A few days ago, I was happy to go to Insomni'Hack. I presented some updates on how to detect hidden methods in Dalvik Executable files. But it's not my talk I want to discuss in this post, but Ange Albertini's "Angecryption". With Angecryption, you can basically encrypt anything into whatever you want (there are a few restrictions on input and output formats, but it's the general idea). Basically, Ange Albertini wrote a (Python) script to which you provide the input you wish, the output you wish and the key you wish. The script manipulates the...
by Axelle Apvrille  |  Mar 31, 2014  |  Filed in: Security Research
This post is the second in a three-part series. Click here for Part 1 and here for Part 3. Many Android talks on the 2nd day of VB2013! Actually, the importance of mobile threats is something everybody has observed here, and Helen Martin even opened the conference by mentioning the fact. What a difference compared to conferences 2 or 3 years ago! Rowland Yu - GinMaster: a case study in Android malware. In America or Europe, people often tend to think that malware is only "important" if found in Google Play. Rowland however stated an important...
by Axelle Apvrille  |  Oct 11, 2013  |  Filed in: Security Research
Tim Strazzere's Android CrackMe. It's Android challenge time, and Tim Strazzere provided an interesting Android CrackMe at BlackHat. As he agreed to my posting about it, here's my spoiler/solution below. The package is named droid-with-a-big-ego.apk, and APKTool and Baksmali have difficulties processing it:
I: Baksmaling...
Exception in thread "main" org.jf.dexlib.Util.ExceptionWithContext: The header size is not the expected value (0x70)
at org.jf.dexlib.Util.ExceptionWithContext.withContext(ExceptionWithContext.java:54)
I worked around...
by Axelle Apvrille  |  Aug 23, 2012  |  Filed in: Security Research
Some time ago, I analyzed two similar samples of Android/Smsilence.A!tr.spy, a fake Vertu application that spies on its victim. One of the samples was targeting a Japanese audience, while the other sample was for Korean end-users. I was interested in finding their similarities (and differences). At (decompiled) source code level, I identified for instance a similarity: both samples check incoming SMS messages and download another payload if the message body contains the keyword 113, or delete the message if the SMS comes from 1588366. See below, identical...
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
DexLabs' @thuxnder has recently posted a challenge for Android which is interesting both as a challenge and as a PoC, because it shows how to fool Dex disassemblers. Basically, his strategy consists of using an opaque branch condition (one that is in reality always true) to jump over the next instruction, which is a fill-array-data-payload Dalvik instruction. Then, after the fill-array-data-payload, there are further Dalvik instructions. Most disassemblers disassemble one instruction after the other, and hence understand the final instructions as meaningless...
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities. Just like our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, intersections showing how many similar methods are implemented*. All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package**. Although the F variant intentionally piggybacks legitimate applications that use...
by Karine de Ponteves  |  Jun 01, 2012  |  Filed in: Security Research
Much like Ninja Turtles, DroidKungFu now comes in different flavours (5 so far), discovered by Pr. Xuxian Jiang (and research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you :) The similarities and differences between all 5 variants are depicted below. The various blocks represent each variant, and their intersection shows how many methods they share exactly*. All variants share the same malicious commands (CMD box). They can download and install new packages, start a program (called...
by Axelle Apvrille  |  Oct 26, 2011  |  Filed in: Security Research