#ANDROID: Guerilla Android Reversing
This course aims to introduce people to the world of Android reversing. It will be a mostly hands-on experience with just enough theory to give the student a solid base upon which to build their reversing skills.
We will cover the basics of Android, APK structure and DEX file internals, and how these can be exploited in order to decompile and deobfuscate malware. The hands-on exercises use fresh malware samples representative of what practitioners in the industry work with regularly, so the knowledge can be put to good use in extracting C2s and other interesting information.
The course covers spotting suspicious samples, C2 deobfuscation, and secondary payload extraction through both static and dynamic analysis. We will cover both Java and native code reverse engineering. Throughout the training exercises, we will cover tools such as Ghidra, Frida, JADX and BURP, and how they can be used on Android applications and on the native code built into them, specifically to aid in reverse engineering. Students will learn how to approach simpler Android reverse engineering tasks as well as more challenging, obfuscated applications.
Why you should attend
The course has hands-on exercises that take you from zero to hero.
It will enable any experienced malware reverser to start diving into Android malware right after the course’s end, while more junior ones will get a solid foundation that will set them up for success.
What you will learn
Students will gain an introductory understanding of Android reverse engineering, including native code, and the tools and techniques to help them further expand their knowledge in the area.
Specifically, they will be introduced to Frida, Ghidra, JADX and BURP and how to use them to unpack and gain an understanding of Android malware.
This class is very lab-focused, so it will be a hands-on learning experience.
Schedule
Day 1
- 60m – static analysis – Introduction to Android and its malicious actors. This chapter will cover a short introduction to Android and its systems, touching upon ART and DVM and their role in executing an Android application
- 60m – static analysis – Structure of an APK file. What gets loaded? What starts up?
- hands-on session – Using APKTool to identify a FluBot payload and unpack it using a decryptor provided by me
- 60m – static analysis – Structure of a DEX file. High-level overview of smali code, DEX file structure and various tools to manipulate it.
- hands-on session – Using JADX to generate human-readable Java code. Case study: Escobar malware
- 60m – lunch break
- 60m – static analysis – String obfuscation – With Google taking more and more steps to squash mobile malware, there has been an increase in the amount of string obfuscation being employed. This final chapter will present the how and why, and the most common ways to statically defeat it.
- hands-on session – Find the C2 for a GINP sample
- 60m – putting it all together – writing the decryptor used initially to unpack FluBot
- 60m – dynamic analysis – setting up an Android emulator, adding a trusted CA to the system store and intercepting HTTPS traffic with BURP
- hands-on session – Dawdropper detonation and payload isolation
Day 2
- 60m – dynamic analysis – quick intro to dynamic code loading on Android; introduction to Frida and function hooking
- hands-on session – hook DexClassLoader to intercept a dynamically loaded payload
- 60m – static analysis – Native Code. Sometimes, native code such as C/C++ (via JNI), Rust or Go makes its way into Android apps. We will look at both static and dynamic analysis opportunities: first how to identify an app that uses native code, then what to do with it statically and dynamically.
- hands-on session – search for hidden flags inside the JNI layer of an Android application, for both static and dynamic bindings.
- 60m – dynamic analysis – Advanced Native Code
- hands-on session – a more complex exercise, where the native code is heavily obfuscated
- 60m – lunch break
- 120m – putting it all together – Complete teardown of Cerberus
* hands-on session – extract the payload dropped by Cerberus
* hands-on session – bypassing Cerberus’ step counter to get its C2 communication active
Who is it for
This introductory Android reverse engineering course is meant for students who are looking for a hands-on, lab-intensive class to expand their reverse engineering skills to Android.
Other information & prerequisites
- Technical difficulty of the class: BEGINNER
- Basic Linux knowledge (optional).
- Items students will need to provide: a PC capable of nested virtualization on which the course VM can run.
- Language: ENGLISH
- Duration: 16 hours
- Minimum students: 8
- Date: November 26th – 27th
- Venue: To be announced
- Price:
  - Before October 28th: 675 EUR + VAT
  - After October 28th: 750 EUR + VAT
About the trainers
GABRIEL GIRLIG
Android Hacker | Threat Hunter | Privacy Evangelist
Gabriel is an accomplished Android Hacker and Threat Hunter, recognized as a Forbes 30 Under 30 honoree. As a Privacy Evangelist, he is dedicated to advancing privacy practices and combating malware. His motto, “All is fair in love and malware,” reflects his commitment to navigating and addressing complex security challenges.
JOÃO SANTOS
Manager of Threat Intelligence | Senior Information Security Consultant
João is a seasoned Manager of Threat Intelligence and Senior Information Security Consultant. With expertise in Android hacking, he oversees threat intelligence strategies and provides advanced consulting services to help organizations enhance their security posture and effectively manage cyber threats.
FAQs
Q: What happens if there aren’t enough participants?
A: If we do not meet the minimum number of participants, you can either transfer to another workshop and pay or receive a refund for any difference in price, or opt for a full refund. You will be notified in advance and given options to choose what works best for you.
Q: Are food and accommodation included in the price?
A: The workshop price covers food. However, accommodation is not included, but we can recommend nearby options for your convenience.
Q: Can I get a refund if I can’t attend after registering?
A: Yes, full refunds are available up to 20 days before the workshop start date. However, if you cancel after that, we can offer only 50% of the price.
Q: How and when will I receive the details about the location and prerequisites?
A: You will receive an email with all the necessary details, including the workshop location, prerequisites, and schedule, at least one week before the event. If you have any immediate questions, feel free to reach out to us directly.