About a month or two ago, someone asked me to analyze some obfuscated Android malware. Recently, I finally had a chance to take a look. I ended up using dex-oracle along with some tricks to partially deobfuscate it. In this post, I’m going to explain the tricks and the overall process I used. This post will be useful if you deal with a lot of obfuscated Android apps.

The main problem was dex-oracle didn’t work “out of the box”. It took some “hacking” to make it work. Specifically, I modified an existing deobfuscation plugin to create two new plugins as well as slightly modify the app. It’s really hard to make completely generalized deobfuscation tools, or any kind of advanced tool, so you’ll need to know how it works in order to modify it to suit your needs.

Read More

This gif perfectly describe me attempting to connect debuggers to a kext using all the “simple” instructions on the internet.

Recently I had far too much time on my hands and a Kext binary which seemed to pique my interest. After spending a bit of time analyzing the binary in IDA Pro, I wanted to prove out some theories I had by debugging it. A while back I had set up MacOS to be running as a QEMU/KVM machine - though I no longer had access to the hardware that I set this up on. The purpose of the previous use case was to have lots of instances up (fuzzing) as opposed to in depth debugging, and I had never actually wondered about debugging the kernel. Anyhoo - I decided to revisit setting up a virtualized instance of MacOS and decided to go the VMWare Fusion route. I had a license on the computer I had in front of me, wanted to continually do snapshots, and just assumed it would be easy to get it working locally. Well, I was sort of right?

Read More

Table of Contents

• Soapbox Prelude
• The Story
• Analysis
  • APK Content
  • Signing Certificate
  • Android Manifest
  • String Encryption
  • Decrypting the Strings
• Features Overview
  • Data Exfiltration
• Is it HackingTeam?
• Conclusion
• Appendix
  • Yara Rule
  • Samples
  • Captured C2 Interactions
    • RequestActionsToExecute - Request
    • RequestActionsToExecute - Response
    • AckRequestedActions - Request
    • AckRequestedActions - Response
    • UploadService - Request (data exfiltration)
    • UploadService - Response
    • NotifyLog - Request
    • NotifyLog - Response
    • Decrypted String Dump

Soapbox Prelude

The past few years have been interesting in terms of surveillance and nation state purchased malware. Gamma Team (FinFisher) got owned, followed by Hacking Team having all the source code for their implants being posted on GitHub. Just this year, Hacking Team lost their global license to sell spyware. I’m unsure how this really would affect their business. The linked article explains the situation better than I ever could. To quote the article, it means:

Hacking Team will have to apply for an individual [export] license for each country. It will then be up to the Italian authorities to approve or deny any requests.

Maybe someone can shed light on what this actually means? Does that mean that a license must be acquired for the country in which the implant is being deployed or does it mean the license must exist for the country which the buying entity exists? Regardless, it would seem that recently the Hacking Team has had their global license reinstated. So, in theory none of this matters… Or does it?

Read More

GO binaries are weird, or at least, that is where this all started out. While delving into some Linux malware named Rex, I came to the realization that I might need to understand more than I wanted to. Just the prior week I had been reversing Linux Lady which was also written in GO, however it was not a stripped binary so it was pretty easy. Clearly the binary was rather large, many extra methods I didn’t care about - though I really just didn’t understand why. To be honest - I still haven’t fully dug into the Golang code and have yet to really write much code in Go, so take this information at face value as some of it might be incorrect; this is just my experience while reversing some ELF Go binaries! If you don’t want to read the whole page, or scroll to the bottom to get a link to the full repo, just go here.

Read More

Android apps are much easier to modify than those of traditional desktop operating systems like Windows or Linux, and there’s primarily only one way to modify Android apps after they have been compiled from source: dexlib. Even if you’re actually using Apktool or Smali, they are both using dexlib under the hood. Actually, Apktool uses Smali, and Smali and dexlib are part of the same project.

Why is this important? Any app which has had malware injected into it or has been cracked or pirated will have probably been disassembled and recompiled by dexlib. Also, there are very few reasons why a developer with access to the source code would use dexlib. Therefore, you know an app has been modified by dexlib, it’s probably interesting to you if you’re worried about malware or app piracy. This is where APKiD comes in. In addition to detecting packers, obfuscators, and other weird stuff, it can also identify if an app was compiled by the standard Android compilers or dexlib.

Read More

We recently gave a presentation at HITCON 2016 called Android Compiler Fingerprinting
where in we released a tool called: APKiD. It’s basically PEiD for Android – it detects several compilers, obfuscators, and packers and we’re adding to it whenever we find new stuff. You’re welcome to submit your rules also.

Read More