2025-03-01 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 report
This article walks through the analysis of a malicious Android application packed with the Bangle Android app packer, in the hope that the approach helps readers facing the same problem find a simpler, practical method.
Foreword
Trustlook Labs found a malicious Android app that uses social engineering to trick users into installing it. The application (MD5: eb9d394c1277372f01e36168a8587016) is packed with the Bangle packer.
The main activity that triggers the app installation is "com.goplaycn.googleinstall.activity.SplashActivity". Curiously, this behavior cannot be found anywhere in the decompiled code:
Let's take a closer look.
Code audit
We start with the SecAppWrapper class, where a "System.loadLibrary" call loads the "secShell" module. The native code in this module is mainly responsible for decrypting and loading the application's main payload from "assets/secData0.jar" and decrypting the compressed DEX file.
We found that most of the method names in the "secShell" module are obfuscated and that its strings are decrypted only when used.
The app checks whether a framework such as Xposed is installed on the phone. Xposed is a framework for manipulating the control flow of Android applications at runtime.
The application also forks its process and calls "ptrace" to attach to the parent process, which prevents a debugger from attaching. Multiple processes watch each other to keep the child processes alive.
The application also monitors values in the /proc file system to check the status of the process.
Note that the JNI_OnLoad function in the "secShell" module has two branches. One branch is responsible for anti-debugging, and the other (0x7543EAE4 below) decrypts the main DEX module.
The following is the decryption function:
After bypassing the anti-debugging, the function "p34D946B85C4E13BE6E95110517F61C41" in the module decrypts the data. Register R0 holds the file location and R1 the file size; the decrypted file is identified by its header bytes "PK\x03\x04" (a ZIP archive). We can dump the memory:
After unzipping the file, we get a DEX file that we can view normally:
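The dump-and-unzip step above, as an added example that is not Trustlook's or the article's code: given a memory dump, it locates ZIP local file headers ("PK\x03\x04"), carves each archive up to its end-of-central-directory record, and reports which members carry the DEX magic. The dump bytes are constructed inline to stand in for the memory dumped from the secShell module.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory signature
DEX_MAGIC = b"dex\n"              # DEX files begin "dex\n035\0" (version varies)

def carve_zip(buf: bytes, start: int) -> "bytes | None":
    """Slice the archive at `start`: it ends with the 22-byte EOCD record
    plus an optional comment whose length is the little-endian u16 at EOCD+20."""
    eocd = buf.find(ZIP_EOCD, start)
    if eocd == -1 or eocd + 22 > len(buf):
        return None
    comment_len = struct.unpack_from("<H", buf, eocd + 20)[0]
    return buf[start:eocd + 22 + comment_len]

def dex_entries(archive: bytes) -> list:
    """Names of archive members whose content starts with the DEX magic."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if zf.read(n).startswith(DEX_MAGIC)]

def carve_dex_archives(buf: bytes) -> dict:
    """Map each carved archive offset to its DEX members. The search resumes
    past each carved archive so members' own local headers are not re-carved."""
    results, off = {}, buf.find(ZIP_LOCAL_HEADER)
    while off != -1:
        archive = carve_zip(buf, off)
        if archive is None:
            break  # no EOCD after this point: nothing more to carve
        try:
            members = dex_entries(archive)
            off_next = off + len(archive)
        except zipfile.BadZipFile:
            members, off_next = [], off + 1  # stray "PK\x03\x04" bytes
        if members:
            results[off] = members
        off = buf.find(ZIP_LOCAL_HEADER, off_next)
    return results

def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: padding, a ZIP with a DEX stub, padding."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return b"\x00" * 37 + zbuf.getvalue() + b"\xff" * 16
```

On a real dump the same carving applies, with R0 and R1 from the decryption routine narrowing the search window.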
Android packers are valuable tools for protecting the intellectual property of legitimate mobile application developers. However, they can also be used for malicious purposes and make malicious applications harder to analyze. Trustlook Labs continues to work to identify malicious applications to protect our customers and the mobile ecosystem.
This concludes the analysis of the malicious Android application packed with the Bangle Android app packer. I hope the above content has been of some help. If you still have questions, you can follow the industry information channel to learn more.