Mert Can Coskuner and Kursat Oguzhan Akinci

Kürşat Oğuzhan Akıncı is a Security Engineer at Trendyol. He is also a team leader of Blackbox Cyber Security, which is Turkey’s first cyber security volunteer group, and coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff. In his free time Kürşat performs security research in the form of bug bounty, in which he has found several vulnerabilities in critical institutions such as the NSA, and helps Mert Can break into C&Cs.

Mert Can Coşkuner is a Security Engineer at Trendyol. He is maintaining a blog at In his free time Mert Can performs mobile malware research and threat intelligence.

Android Malware Adventures

Android malware is evolving every day and it is everywhere, even in the Google Play Store. Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, along with many alternative techniques to operate the way Windows malware does. Using a benign-looking application as a dropper is just one of them. This talk is about Android malware on the Google Play Store. The talk will cover:

  1. Techniques to Analyze Samples: Unencrypted samples are often used to retrieve personal information to sell and do not have obfuscation. Encrypted samples, however, are used for much more sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a Twitter account owned by the malware developer and operate by communicating with the C2s. Also, most banking samples use techniques like screen injection and dependency injection, which is mostly used by Android application developers.

  2. Bypassing Anti-* Techniques: To dynamically analyze a sample, defeating anti-* techniques is often needed. We will introduce some (known) Frida scripts that defeat the common anti-* checks malware uses.

  3. Extracting IoCs: Extracting the Twitter account as well as the C2s from encrypted samples is often critical to performing threat intelligence on samples. Extracting IoCs while assets are still active was crucial for our research since we are also aiming to take over C2s. We will introduce a (known) automation technique to extract the Twitter account, decryption key and C&C address.

  4. Extract Stolen Information from C2s: In order to extract information from a C2, one should act swiftly. The speed of the extraction process is critical since the actors change C2s often. We will give a detailed walkthrough of how we approach C2s as a target and extract the information.

Schedule : September 24, 2020 - 01:30 PM