Research Centre

[VB 2017] Android Reverse Engineering tools: Not the Usual Suspects

Presented at Virus Bulletin conference, October 5, Madrid, Spain.


In the Android security field, anti-virus analysts and security researchers have probably all used some of the well-known tools such as apktool, smali, baksmali, dex2jar, and perhaps androguard. These tools are indeed must-haves for Android malware analysis. However, there are other interesting tools, which are seldom covered in conferences, and that's what this talk is about.

We will cover advanced tips and tricks for Android malware analysts and how to cope with specific situations such as those described below:

  • Android emulators often need to be shared with co-workers who typically need to test a given malicious sample but don't have the time to set up the entire Android environment. A docker image is an excellent workaround. However, there are a few tricks to write the image. The talk explains how.
  • JEB is a professional Android application decompiler. Many people in the VB audience will have used it, but what about JEB scripts? Similar to IDA plug-ins for disassembly, JEB scripts are powerful, but difficult to write. There is API documentation and a few examples, but no real tutorial or starting point. The talk explains how to write a string de-obfuscation routine, used for Android/Ztorg samples. (Note: I am not affiliated with PNF Software, the makers of JEB - this is independent advice.)
  • Debugging. Malware analysts all dream of running malware step by step to understand what it does. There are tools to do so: JEB (again) and also CodeInspect. We'll demonstrate, for instance, on Riskware/InnerSnail and decide if the dream can be a reality or not.
  • HTTPS. More and more Android applications use TLS to secure their communication flows. It is then more difficult for analysts to make sense of it. The solution is man-in-the-middle, and we explain how to set it up for Android smartphones.
  • Radare2 is a command-line reverse engineering framework. It supports many architectures, including Dalvik. We'll show how to use it on a malicious sample, and in particular how to find method or field cross references.

References