sec-zone/AndroidPurelyNative_Troopers23

This contains notes and code for my Troopers23 Beyond Java talk

Beyond Java: Obfuscating Android Apps with Purely Native Code

During this talk I demonstrate how to use purely native code as an obfuscation technique in Android. Together, we rewrite a standard Android Java applicaiton in C++ and remove all traces of the entrypoint. We even mask our Android framework API calls by using direct Binder invocations and messages.

Supporting Code

• DirectBinderInvocations.zip
  • Examples in Java and C++ for direct Binder invocations of dial() method
• PurelyNativeEmpty_Source.zip
  • Example purely native empty application
• AnubisBenignPurelyNative.zip
  • Purely native application based on benign fake Anubis sample
  • Password: infected1

Tools

• JADX
• Android Studio
  • Make sure the NDK is installed Install and configure the NDK and CMake
• Ghidra

Link References

• Android samples soure code
  • https://github.com/vxunderground/MalwareSourceCode/tree/main/Android\

Java Native Interface (JNI)

• JNI Functions
• JNI Types and Signatures

NativeActivity

• Android framework NativeActivity class
  • https://android.googlesource.com/platform/frameworks/base.git/+/master/core/java/android/app/NativeActivity.java
• Rawdrawandroid
  • https://github.com/cnlohr/rawdrawandroid

Android Source Code

• Binder
  • https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/android/binder.c
• ServiceManager
  • https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/java/android/os/ServiceManager.java