Skip to main content
    CONTACT

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    Lindsay Kaye & Gabriel Cirlig - Intro to Android Reverse Engineering: Tear Through Apps Like A Pro $1,400 (early $1,200)
    Lindsay Kaye & Gabriel Cirlig - Intro to Android Reverse Engineering: Tear Through Apps Like A Pro $1,400 (early $1,200)

    Lindsay Kaye & Gabriel Cirlig - Intro to Android Reverse Engineering: Tear Through Apps Like A Pro $1,400 (early $1,200)

    Las Vegas 2024
    $1,200.00
    Trainer bio's:

    Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Prior to her work at HUMAN, Lindsay served as Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance as part of the Insikt Group at Recorded Future. Outside of work, Lindsay writes articles on complex cybersecurity issues including data and trends analysis, technical pieces on reverse engineering and TTPs, and discussions on the business of the cybercriminal underground. Lindsay is an internationally-recognized cybersecurity speaker and author. She holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

    Gabriel Cirlig is Principal Security Researcher at HUMAN Security. A software developer-turned-rogue, Gabriel is the go-to expert for any mobile reverse engineering project within HUMAN’s Satori Threat Intelligence and Research team. In his past he went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye open for everything shiny and new. Lately, Gabriel has shifted gears and started his career as a security researcher while speaking at various conferences showcasing what he’s hacked. With a background in electronics engineering and various programming languages, he likes to dismantle and (hopefully) put back whatever he gets his hands on.



    Trainer social media links:


    Full description of the training:
    This introductory Android reverse engineering course is meant for students who are looking for a hands-on, lab-intensive class to expand their RE skills to Android. This course aims to introduce people into the world of Android reversing. It will be a mostly hands on experience with just enough theory to provide the student a solid base upon which to build their reversing skills. We will cover the basics of Android, APK structure, DEX file internals and how this can be exploited in order to decompile and deobfuscate malware. The hands-on exercises provided use fresh malware samples that represent what those in the industry work with regularly where the knowledge can be put to good use in extracting C2s and other interesting information.

    The course covers spotting suspicious samples, C2 deobfuscation, secondary payload extraction through both static and dynamic analysis. We will cover both Java and native code reverse engineering. Throughout the training exercises, we will cover tools such as Ghidra, Frida, JADX and BURP and how they can be used on Android and native code built into Android applications specifically to aid in reverse engineering. Students will learn how to approach simpler Android reverse engineering tasks as well as more challenging, obfuscated applications.

    Short description of what the student will know how to do, after completing the class:

    Students will gain an introductory understanding of Android reverse engineering, including native code, and the tools and techniques to help them further expand their knowledge in the area. Specifically, they will be introduced to Frida, Ghidra, JADX and BURP and how to use them to unpack and gain an understanding of Android malware. This class is very lab-focused, so it will be a hands-on learning experience.




    Outline of the class:
    Day 1
    • 30m - static analysis - Introduction to Android and its malicious actors. This chapter will cover a short introduction to Android and its systems, touching upon ART and DVM and their role in executing an Android application
    • 30m - static analysis - Structure of an APK file. What gets loaded? What starts up?
      • hands on session - Using APKTool to identify a FluBot payload and unpack it using a decryptor provided by me
    • 30m - static analysis - Structure of a DEX file. High level overview about smali code, DEX file structure and various tools to manipulate it. 
      • hands on session - Using JADX to generate human readable JAVA code. Case study: Escobar malware
    • 30m - static analysis - String obfuscation - Google taking more and more steps to squash mobile malware, there's been an increase in the amount of string obfuscation being employed. This final chapter will present the how and why and the most common ways to statically defeat it.
      • hands on session - Find the C2 for a GINP sample
    • 60m - putting it all together - writing the decryptor used initially to unpack FluBot
    • 60m - dynamic analysis - setting up an Android emulator, adding a trusted CA to the system store and intercepting HTTPS traffic with BURP
      • hands on session -  Dawdropper detonation and payload isolation

    Day 2
    • 60m - dynamic analysis - quick intro to dynamic code loading on Android; introduction to FRIDA and function hooking
      • hands on session - hook DexClassLoader to intercept a dynamically loaded payload
    • 60m - static analysis - Native Code. Sometimes, native code such as C/C++ (via JNI), Rust or Go makes its way into Android apps. We will look at both static and dynamic analysis opportunities. First look at how to identify it using native code, then what to do with it statically and dynamically.
      • hands on session - explore for hidden flags inside the JNI layer of an Android application for both static and dynamic bindings.
    • 60m - dynamic analysis - Advanced Native Code -
      • hands on session - more complex one,  where the native code is heavily obfuscated
    • 120m - putting it all together - Complete teardown of Cerberus
    * hands on session - extract payload dropped by Cerberus
    * hands on session - bypassing Cerberus' step counter to get its C2 communication active

