Recon Montreal 2019

The Path to the Payload: Android Edition
2019-06-28, 15:30–16:00, Grand Salon

This talk go through each step of reverse-engineering a complex Android malware SDK that uses a lot of techniques to trick analysts. We will cover the multiple layers of obfuscation, anti-analysis checks, "confusion" techniques, and C2 communications that you must get through to finally discover the payloads.


This presentation will deep-dive into each step of reversing a complex Android malware SDK and each of its tricks and challenges along the way. We will walk through the multiple layers of obfuscation, anti-analysis checks, encrypted configuration for the SDK, and what it takes to get the C2 server to deliver the real commands. This malicious SDK did not just shutdown when it detected it was being analyzed. Instead it delivered fake, but realistic looking commands, in order to hide its real payloads.

This presentation will demonstrate how a sophisticated Android developer tries to hide its tracks using just Java and my path to get to the payloads they were trying so hard to hide. This SDK and techniques have never been discussed publicly previously.

See also: Slides