
Live reverse engineering of Android malware

BSides Oslo · 2021 · 26:11 · 216 views · Published 2021-12
Category: Technical
Style: Demo
About this talk
Have you ever wanted to see how Android malware works? How it is implemented? Which tools to use? This session is for you! Nearly no slides, but the live reverse engineering of a recent Android malware sample. BSides Oslo is an independent, community-driven, inclusive information security conference. As part of the global Security BSides network, the conference creates a space for members of the information security community to come together and share their knowledge and experiences. BSides Oslo is intended for anyone working with, studying, or interested in security.
Transcript [en]

Hello and welcome to this talk, which is going to be a live reverse engineering of Android malware. My name is Axelle Apvrille. I work for Fortinet as a security researcher; there I'm focusing mainly on mobile malware and malware for the Internet of Things. Besides that, I'm the lead organizer of Ph0wn CTF, which is a capture-the-flag which is located in the south of France. If you happen to be there, you are welcome to be there, and the CTF is also dedicated to smart devices, so this is going to be again mobile devices and Internet of Things. So actually I only have this slide; this is the sample we are going to reverse now.

This is really fully live, except that it's my second recording, because the first was just total crap: it crashed in the middle. Well, whatever. But this sample is live; I think it's from yesterday or something like that, so it's going to be really fresh for you when you see this. I was thinking of doing some other sample before, but I thought, oh come on, I want something spicy, something really, really fresh, so let's go and get this one. The tools I'm going to use are MobSF, this one there; maybe not Excalibur this time, but another time; anyway, it's a very good

tool, so have a look at it. And this is my own tool, so of course very good: DroidLysis. It also might be useful to have a look into these, so go and have a look at those URLs, download the applications and try to use them, because they're really helpful for reverse engineering. Then of course there is the contact information. If you want to contact me, you can use the old-fashioned email way; this works perfectly well as long as you don't make any typo in my last name, okay. Otherwise, of course, you can resort to Twitter and send me a message there, and I'll be very happy to answer

if I can. So let's now go on to the reverse engineering. So this is the sample; I'm just checking the hash for you, there it is, and I'm going to use it in MobSF. MobSF has been launched already on my platform, and it is there. We select the APK, upload it and analyze it. What I really like there is that I don't have to go and share my sample with an external website. That's great, in case, you know, there might be some risks with sending it over, or some corporate security rules; everything here stays local on my laptop, which is something which is really interesting. So the web user interface is

absolutely beautiful; I really like that. Of course, what we are interested in is that it helps you and me reverse the sample in the correct way. So here I see the package name: tech, sorry, teach report crane. It's always interesting to keep this in mind. Security score 5 out of 100; yeah, this is probably crap, because anyway this is a malicious sample, and the security score, well, I don't know if it should be high or low. But perhaps we would expect more detections; trackers as well. The signer certificate: we see it's reusing one of the standard Android certificates. It's using the v1 scheme, okay, this is the

old scheme; now we have the better one, so it's insecure, the app is vulnerable, but we don't care if it's a malware, right? The permissions: I really, most of the time, don't care; have a look at that. When I'm doing malware analysis, I don't find this interesting. Now, Android API: so it's doing base64 encoding, okay, but actually this is done in third-party SDKs. Flurry is for app ads, I think; same, Amazon. Well, you know, Flurry, there we go, so this is not really the core of the application; same for that. I'm scrolling down. Oh, dynamic class dex loading. Oh, this is interesting, because dex loading: dex are Dalvik executables on Android, so it

means that we probably have the potential for loading the dex dynamically. Okay, so where is it doing that? Well, you can just click there and it will tell you where, and actually it highlights the name of DexClassLoader, which is the class which is used to do this dynamic loading. And now let's have a look at where this is used. Oh, it is used in here. Now, when I see this, we see that this is junk code; okay, it's just a computation, but it's not used afterwards. We see that the DexClassLoader instance is constructed in here. Okay, interesting. So the first argument of a DexClassLoader, I know that it is the path to the

file which holds the dex executable. So this is interesting for us, because if I get that path, then I can get the Dalvik executable which is loaded, and that's the payload, okay, and then we can analyze that. This means that this sample very probably, well, it is packed, and probably there's nothing interesting in this APK apart from the fact that it is unpacking this dex. So now what we want to do, what we want to go quickly at finding, is how we can find this payload. Now, I'm a little bit helped here, because I have already dealt with something which is very similar, in a sample like two or three months ago, so it resembles

so much what I have already seen; I know what it's going to look like afterwards, and also the fact that, well, it's the second edition of this recording, right? So I'm going to use JEB here, because in here it's, you know, just a web API; I can't have a look at the cross-references, so it's not really cool for that. I'm going to load the sample; it's this one, okay.

It tells me the APK is big. Okay, there it is, and now it was in class mneq, so I can try and find that one, mneq, and I'm going to try and find it. There it is, and teach report crane, this is correct. I'm going to decompile it by hitting the Tab button in JEB; JEB is the decompiler I use here, okay. And it opens this pane over there; I'm going to make this one a little bit bigger, come on.

Okay, and here I'm going to search for DexClassLoader, and there it is. So we said that this one is the dex path, so now I'm going to work my way up the call stack to see where I can read the value of this dex path and find what is the path for that dex I am interested in. So, cross-references: you hit the X button, okay. So here, dex path; I'm going to do this a little bit quickly; this is the second argument over here.

And here you see that it's no longer part of the argument, so it means that it is valued inside the method. So this is the first occurrence, so we can have a look in this one and see if it is constructing the value. So this is junk code; we look inside there, and we've got lots of junk code yet again, except here, where it deals with a path, so it's interesting. We go here; junk code; and this is constructing a file, so yeah, this is probably the path and probably the file name. So the file name over here, there it is; it's this one, wu.json, okay, we've got that.

Now, actually, we could have done this with MobSF, okay. So we can switch to the dynamic analyzer and run it, and then we'll see actually this file name. So here, what is really nice with MobSF is that I've got an emulator; it is automatically installing my application in the emulator and installing Frida tools, so this is really nice stuff. And then you've got this interface, so on a small screen this is horrible, and even on a big screen you really need a really big screen there, okay. So we'll have to work this out. So, however, I'm not interested in SSL

pinning, so I can keep those, but it's not really interesting. I can load hooks in here and actually type in and put my own Frida hooks in there, so this is good. I'm going to actually start instrumentation, and when I start instrumentation it tells me instrumentation successful. And also what I really like to have a look at is the live API monitor, and now things are going to pile into there, and this is cool, because you see we get the arguments for each function, so base64 and, well, we get the input arguments. It would have been even nicer to get the output arguments, but now, well, we're going to have a look at where it uses DexClassLoader, and look at

this: we had, sorry, is it Shift? There we have the name of the JSON file with the complete path over there, /data/user/0/tech et cetera. So we're going to grab that. So it's running in the emulator: adb shell, /data/data, and we said the name of the app is that; it was in dynamic opt x, it's this one. So I'm going to copy that someplace where I can grab it easily outside of the emulator, let's say on the SD card. I exit, and adb pull /sdcard/wu.json, and grab that. Now, if I do this, it tells me it is indeed a Dalvik executable. Cool. Actually, I'm going to put this in JEB

to do some reverse engineering of the payload, because all the interesting stuff, right, is in this Dalvik executable. Of course, JEB doesn't, most of the time, or maybe it's only with a prior version, doesn't like it when the name is not ending with .dex, so I'm going to rename it and put it someplace I can access it with JEB. There we go.

And now I'm going to close this, and this is my dex; I could save it, but there we go, and we're going to analyze that. Meanwhile, actually, I don't know that much about that dex, so I'm going to use actually my tool, DroidLysis, to get a first overview of what this dex is doing. So, the input file, and the output is just the directory where I will put all the reports, on the laptop, because, as you can see, well, you know, we get loads of classes; where should we start? It's a little bit difficult at first to know. So it's processing; it's a bit slow there, because I have MobSF which is

running; I've got lots of things. I'm going to stop this for now, okay. By the way, I'm not analyzing the dex with MobSF, because, well, it only supports APKs, but not direct analysis of dex files. So this is the output of DroidLysis. So those are very long, lengthy strings, but here this is interesting: we see the features that are exposed. It obviously tries to abuse, probably, accessibility services; that's one of the things actually this malware is doing, so this is an important part there. So we're going to try and find which class is actually dealing with accessibility services, and for that we can have a look in the report.

So the report, the details of the report, is called details.md, and I'm simply going to grep something like "accessibility" in details and see where that happens. And we see that it happens very often, in, well, plenty of classes, but for instance the acquire alert c, opinion, sorry, opinion acquire alert c, and we can have a look in here. So I said opinion,

opinion, acquire alert, and now I need to expand class c; those are sub-paths, and there it is. I can decompile that one.

My laptop is heating up, okay. So this is the class, and you indeed see that there are plenty of references with accessibility events here and there, okay. And for instance, this one is dealing with accessibility events and things like that, and you can see quite obviously that there are obfuscated strings. Now let's try and de-obfuscate those strings to make sense out of those. So this is an obfuscated string, and this is the de-obfuscate, and we see it performs base64 decoding; then this

Oh, this is just a string to byte array conversion; not interesting.

This, oh, this calls this one, which is there, and this is decryption, okay. So I'm going to call this "decrypt", and to be nice I'm going to call this one slightly differently, "do_decrypt". And oh, so this is the ciphertext, this is the result, so this is the plaintext. We see it is doing some XOR with this table in there, which is, it's over here.

This is swapping things.

So anyway, where is it constructed? It is constructed from here, from the constructor. So basically we can say that this is more or less kind of a key, and this is something that prepares the key, and in here the key, well, the key has to be in the constructor, so it's going to be this one. The key: we're going to rename it "key". Here it is.

So the key is here; where is that value? Oh, this is the value of the key. Cool, okay. So it is basically doing base64 decoding and then applying a specific handmade algorithm to decrypt the obfuscated string. It turns out that, as I have already analyzed the sample, like, well, not this precise sample but another similar sample three months ago, I do have a script to do the de-obfuscation. So we're going to load that and decrypt, for instance, this string. Oops.

File, Scripts, Script selector, and, well, my script is no longer there, so I'm going to create one.

And I have stored the script somewhere; I don't want to do this one again, okay, because it's kind of quite lengthy to do this one. It's this one, yeah; it's not very complicated, but still you've got to do it, and I've customized and set the right key in here, okay. So I'm going to copy all of this in JEB,

remove what is after "save", and execute that.

Close, and I can close this one, and we see that the obfuscated string decrypts to com.google.android.permissioncontroller, okay. And if we take this one, for instance,

Ctrl+F2, well, this one decrypts to, for clicks, com.android.packageinstaller, and things like that. So, well, my time is nearly up, but basically we know that this is kind of in accessibility services. What are accessibility services used for? Well, basically, to have the end user click where he or she wouldn't want to click, and as a matter of fact, well, the strings here de-obfuscate to something about permission control, so probably it is trying to get you to automatically accept the given permission for the application and then do nasty things based on that, okay. That's probably what it is doing. So you've got all the basis here for

your reverse engineering. We learned how to see the packing, how to unpack, either with MobSF, or you can just go and fetch it directly inside the Android emulator, and then, well, we learned to see what kind of things it could be doing with the accessibility services, and to de-obfuscate strings with a JEB script, okay. So with all this, you've done most of the most difficult parts of your reverse engineering. Now, if you really want to know exactly what this sample is doing, you've got to follow exactly all the strings and see exactly what it is doing everywhere, but obviously it's going to ask, well, have

you click and accept some permissions, doing it automatically, and then it will abuse and use those permissions to do something more. I hope you enjoyed it, and if you have any questions, of course, I'm online for you to answer. Thank you.
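The string de-obfuscation workflow from the talk, as an added Python example that is not the speaker's JEB script and not code from the sample: it models base64 decoding followed by an XOR against an assumed repeating key (the sample's hand-made routine also swaps bytes around a key table, which is not reproduced here, and the key value is a placeholder), and adds the DEX magic check that confirms a pulled payload really is a Dalvik executable. The obfuscated inputs are constructed from the two plaintexts seen in the talk.

```python
import base64

# Placeholder standing in for the key bytes the sample builds in its constructor.
ASSUMED_KEY = b"placeholder-key"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key byte at the same index modulo the key length."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(obfuscated: str, key: bytes = ASSUMED_KEY) -> str:
    """Stage 1: strict base64 decode. Stage 2: XOR with the key (assumed scheme)."""
    raw = base64.b64decode(obfuscated, validate=True)
    return xor_with_key(raw, key).decode("utf-8")


def obfuscate_string(plain: str, key: bytes = ASSUMED_KEY) -> str:
    """Inverse of decrypt_string; only used here to build constructed test inputs."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key)).decode("ascii")


def decrypt_all(literals, key: bytes = ASSUMED_KEY) -> dict:
    """Decrypt every literal; a non-base64 or non-UTF-8 result is recorded as None
    instead of aborting the run, so one junk string does not hide the others."""
    out = {}
    for lit in literals:
        try:
            out[lit] = decrypt_string(lit, key)
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            out[lit] = None
    return out


def is_dex(blob: bytes) -> bool:
    """True if the file starts with the DEX header magic: b"dex\\n" + 3 ASCII
    digits (format version, e.g. 035) + a NUL byte; what `file` reports as Dalvik."""
    return (len(blob) >= 8 and blob[:4] == b"dex\n"
            and blob[4:7].isdigit() and blob[7:8] == b"\x00")


if __name__ == "__main__":
    # Constructed sample literals (re-obfuscated with the placeholder key).
    samples = [obfuscate_string("com.google.android.permissioncontroller"),
               obfuscate_string("com.android.packageinstaller"),
               "not base64!!"]
    for lit, plain in decrypt_all(samples).items():
        print(f"{lit!r} -> {plain!r}")
    print("dex header ok:", is_dex(b"dex\n035\x00" + bytes(100)))
```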
