Part 5 of our Android Banker Deep Dive! In this video, we continue our analysis of the Android banking trojan by executing the sample and manually triggering broadcasts. We find multiple dynamically dropped files including the Shared Preferences settings and a SQL database.
In this [RE]laxing new series, I fully reverse a difficult Android Banker trojan from start to finish.
These extensive "Deep Dive" segments concentrate on dissecting malware specimens and delving into the individual approaches employed to fully reverse them. Throughout the journey, I attempt to explain my techniques as much as possible; however, if any ambiguities arise, please feel free to post a comment below.
Timestamps:
00:00 Intro
00:36 Booting Emulator
03:35 Watching the Dropper
05:05 Accessibility Abuse
06:16 Can't click the button?
08:50 Drawing over other apps
09:45 Switching to an old Android version
11:02 Trying Android 8
13:00 Successful Install!
14:02 Dropped APK?
16:32 Broadcast Triggers
18:48 SMS Trigger
20:24 Dropping back to host
21:39 Database Creation
23:00 Web Data SQL
25:15 Shared Preferences XML
27:33 Recap
Software Links Mentioned in Video:
JADX: https://github.com/skylot/jadx
Malware Examined in the video (Banker/Anubis):
sha256:cae0c0d33e68be9cf81099680b815eb714d8296cb219b7a6247f7f081820f39a
MalwareBazaar Link:
https://bazaar.abuse.ch/sample/cae0c0...
laurieWIRED Twitter:
/ lauriewired
laurieWIRED Website:
http://lauriewired.com
laurieWIRED Github:
https://github.com/LaurieWired
laurieWIRED HN:
https://news.ycombinator.com/user?id=...
laurieWIRED Reddit:
/ lauriewired