Recon 2024 - Laurie Kirk - Manipulating Malware: Forcing Android Malware to Self-Unpack

Author: Recon Conference

Uploaded: Apr 4, 2025

Views: 1,523

Description:

Malicious Android applications use packing as the core technique to conceal payloads from manual and automated analysis. But what if we could force malicious Android applications to drop their payloads by unpacking themselves?

This presentation will introduce an automated and platform-independent method to autonomously unpack Android APKs. Java-based Android packers generate a unique stub per app whose sole purpose is to decrypt and load the malicious payload from inside Android’s Application subclass. I will describe the process for extracting and translating the Dalvik Bytecode, resources, and native code from these stubs into self-unpacking entities. Because the Android Framework is built on top of Java, the automation process must strip all Android-specific API calls and replace them with equivalent Java invocations. The new app can then be produced in one of two forms: a purely Java application that avoids Android emulator requirements, or a defanged version of the original APK after bytecode manipulation. This technique eradicates the need to write custom decryptors for packed Android applications while remaining entirely packer-agnostic.

I will demonstrate and equip attendees with BadUnboxing, a new open-source tool that automatically generates benign versions of Android malware to dump malicious payloads. I will also share my methodology for repackaging defanged APKs.

Laurie Kirk bio:

Laurie Kirk is a Reverse Engineer specializing in cross-platform malware analysis with a focus on mobile threats. She also runs a YouTube channel (@LaurieWired) that covers all sorts of in-depth Malware Analysis, Reverse-Engineering, Exploitation, and security topics. She has spoken at multiple conferences including DEFCON, TROOPERS23, Objective by the Sea, KernelCon, BlueHat, and BSides Seattle.
