typical questions for malware analysts**:

  • How to reverse malware safely?
  • How to find out, as quickly as possible, if a given sample is malicious or not?
  • How to locate the remote CnC?
  • How to deal with obfuscated classes, strings, and junk code?
  • How to unpack malware without pain? ;)

Participants learn to use well-known tools such as Apktool / Smali / Baksmali / JADX. Yet, one of **the original features of this training is the introduction to "modern" advanced tools such as Dexcalibur, House or Quark**.

Training level: Intermediate

Training preview
https://mega.nz/file/adwnVKRD#aUFvPEPnqWDNtG4LpSwSnNiVGpV7afT4g0Flfd1yf3A

Training outline

Day 1: Reverse engineering of Android Malware - Getting started

  • Introduction / Welcome
  • Android malware trends
  • Contents of an Android application: manifest, assets, native libraries
  • Presentation of Reverse Engineering tools
  • Setup of tools. A dedicated Docker container is provided to attendees
  • Several labs: disassembling an app and patching it, using Smalisca, Quark, and MobSF

Day 2: Dynamic load and obfuscation

  • Dynamically loaded classes
  • Unpacking malware with Dexcalibur, House, MobSF
  • Decrypting obfuscated strings with Frida
  • Implementing a JEB script
  • Malware abusing Accessibility Services
  • Anti-debug/VM tricks and solutions based
  • Detection with APKiD
  • Nearly 100% labs!

Day 3: Network activity and native libraries

  • Locating the CnC of a malware sample
  • Reversing the contents of an obfuscated HTTP POST
  • Re-activating debug messages with a Frida hook
  • Dealing with native libraries
  • Training exam
  • Conclusion
  • Nearly 100% labs!

(the outline may vary a little - for instance, depending on what the audience wishes!)

What to bring
Please install the following on your laptop and ensure you have a few GB of disk space left.

  • Docker and docker-compose: https://docs.docker.com
  • Training's container: `docker pull cryptax/android-re:latest`
  • SSH, SCP and/or VNC client
  • Recent Java Development Kit (JDK)
  • Android Studio: https://developer.android.com/studio/
  • Python 3.x
  • A programming environment (IDE & build tools), e.g. Emacs, Sublime, make...
  • Discord

Training prerequisites

  • Be at ease in a **Unix** environment
  • Be *autonomous to install* development or reverse engineering software on your host: make, git...
  • Prior experience in **programming**. You need to understand **Java** code. You will also have to write some code in **Python** and **JavaScript**, but only *a few lines* of code.
  • Experience in **cybersecurity**: malware, trojans, CnC...
  • Know how to download and run **Docker** containers
  • Prior experience with **disassembly** is definitely a plus.

Who should attend?

  • Malware analysts
  • Security researchers
  • Android developers


What to expect?
At the end of this training, you will be able to reverse Android malware on your own.

What attendees will get

  • Training **slides**
  • A **training manual**, with all lab exercises and solutions, and additional homework
  • A **Docker container** specialized for Android Reverse Engineering
  • **Online discussion** with the trainer and other participants

What not to expect?

  • Do not expect to learn about Android OS internals, how it is designed etc. Although this is very interesting, it is off-topic...
  • Do not expect to patch your favorite game. This training focuses on Malware, not legitimate apps.
  • Do not expect to be able to sit back, watch and listen to (and get bored by?) too many slides. This training is mostly hands-on. This also means that *if you do not try to do the exercises*, you won't learn anything...

About the Trainer

Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called 'smart' devices (smartphones, IoT). She is a frequent speaker at several conferences (Virus Bulletin, Insomnihack...), and has also given several workshops (Hack.lu, NorthSec...).

She is also the lead organizer of Ph0wn CTF, a CTF located in France and dedicated to security challenges on IoT.