[Hacktivity 2014] Android Packers: Separating from the Pack

Talk on Android Packers presented at Hacktivity 2014
Slides for the presentation can be found here: AndroidPackers_Hacktivity.pdf

In the context of Android applications, packers were introduced with the intention of protecting legitimate applications from modification and tampering. The flipside of the coin is that the same functionality can be used by malware authors to their advantage, making reverse engineering of malware difficult for the analyst.
The packers discussed in this talk - Bangcle and ApkProtect - rely on encrypted code in DEX files that the application decrypts and loads at runtime using native code in shared libraries. This method, along with the anti-debugging tricks employed, renders static analysis largely ineffective and makes dynamic analysis tricky.
The talk chronicles my (mis)adventures with reverse engineering applications packed using these packers. It ends with an assessment of the extent of packed malware in the wild and the implications this could have for AV vendors.
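One defensive triage heuristic that follows from the loading mechanism described above, written as an added example rather than code from the talk or from either packer: an APK whose classes.dex is tiny while it ships native libraries and high-entropy assets is a candidate for runtime unpacking. The size and entropy thresholds, and the sample file names, are assumptions chosen for illustration.

```python
"""Heuristic packer triage for an APK. Thresholds are assumptions, not
values taken from the talk; the sample APK below is constructed."""
import io
import math
import os
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, max_dex_bytes: int = 64 * 1024,
               min_entropy: float = 7.5) -> dict:
    """Flag a small stub DEX paired with native code and opaque assets."""
    has_native = False
    dex_size = 0
    high_entropy_assets = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                has_native = True
            elif name == "classes.dex":
                dex_size = info.file_size
            elif name.startswith("assets/"):
                if shannon_entropy(zf.read(name)) >= min_entropy:
                    high_entropy_assets.append(name)
    suspicious = (has_native and 0 < dex_size <= max_dex_bytes
                  and bool(high_entropy_assets))
    return {"has_native": has_native, "dex_size": dex_size,
            "high_entropy_assets": high_entropy_assets,
            "suspicious": suspicious}


def build_sample_apk() -> bytes:
    """Constructed APK-like zip: tiny stub DEX, native lib, random blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 2048)
        zf.writestr("lib/armeabi/libstub.so", b"\x7fELF" + b"\0" * 256)
        zf.writestr("assets/payload.bin", os.urandom(8192))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A hit from this heuristic is a reason to move to dynamic analysis, as the talk does, not a verdict on its own.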