Research Centre

[Area41 2014] Android Packers: Separating from the Pack

Presented at Area41
Slides can be found here : Area41Public.pdf


Android malware has been around for a while now and is significant enough to bypass the "Is Android malware really an issue?" introduction to this abstract. 2014 saw the introduction of the first packer for Android applications. Android packers were introduced for DRM and with the intention of providing protection for legitimate applications from modifications and tampering. The flipside of the coin is that the same functionality can be used by malware authors to their advantage, making reverse engineering of malware more difficult for the analyst.
The packers discussed in this talk - Bangcle and ApkProtect - rely on encrypted code in DEX files that the application loads using native code in shared libraries during runtime. This method renders static analysis pretty much ineffective. In addition, anti-debugging tricks employed by them make dynamic analysis tricky as well.
The talk chronicles my (mis)adventures with reverse engineering applications packed using these packers. It ends with an assessment of the extent of packed malware in the wild and the implications this could have for AV vendors.

References