
Android Banker Deep Dive (Part 5)

LaurieWired

Part 5 of our Android Banker Deep Dive! In this video, we continue our analysis of the Android banking trojan by executing the sample and manually triggering broadcasts. We find multiple dynamically dropped files including the Shared Preferences settings and a SQL database.
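As an added example (not code from the video or from LaurieWired), here is a small Python triage script for the two kinds of dropped artifact the video locates: the Shared Preferences XML and the SQL database. It parses the typed <map> entries Android writes under shared_prefs/ and enumerates every table in a pulled SQLite file. It assumes the analyst has already pulled the sample's /data/data/<package>/ directory from the emulator to the host (for example with `adb root` followed by `adb pull`); the preference keys, package names and table layout below are constructed sample data, not values taken from the Anubis sample.

```python
"""Triage helper for app-private files pulled from an Android emulator.

Added example, not code from the video or from LaurieWired. Assumes the
sample's /data/data/<package>/ tree has already been pulled to the host
(e.g. `adb root`, then `adb pull`). All keys, URLs, package names and table
layouts here are constructed for illustration, not taken from the sample.
"""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Constructed SharedPreferences file in the layout Android writes to
# shared_prefs/<name>.xml: a <map> of typed children, each keyed by "name".
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="c2_url">http://example.invalid/gate.php</string>
    <boolean name="accessibility_granted" value="true" />
    <int name="run_count" value="3" />
    <long name="last_ping" value="1700000000000" />
</map>
"""


def parse_shared_prefs(xml_text: str) -> dict:
    """Return {key: typed value} from a SharedPreferences XML document."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root is %r" % root.tag)
    out = {}
    for child in root:
        name = child.get("name")
        if child.tag == "string":
            out[name] = child.text or ""
        elif child.tag == "boolean":
            out[name] = child.get("value") == "true"
        elif child.tag in ("int", "long"):
            out[name] = int(child.get("value"))
        elif child.tag == "float":
            out[name] = float(child.get("value"))
        elif child.tag == "set":
            out[name] = [s.text or "" for s in child.findall("string")]
        else:  # unknown element: keep the raw XML so nothing is silently lost
            out[name] = ET.tostring(child, encoding="unicode")
    return out


def dump_sqlite(path: str) -> dict:
    """Return {table: [row, ...]} for every user table in a SQLite file."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        result = {}
        for t in tables:
            # Table names come from the malware's own database, so quote them.
            quoted = '"%s"' % t.replace('"', '""')
            result[t] = con.execute("SELECT * FROM %s" % quoted).fetchall()
        return result
    finally:
        con.close()


def build_sample_db(path: str) -> None:
    """Create a constructed two-table database standing in for a dropped file."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE targets (id INTEGER PRIMARY KEY, package TEXT, inject_url TEXT)")
        con.executemany("INSERT INTO targets (package, inject_url) VALUES (?, ?)", [
            ("com.example.bank", "http://example.invalid/inj/bank.html"),
            ("com.example.wallet", "http://example.invalid/inj/wallet.html"),
        ])
        con.execute("CREATE TABLE sms_log (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        con.execute("INSERT INTO sms_log (sender, body) VALUES (?, ?)", ("12345", "OTP 4711"))
    con.close()


def make_sample_db() -> str:
    """Write the constructed database to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "web_data.db")
    build_sample_db(path)
    return path


def triage(prefs_xml: str, db_path: str) -> dict:
    """Combine both artifacts into one report dict."""
    return {"prefs": parse_shared_prefs(prefs_xml), "db": dump_sqlite(db_path)}


if __name__ == "__main__":
    report = triage(SAMPLE_PREFS_XML, make_sample_db())
    for key, value in report["prefs"].items():
        print("pref  %-22s = %r" % (key, value))
    for table, rows in report["db"].items():
        print("table %s: %d rows" % (table, len(rows)))
        for row in rows:
            print("      ", row)
```

Point parse_shared_prefs at each file under shared_prefs/ and dump_sqlite at each file under databases/ in the pulled tree; the -wal and -journal siblings should be pulled alongside the database so uncommitted rows are not lost.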



In this [RE]laxing new series, I fully reverse a difficult Android Banker trojan from start to finish.

These extensive "Deep Dive" segments concentrate on dissecting malware specimens and delving into the individual approaches employed to fully reverse them. Throughout the journey, I attempt to explain my techniques as much as possible; however, if anything is unclear, please feel free to post a comment below.

Timestamps:
00:00 Intro
00:36 Booting Emulator
03:35 Watching the Dropper
05:05 Accessibility Abuse
06:16 Can't click the button?
08:50 Drawing over other apps
09:45 Switching to an old Android version
11:02 Trying Android 8
13:00 Successful Install!
14:02 Dropped APK?
16:32 Broadcast Triggers
18:48 SMS Trigger
20:24 Dropping back to host
21:39 Database Creation
23:00 Web Data SQL
25:15 Shared Preferences XML
27:33 Recap



Software Links Mentioned in Video:
JADX: https://github.com/skylot/jadx


Malware Examined in the video (Banker/Anubis):
sha256:cae0c0d33e68be9cf81099680b815eb714d8296cb219b7a6247f7f081820f39a

MalwareBazaar Link:
https://bazaar.abuse.ch/sample/cae0c0...


laurieWIRED Twitter:
  / lauriewired  

laurieWIRED Website:
http://lauriewired.com

laurieWIRED Github:
https://github.com/LaurieWired

laurieWIRED HN:
https://news.ycombinator.com/user?id=...

laurieWIRED Reddit:
  / lauriewired  
