Recon 2026

Reversing Framework Mobile Applications with Open Source Tools
Language: English

As malware authors shift tactics, they increasingly hide malicious functionality inside apps built on popular mobile application frameworks, whose compiled artifacts frustrate conventional static and dynamic analysis. This workshop introduces participants to some of the more popular frameworks used in app development and to techniques, built on open source tools, for reverse engineering such applications for malware analysis and defensive threat intelligence.

The workshop comprises two sections, one for Flutter and one for Unity. Each begins with a quick foundational overview of the respective framework, including the basics of its language (Dart for Flutter, C# for Unity). For Flutter this covers a high-level overview of the Dart VM, its compilation models, and the resulting "snapshot" artifacts that analysts encounter; for Unity it covers the IL2CPP ahead-of-time build that Il2CppDumper consumes. We then explain how both frameworks present unique obstacles for reverse engineering and walk through the tools used to recover higher-level code (Blutter for Flutter, Il2CppDumper for Unity), as well as their shortcomings and limitations.
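Before either tool is run, an analyst has to decide which framework built the sample and, for Flutter, which Dart version produced the snapshot, because Blutter must build a matching Dart runtime. The script below is an added triage example written for this page; it is not code from the workshop, from Blutter or from Il2CppDumper. It classifies an APK by its native libraries (libflutter.so plus libapp.so for Flutter; libil2cpp.so plus global-metadata.dat for Unity IL2CPP), pulls the 32-character snapshot version hash that follows the 20-byte Dart snapshot header, and prints the command to run next. Assumptions: the arm64-v8a ABI, the default global-metadata.dat path, and the helper names `triage_apk`, `dart_snapshot_version` and `build_sample_apk` are all mine; the command lines follow the usage shown in each tool's README, with `<extracted>` standing for the unzipped APK directory; the sample APKs are constructed in memory and contain no real app code.

```python
"""Triage an APK for framework markers and pick the reversing tool to run next.

Flutter builds ship lib/<abi>/libflutter.so (engine) and libapp.so (AOT Dart
snapshot); Unity IL2CPP builds ship libil2cpp.so plus global-metadata.dat.
The Dart snapshot header also carries the version hash that Blutter must match.
"""
import io
import re
import struct
import zipfile
from typing import Optional

ABI = "arm64-v8a"                            # assumption: triage the arm64 libraries
DART_SNAPSHOT_MAGIC = b"\xf5\xf5\xdc\xdc"    # 0xdcdcf5f5 stored little-endian
DART_HEADER_SIZE = 20                        # magic(4) + length(8) + kind(8); version hash follows
DART_VERSION_RE = re.compile(rb"[0-9a-f]{32}")

FLUTTER_LIBS = {"libflutter.so", "libapp.so"}
UNITY_METADATA = "assets/bin/Data/Managed/Metadata/global-metadata.dat"  # default location


def dart_snapshot_version(blob: bytes) -> Optional[str]:
    """Return the version hash from the first Dart snapshot header in blob, or None.
    Every magic hit is checked against the hash pattern so that a stray 4-byte
    match inside code or data is skipped rather than reported as a version."""
    pos = blob.find(DART_SNAPSHOT_MAGIC)
    while pos != -1:
        candidate = blob[pos + DART_HEADER_SIZE: pos + DART_HEADER_SIZE + 32]
        if DART_VERSION_RE.fullmatch(candidate):
            return candidate.decode("ascii")
        pos = blob.find(DART_SNAPSHOT_MAGIC, pos + 1)
    return None


def triage_apk(apk_bytes: bytes) -> dict:
    """Classify an APK (as bytes) as flutter, unity-il2cpp or unknown and state
    which tool and inputs to use next. <extracted> = directory the APK was unzipped into."""
    result = {"framework": "unknown", "tool": None, "dart_version": None, "notes": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        libs = {n.rsplit("/", 1)[-1] for n in names if n.startswith(f"lib/{ABI}/")}

        if FLUTTER_LIBS <= libs:
            result["framework"] = "flutter"
            result["tool"] = f"python3 blutter.py <extracted>/lib/{ABI} out_dir"
            ver = dart_snapshot_version(z.read(f"lib/{ABI}/libapp.so"))
            result["dart_version"] = ver
            if ver is None:
                # libapp.so without a readable header: packed, encrypted or otherwise obfuscated
                result["notes"].append("no Dart snapshot header found in libapp.so")
        elif "libil2cpp.so" in libs:
            result["framework"] = "unity-il2cpp"
            result["tool"] = (f"Il2CppDumper <extracted>/lib/{ABI}/libil2cpp.so "
                              f"<extracted>/{UNITY_METADATA} out_dir")
            if UNITY_METADATA not in names:
                # Il2CppDumper needs the metadata; some apps move, rename or encrypt it
                result["notes"].append("global-metadata.dat not at its default path")
        elif not libs:
            result["notes"].append(f"no native libraries for {ABI}; try another ABI")
    return result


def build_sample_apk(kind: str) -> bytes:
    """Construct a minimal fake APK in memory (constructed demo data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        if kind == "flutter":
            # fake snapshot: magic, unpadded length, kind, then a made-up version hash
            snapshot = (DART_SNAPSHOT_MAGIC + struct.pack("<qq", 0, 2)
                        + b"0123456789abcdef0123456789abcdef" + b"\x00" * 16)
            z.writestr(f"lib/{ABI}/libflutter.so", b"\x7fELF")
            z.writestr(f"lib/{ABI}/libapp.so", b"\x7fELF" + b"\x00" * 60 + snapshot)
        elif kind == "unity":
            z.writestr(f"lib/{ABI}/libil2cpp.so", b"\x7fELF")
            z.writestr(f"lib/{ABI}/libunity.so", b"\x7fELF")
            z.writestr(UNITY_METADATA, b"\xaf\x1b\xb1\xfa")  # metadata sanity value 0xFAB11BAF
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk("flutter")
    for key, value in triage_apk(data).items():
        print(f"{key}: {value}")
```

Run it as `python3 triage.py sample.apk`; with no argument it triages the constructed Flutter sample. A `None` Dart version on a genuine Flutter sample, or a missing global-metadata.dat on a Unity sample, is the first sign of the anti-analysis measures the hands-on section deals with.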

Students attending will get hands-on practice reversing in-the-wild Android malware built with each framework, and will be exposed to the more advanced anti-analysis techniques that framework-based malware uses to impede dynamic analysis.


Students attending this workshop should come prepared with a laptop (Linux, or Windows + WSL/Ubuntu) with the following tools installed:
- A working terminal
- Git
- Ghidra
- Blutter: https://github.com/worawit/blutter (builds a Dart runtime matching each sample's Dart version, so it also needs the C++ toolchain and Python packages listed in its README)
- Il2CppDumper: https://github.com/Perfare/Il2CppDumper (a .NET application; on Linux it runs under the .NET runtime)
- dnSpy: https://github.com/dnSpy/dnSpy (Windows), or ILSpy for other platforms: https://github.com/icsharpcode/ILSpy
- Python 3 (required to drive Blutter, and handy if you're feeling scripty)