AppSec California 2018

Abstract: 
Android malware authors may enforce one or a combination of protection techniques like obfuscators, packers and protectors. This additional step just before publishing the app adds complexity for Android Bouncers and various static, and dynamic code analysis tools. Along with these protection techniques a combination of features such as emulation detection, anti debugging, root detection, tampering detection, anti runtime injection enables malicious application practically makes malicious app go undetected. As a result we have seen a steady increase in the malicious apps published in various Android app stores. ZDNet reported around 1000 spyware mobile apps are published in the official Google Play Store this year alone. These apps may have the capability to monitor almost every action on an infected device. Actions such as taking photos, recording calls, monitoring information about Wi-Fi access point and inspecting user’s web traffic. 
We will focus on all three commonly used Apk protection techniques and how they operate under the hood. For obfuscation, we will demo a tool designed to remove switch case injection, dead code injection, and string encryption and get a readable code. In case of packer talk will showcase avenues to unpack the packer by first finding the algorithm, hooking into libc before packer opens DEX file, dumping DEX from memory. Protectors such as DexProtector mangles code by modifying entry point to loader stub and perform anti-emulation, anti-debug and anti-tampering checks. Protector are easy to patch, one can by attaching cloned process or dump odex and get readable code. By adding these techniques an ethical hacker or Android bouncer can identify many a malicious application published in app store.