    Outline

    This will be a simple and short (in the limit of two days) introduction into Android reverse engineering, taking the student from zero to hero. No previous reversing knowledge is required and all of the tools will be provided in the form of a VM packed with goodies. The course will cover the basics of Android, APK structure, DEX file internals and how this can be exploited in order to decompile and deobfuscate malware. In addition, hands-on exercises will be provided with fresh malware samples where the knowledge can be put to good use in extracting C2s and other interesting information.

    This course aims to introduce people into the world of Android reversing. It will be a mostly hands on experience with just enough theory to provide the student a solid base upon which to build their reversing skills. The course covers spotting suspicious samples, C2 deobfuscation, secondary payload extraction through both static and dynamic analysis.

    The first part is focused on doing a high level threat landscape of what’s going on inside the Android malware scene. I’ll quickly go through some RATs, Joker, Flubot and BRATA to illustrate the main concepts abused such as accessibility services and system overlays.
    Afterwards, I will focus on the structure of an APK file, how it is processed by Android and what parts from it are relevant for an analyst. This will be followed up by a hands on session where the coursants will have to use a precompiled tool to unpack a sample that they identified as being suspicious. This will be a learning experience as they’ll quickly learn how to run commands in bulk over a range of files, use the file command and spot suspicious payloads.

    The next phase will take us closer to the DEX file format and give coursants a chance to dive deep into some real Android malware. It will mostly be an exploratory session, where the exercise is to understand what the sample does, how it leverages accessibility services/system overlays to create an injection loop and find said injection loop.

    The third phase presents a new challenge: obfuscated strings. Here we will have to use an old time trick in order to deobfuscate certain parts of the code: find the interesting bits, copy their dependencies and inject them into a JAVA wrapper.

    The final part of the static analysis session will circle back to the first session. Now the students have to write the very first decryptor they initially used in its compiled form. They will have to tackle a MultiDex packed payload, figure out the code added by the malicious attackers and reverse it in order to write the decryptor they used earlier.

    The second half of the workshop will introduce the dynamic analysis side of things. The students will have to modify an Android emulator instance in order to facilitate network traffic interception. For this they will have to make the system partition writable, disable secure boot, dm-verity and upload the MITM certificate. As a hands on exercise they will have to detonate a DawDropper sample, identify the secondary sample and identify the code responsible for the APK dropping.

    The next exercise will introduce the students to Frida. They will detonate a FluBot sample and then use FRIDA to prevent it from deleting the decrypted payload. This will allow the students to see the difference between the two approaches: static and dynamic analysis both with their own advantages and disadvantages.

    With this more advanced knowledge in hand, we’ll circle back to static analysis and ramp it up a notch, going into the native realm. The students will learn why and how native libraries are employed by malware developers and the common mechanics used to hide the code. The students will afterwards be taught how to use Frida in conjunction with JNI and calculate function addresses, hook them and read the return value.

    In the final part of the second half, the students will detonate a Cerberus sample. While it’s not the most recent malware strain, it is however really clever in hiding its traffic: it uses a simple step counter mechanism to count the number of steps the user of the device did. It will only initiate communication to the C2 after a certain number of steps are done. The goal is to find the code responsible and to patch it via FRIDA. This can be solved in various ways and will provide the final challenge of the course.




    Technical difficulty of the class (Beginner, Intermediate, Advanced):
    Beginner



    Suggested prerequisites for the class:
    Basic Linux knowledge. 

    Items students will need to provide:
    A PC capable of nested virtualization on which the course VM can run.
    DATE: August 12th-13th 2024

    TIME: 8am to 5pm PDT
    VENUE: Sahara Las Vegas
    TRAINER: Lindsay Kaye & Gabriel Cirlig

    - 16 hours of training with a certificate of completion.
    - 2 coffee breaks are provided per day
    - Note: Food is not included

    Registration terms and conditions:

    Trainings are refundable before July 1st, the processing fee is $250.

    Trainings are non-refundable after July 10th, 2024.

    Training tickets may be transferred. Please email us for specifics.

    Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

    By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
    DEF CON Communications, inc.

    1100 Bellevue way NE

    8A-85

    Bellevue, WA 98004

    Powered by Shopify