Recently, I ran into a malicious sample (Android/Mseg.A!tr.spy) which was causing Baksmali to stall. This does not happen that often. I contacted Jesus Freke, the author of smali/baksmali, who quickly fixed the issue. A deeper look into the sample turned out to be quite interesting. The sample is highly obfuscated (perhaps actually a bit too much - we'll discuss that later), with very long and strange class and method names. For instance, we note a class named "AFHttpPacket;>" (yes, the ; and > are part of the name) in a no less strange namespace: "java/util/concurrent/BlockingQueue<Lcom/adfresca/sdk/packet"... [Read More]
by Axelle Apvrille  |  Dec 16, 2013  |  Filed in: Security Research
I am back from Hashdays. For the (very) unfortunate ones ;) who missed my talk, you can download my slides from here, and also view my demo there. In short, I think the key topics of my talk were: an Androguard-based script to disassemble DEX files at any offset; dexrehash, a tool to re-checksum and re-hash hacked DEX files; and hooking system properties to evade Android emulator detection, and why you can't hook all properties at a single spot. Next time, don't skip my talk :D --... [Read More]
by Axelle Apvrille  |  Nov 05, 2012  |  Filed in: Security Research
Some time ago, I analyzed two similar samples of Android/Smsilence.A!tr.spy, a fake Vertu application that spies on its victim. One of the samples was targeting a Japanese audience, while the other sample was for Korean end-users. I was interested in finding their similarities (and differences). At (decompiled) source code level, I identified for instance a similarity: both samples check incoming SMS messages and download another payload if the message body contains the keyword 113, or delete it if the SMS comes from 1588366. See below, identical... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research