## Abstract

In this workshop, you will learn how to analyze Android malware and understand what it does. The workshop consists mostly of hands-on lab sessions, with demos and many exercises on real, recent Android malware. Of course, you also learn how to handle those samples safely ;-)

#### Malware samples covered during the training

* Android/Alien
* Android/Bread (Joker)
* Android/EventBot
* Android/Ghimob
* Android/SpyNote
* Android/Sandr (Sandro RAT)

## Agenda

#### Session 1: Android background and first steps

* Introduction / Welcome
* Android malware trends
* Google Play Protect
* Contents of an Android application: manifest, assets, native libraries...
* Certificates and application signature
* Presentation of reverse engineering tools
* Setup of tools. A dedicated Docker container is provided to attendees
* 3 labs: compiling an Android app, disassembling it and patching it

#### Session 2: Reverse engineering of Android malware

* Demo of reverse engineering Android/SpyNote
* Exercises on other samples
* Using Quark Engine to spot malicious behaviour
* Writing custom rules for Quark Engine
* Using MobSF for an overview and quick analysis of a sample

#### Session 3: Dynamic loading and obfuscation

* Dynamically loaded classes
* Unpacking packed malware with Dexcalibur
* Decrypting obfuscated strings with Frida

#### Session 4: Advanced reverse engineering

* De-obfuscation like a pro
* Using House
* Implementing a JEB script
* Malware abusing Accessibility Services
* Anti-debug/VM tricks and solutions based
* Detection with APKiD
* Modifying default Dexcalibur hooks
* ssdeep and dexofuzzy to find similar samples

#### Session 5: Malicious network activity

* Locating the CnC of a malware sample
* Reversing the contents of an obfuscated HTTP POST
* Searching through classes with Smalisca
* Re-activating debug messages with a Frida hook
* Dealing with native libraries

#### Tools used during the training

* Androguard
* Android Studio
* APKiD
* Apksigner
* APKTool
* Baksmali / Smali
* Dexcalibur
* Frida
* House
* JADX
* JD-GUI
* JEB
* MobSF
* Quark
* Smalisca
* Pithus

## Required skills

* Familiarity with Unix command-line tools
* Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
* Ability to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
* OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory for the training, but it will help.

## System requirements

* A working laptop capable of running virtual machines
* 15 GB of free hard disk space
* Docker and docker-compose: https://docs.docker.com
* Training container: `docker pull cryptax/android-re:latest`
* SSH, SCP and/or VNC client
* Recent Java Development Kit (JDK)
* Android Studio: https://developer.android.com/studio/
* Python 3.x
* A programming environment of your choice - Vim, Emacs, Sublime, etc.
* A build environment
* Discord
