Recon 2026

Reversing Framework Mobile Applications with Open Source Tools
2026-06-21, Soprano A
Language: English

As malware authors shift tactics, they increasingly hide malicious functionality within popular mobile application frameworks, allowing them to evade static and dynamic analysis. This workshop will introduce participants to some of the more popular frameworks used in app development, as well as techniques that use open source tools to reverse engineer such mobile applications for malware analysis and defensive threat intelligence.

The workshop will comprise two sections, one for Flutter and one for Unity. Each will begin with a quick foundational overview of the respective framework, including the basics of programming in Dart and Unity, as well as a high-level overview of the Dart VM, its compilation models, and the resulting "snapshot" artifacts that analysts encounter. We then explain how each framework presents unique obstacles for reverse engineering and walk through different techniques and tools (Il2CppDumper and Blutter) used to produce higher-level code, as well as their shortcomings and limitations.

Students attending will get hands-on practice reversing in-the-wild Android malware built with each respective framework, and will be exposed to more advanced anti-analysis techniques employed by framework-based malware to impede dynamic analysis.

Students attending this workshop should come prepared with a laptop (Linux, or Windows + WSL/Ubuntu) with the following tools installed:
- A working terminal
- Git
- Ghidra
- Blutter: https://github.com/worawit/blutter
- il2cppdumper: https://github.com/Perfare/Il2CppDumper
- ILSpy/dnSpy: https://github.com/dnSpy/dnSpy
- Maybe Python if you're feeling scripty.

Nick is a member of the Android Anti-Malware Team at Google, where he focuses on off-market malware and phishing applications. When Nick isn't reversing malware, he's daydreaming about endpoint detection strategies, lockpicking, and carbs (mostly beer, but bread too). An interesting fact about Nick is that he has an eclectus parrot who keeps escaping from his house in Seattle.

Roy Tu is a security engineer on the Android Anti-Malware Team at Google, specializing in static code decompilation of non-standard Android apps. Previously, Roy worked as a pentester for four years at NCC Group. His interests include binary reverse engineering, control flow lifting, LLVM/MLIR, and hardware hacking.