Duration 39:32
Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library

Maddie Stone
Security Engineer at Google
Black Hat USA 2018
August 4 2018, Las Vegas, USA

About speaker

Maddie Stone is a Security Engineer on Google's Android Security team, where she reverses all the bytes to keep malware off the phones of Android users. Maddie previously spent many years deep in the circuitry and firmware of embedded devices, including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavors of Renesas, and more. She is the creator of the IDAPython Embedded Toolkit. Maddie has previously spoken at international security conferences including OffensiveCon, REcon Montreal, DerbyCon, and the Women in Cybersecurity Conference.

About talk

Topic: IT

I will discuss each of the techniques the malware author used in order to prevent reverse engineering of their Android native library including manipulating the Java Native Interface, encryption, run-time environment checks, and more. This talk discusses not only the techniques the malware author implemented to prevent analysis, but also the steps and process for a reverse engineer to proceed through the anti-analysis traps.

00:00 Who is Maddie Stone

00:30 What analysts and malware developers strive for

01:08 What is “anti-analysis” for?

02:03 What are ELF libraries?

03:43 About the Chamois Android botnet family

05:17 How malware developers manipulate the Java Native Interface

06:51 What are the key features of "WeddingCake"

07:51 About different CPU variants

08:43 Analysis of one of the CPU variants

10:04 The key thing to remember when we start disassembling an ELF

12:40 How to look at the code that is labeled JNI_OnLoad in IDA

15:14 Why do malware developers zero things out

17:43 Do I need to notify users of malware in applications

19:38 Python's main problem

21:24 How the decryption routine works

22:35 About the problem of adaptability

24:21 Hexadecimal hexagon example

25:37 How finding different types of instructions can help decrypt an encrypted array

26:48 Benefits of using IDAPython instead of the API

27:50 How does decryption work

29:24 About using regular expressions

30:49 What goals and expectations do malware developers have

31:47 About VX EG checks

34:38 What is the “Monkey tool” for

38:24 Talk summary


00:00 So who am I? My name is Maddie Stone. I am a reverse engineer on the Google Play Protect team under Android Security, and I've been there for about a year. Before that I had about five years of experience doing hardware and firmware reversing and exploit dev. So why do we even care? What is the whole point of this? Where are we coming from? So the reason why I'm talking and wanted to focus on anti-analysis techniques was, very first, the reason they exist.

00:30 It is this whole sort of dynamic between us as malware analysts and the malware developers, and so we're both striving for asymmetric advantage. So they want to be able to create malware super quickly, that has the most market share, so that they are accomplishing their goal.

00:50 Well, we want to be able to detect it that much faster. So that's the mindset this was coming from: they can create anti-analysis techniques, but can we detect them and prevent them and get around them with less investment than it takes for them to develop them? So what is an anti-analysis technique? Just something to make it harder for you to figure out what they are trying to hide. So this is going to encompass all of anti-reverse engineering,

01:21 anti-debugging, anti-emulation. All of those things I'm packaging up into anti-analysis. So let's take a step back and set the context. What's the story? Where are we? I'm on the Google Play Protect team. We have so many apps coming in all the time, and certain ones are flagged for a human reviewer. When that's escalated to me,

01:43 I want to take a look and decide as quickly as possible: is this benign or is it malware, and should we start issuing warnings? So this app came up. It looked pretty normal, but there was one interesting thing: it had an ELF file embedded in the APK that just didn't look right.
