6. Team bi0s
Amrita Center for Cybersecurity,
Amritapuri
Issues?
→ High obfuscation == Google Bouncer escape
→ Third-party sources distributing malware
→ Benign vs masked-benign
→ Write it in C++, and leave analysts miles behind
→ Just applications? How about 3xpl0its?
Motivation
→ Make a thorough analysis process
→ Automate redundant tasks
→ Have the freedom to render intermediate results manually
→ Extract only as much as needed
→ Easy to tailor
Reminder! (Android build pipeline diagram)
→ .java sources → javac → .jar (Java classes) → dx → classes.dex
→ R.java, res/*, Manifest → aapt → binary Manifest and resources
What Is This?
→ Adhrit is an open source Android APK reversing and analysis tool that can
help security researchers and CTF enthusiasts alike
→ An effort to simplify the reversing and analysis process
→ Long-term and continually updated
→ Built with many little wonderful open source libraries and tools <3
→ Isolated tools from Android SDK
→ Open source and licensed under GPLv3
What Can It Do?
→ Extract source in both Java and smali
→ Extract manifest details
→ Check for malware footprints
→ Check for native libraries
→ Dump the disassembly of the shared objects/libraries
→ Check for simple bytecode injections
→ Extract certificate details
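Two of the items above (the classes.dex produced by dx in the build pipeline, and the check for simple bytecode injections) hinge on the dex header: it carries an Adler-32 checksum and a SHA-1 signature over the rest of the file. The following is an added example, not part of Adhrit or the original slides, that builds a constructed minimal dex, verifies those fields, and shows why a naive byte patch is caught while a properly re-emitted dex (what dx or smali produce) is not. The sample data section and helper names are assumptions for the demo.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70          # a dex header is always 0x70 bytes
DEX_ENDIAN_CONSTANT = 0x12345678


def fix_dex_checksums(data: bytes) -> bytes:
    """Recompute signature (SHA-1 of everything after it) and checksum
    (Adler-32 of everything after it), as dx/smali do when emitting a dex."""
    tail = data[32:]
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return data[:8] + struct.pack("<I", checksum) + signature + tail


def build_dex(data_section: bytes, version: bytes = b"035") -> bytes:
    """Constructed header-only sample dex (hypothetical, not dx output)."""
    file_size = DEX_HEADER_SIZE + len(data_section)
    # Offsets 0x20..0x70: file_size, header_size, endian_tag, then 15 zeroed
    # size/offset fields (link, map, string/type/proto/field/method/class
    # tables), and finally data_size and data_off.
    fields = [file_size, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT] + [0] * 15
    fields += [len(data_section), DEX_HEADER_SIZE]
    tail = struct.pack("<20I", *fields) + data_section
    # 24 zero bytes stand in for checksum + signature until they are computed
    return fix_dex_checksums(b"dex\n" + version + b"\0" + bytes(24) + tail)


def verify_dex(data: bytes) -> dict:
    """Parse the dex header and report which integrity fields still hold."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n" or data[7:8] != b"\0":
        raise ValueError("not a dex file")
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<3I", data, 32)
    data_size, data_off = struct.unpack_from("<2I", data, 104)
    return {
        "version": data[4:7].decode("ascii"),
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": data[12:32] == hashlib.sha1(data[32:]).digest(),
        "file_size_ok": file_size == len(data),
        "header_ok": header_size == DEX_HEADER_SIZE and endian_tag == DEX_ENDIAN_CONSTANT,
        "data_in_bounds": data_off + data_size <= len(data),
    }


if __name__ == "__main__":
    clean = build_dex(b"\x00" * 16)
    patched = bytearray(clean)
    patched[DEX_HEADER_SIZE] ^= 0xFF        # naive byte patch in the data section
    print("clean   :", verify_dex(clean))
    print("patched :", verify_dex(bytes(patched)))          # checksum/signature fail
    print("repacked:", verify_dex(fix_dex_checksums(bytes(patched))))  # passes again
```

Because any recompiled dex carries fresh, valid hashes, header integrity only flags crude hex edits; a real injection check also has to compare the dex against a known-good hash or inspect the smali itself.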
Where Can I Use It? (examples)
→ Certificate unpinning
→ Simple edits to the APK (bytecode injections)
→ A quick overview of the APK
→ Check if it’s already on malware databases
→ Reuse of the isolated tools (saves a lot of time!)
Precisely For?
→ APK reversing beginners
→ Reversing enthusiasts with minimal requirements
→ Intermediate results
→ CTFs
→ Malware analysis
Season 2
→ Dynamic analysis
→ More specific pattern searches (URLs, API keys, etc.)
→ SSL pinning identification
→ Log dive
→ MonkeyRunner to simulate clicks
→ Network connection dump
→ Suggestions always welcome :)
References
→ github.com/abhi-r3v0/Adhrit
→ blog | bi0s
→ Dissecting Google Bouncer
→ Smali Code Injection