Android malware evolves every day and is everywhere, even in the Google Play Store. Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, and many alternative techniques to operate the way Windows malware does. Using a benign-looking application as a dropper is just one of them. This talk is about Android malware on the Google Play Store. The talk will cover:
Techniques to Analyze Samples: Unencrypted samples are often used to harvest personal information to sell and do not use obfuscation. Encrypted samples, however, are used for more sophisticated tasks such as stealing banking information. They decrypt themselves by fetching the key from a Twitter account owned by the malware developer and operate by communicating with their C2s. Also, most banking samples use techniques like screen injection and dependency injection, the latter being widely used by Android application developers.
Bypassing Anti-* Techniques: To analyze a sample dynamically, its anti-* techniques usually need to be defeated first. We will introduce some (known) Frida scripts that defeat the common anti-* checks malware uses.
Extracting IoCs: Extracting the Twitter account as well as the C2s from encrypted samples is often critical for performing threat intelligence on the samples. Extracting IoCs while the assets are still active was crucial for our research, since we also aim to take over the C2s. We will introduce a (known) automation technique to extract the Twitter account, the decryption key and the C&C address.
Extracting Stolen Information from C2s: To extract information from a C2, one must act swiftly. The speed of the extraction process is critical, since the actors change C2s often. We will give a detailed walkthrough of how we approach C2s as a target and extract the information.