Ever since the arrival of advanced persistent threats, obfuscation technologies have existed to help cybercriminals evade security detection and tracing. It's an ongoing evolution of technology on the bad guys' end. It really started with antivirus evasion, years ago. Today, we have about 500,000 virus samples coming into FortiGuard Labs every day. A lot of those are from the same virus family, but they're polymorphic, which means they use binary packers to shift the nature of the code every few seconds to try and...
by Derek Manky  |  Mar 21, 2016  |  Filed in: Industry Trends
If you have any interest in Android packers, or in how to reverse mobile malware that uses such packers, please don't miss Ruchna's upcoming talk at Hacktivity: "Android Packers: Separating from the Pack", 11 October 2014, 11:20-12:05. If you feel like reading on this topic beforehand, I suggest our joint paper in Virus Bulletin, "Obfuscation in Android malware and how to fight back" (July 2014), with tools and tips to reverse obfuscated samples, and Rowland Yu, "Android Packers: Facing the Challenges, Building the Solutions" at the Virus Bulletin Conference,...
by Axelle Apvrille  |  Oct 09, 2014  |  Filed in: Security Research
Recently, I ran into a malicious sample (Android/Mseg.A!tr.spy) which was causing Baksmali to stall. This does not happen that often. I contacted Jesus Freke, the author of smali/baksmali, who quickly fixed the issue. A deeper look at the sample turned out to be quite interesting. The sample is highly obfuscated (perhaps actually a bit too much; we'll discuss that later) with very long and strange class and method names. For instance, we note a class named "AFHttpPacket;>" (yes, the ; and > are part of the name) in a no less strange namespace: "java/util/concurrent/BlockingQueue<Lcom/adfresca/sdk/packet"...
by Axelle Apvrille  |  Dec 16, 2013  |  Filed in: Security Research
This post is the second in a three-part series. Click here for Part 1 and here for Part 3. Many Android talks on the 2nd day of VB2013! Actually, the importance of mobile threats is something everybody has observed here, and Helen Martin even started the conference by mentioning the fact. What a difference compared to conferences 2 or 3 years ago! Rowland Yu - GinMaster: a case study in Android malware. In America or Europe, people often tend to think that malware is only "important" if found in Google Play. Rowland however stated an important...
by Axelle Apvrille  |  Oct 11, 2013  |  Filed in: Security Research
Get rid of clichés: "Most anti-virus software products detect malware only through simple checksums. This is often the case for the anti-virus engines integrated into network gateways." People mainly believe the reason is that network gateways have limited resources to process the sheer amount of data exchanged through them "in real time", and also that their OS is "embedded" and thus limited. So people think the bottom line is: "Too easy to bypass!" Let's be clear: reality is more...
by Alexandre Aumoine  |  Jul 30, 2012  |  Filed in: Security Research
DexLabs' @thuxnder has recently posted a challenge for Android which is interesting both as a challenge and as a PoC, because it shows how to fool Dex disassemblers. Basically, his strategy consists of an opaque branch condition, one that is always true at run time, that jumps over the next "instruction", a fill-array-data-payload: a Dalvik pseudo-instruction that normally only holds the data table referenced by a fill-array-data. After the fill-array-data-payload header there are further Dalvik instructions. Most disassemblers disassemble one instruction after the other (a linear sweep), and hence understand the final instructions as meaningless...
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
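To make the anti-disassembly trick from the DexLabs challenge concrete, here is an added example (my own code, not the challenge's or DexLabs' code) that hand-assembles a small Dalvik method body and runs two decoders over it. The method body is constructed for this example: `const/4 v0, #+0` followed by `if-eqz v0` is an opaque predicate that is always taken, and it branches past a `fill-array-data-payload` header whose declared size covers the three code units that follow, so a linear sweep files the real `const/4` and `return-void` instructions as array data, while a decoder that follows branch targets (recursive traversal) finds them. Only the handful of opcodes the sample needs are decoded; the encodings follow the Dalvik bytecode formats (10x, 11n, 10t, 21t, 31t and the 0x0300 payload ident).

```python
"""Linear sweep vs. recursive traversal over a hand-built Dalvik method body.

Constructed example (not the DexLabs challenge itself): an opaque `if-eqz v0`
on a register that was just set to 0 always branches, skipping a
fill-array-data-payload whose declared "data" is really the next instructions.
"""

# Dalvik opcodes (low byte of the first 16-bit code unit) for the subset decoded here.
OP_NOP, OP_CONST4, OP_RETURN_VOID, OP_GOTO, OP_FILL_ARRAY_DATA, OP_IF_EQZ = (
    0x00, 0x12, 0x0E, 0x28, 0x26, 0x38)
PAYLOAD_IDENT = 0x0300  # fill-array-data-payload pseudo-instruction marker


def _signed(value, bits):
    """Reinterpret an unsigned field of `bits` width as two's-complement."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_one(units, pc):
    """Decode the instruction at code-unit offset `pc`.

    Returns (text, length_in_code_units, list_of_successor_offsets).
    A fill-array-data-payload is a data table, not executable code, so it
    has no successors and its length covers the whole declared table.
    """
    unit = units[pc]
    op = unit & 0xFF
    if unit == PAYLOAD_IDENT:
        width = units[pc + 1]
        size = units[pc + 2] | (units[pc + 3] << 16)
        data_units = (size * width + 1) // 2
        return (f"fill-array-data-payload width={width} size={size}", 4 + data_units, [])
    if op == OP_NOP:
        return ("nop", 1, [pc + 1])
    if op == OP_CONST4:                       # format 11n: B|A|op
        a, b = (unit >> 8) & 0xF, _signed(unit >> 12, 4)
        return (f"const/4 v{a}, #{b:+d}", 1, [pc + 1])
    if op == OP_RETURN_VOID:
        return ("return-void", 1, [])
    if op == OP_GOTO:                         # format 10t: AA|op
        target = pc + _signed(unit >> 8, 8)
        return (f"goto {target:04x}", 1, [target])
    if op == OP_IF_EQZ:                       # format 21t: AA|op BBBB
        a, target = unit >> 8, pc + _signed(units[pc + 1], 16)
        return (f"if-eqz v{a}, {target:04x}", 2, [pc + 2, target])
    if op == OP_FILL_ARRAY_DATA:              # format 31t: AA|op BBBBlo BBBBhi
        a = unit >> 8
        target = pc + _signed(units[pc + 1] | (units[pc + 2] << 16), 32)
        return (f"fill-array-data v{a}, {target:04x}", 3, [pc + 3])
    raise ValueError(f"unsupported opcode {op:#04x} at {pc:04x}")


def linear_sweep(units):
    """Decode instructions back to back from offset 0 (what most disassemblers do)."""
    listing, pc = {}, 0
    while pc < len(units):
        text, length, _ = decode_one(units, pc)
        listing[pc] = text
        pc += length
    return listing


def recursive_traversal(units, entry=0):
    """Decode by following control flow: every branch target is a new start point."""
    listing, work = {}, [entry]
    while work:
        pc = work.pop()
        if pc in listing or not 0 <= pc < len(units):
            continue
        text, _, successors = decode_one(units, pc)
        listing[pc] = text
        work.extend(successors)
    return listing


def hidden_code(units):
    """Offsets that control flow reaches but a linear sweep files as array data."""
    return sorted(set(recursive_traversal(units)) - set(linear_sweep(units)))


# Constructed method body, one 16-bit code unit per entry (little-endian on disk).
SAMPLE = [
    0x0012,          # 0000: const/4 v0, #+0
    0x0038, 0x0007,  # 0001: if-eqz v0, 0008   opaque: v0 is always 0, so always taken
    0x0000,          # 0003: nop               pads the payload to a 4-byte boundary
    0x0300,          # 0004: fill-array-data-payload ident
    0x0002,          # 0005: element_width = 2
    0x0003, 0x0000,  # 0006: size = 3 -> claims the next 3 code units as "data"
    0x1112,          # 0008: const/4 v1, #+1   <- real code, hidden inside the table
    0x2212,          # 0009: const/4 v2, #+2
    0x000E,          # 000a: return-void
]

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SAMPLE)),
                          ("recursive traversal", recursive_traversal(SAMPLE))):
        print(f"--- {name}")
        for pc in sorted(listing):
            print(f"{pc:04x}: {listing[pc]}")
    print("hidden at:", [f"{pc:04x}" for pc in hidden_code(SAMPLE)])
```

The linear sweep stops after the payload at offset 0004 and never emits offsets 0008 to 000a; the recursive traversal reports them because it queues the `if-eqz` target. Note that the traversal still decodes the payload on the fall-through path, since without constant propagation it cannot know that `v0` is always zero; a real disassembler would want that extra pass, and should also flag the overlap when the same code units are claimed both as table data and as reachable instructions.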