Wednesday 3 October 14:30 - 15:00, Red room
Rowland Yu (Sophos)
Modern Android malware takes full advantage of the internet to execute remote tasks received from command & control servers, to click fraudulent clicks, and even generate cryptocurrency by downloading and running crypto-mining code within the victim's web browser. Existing well-known analysis tools like JEB, Apktool and Radare2 are widely used to analyse malicious Android apps. However, dealing with packed or obfuscated Android apps still remains a very challenging task. Analysis of the network activity can help enormously to understand an obfuscated app's logic. The main challenge here is being able to quickly establish a relationship between decompiled code and network traffic.
Using a packet sniffer in an Android environment is not as straightforward as it seems. To support the man-in-the-middle technique, a certificate has to be configured for SSL decryption on a test device or with a packet analyser such as Wireshark. Android-based packet analysers have the capability of linking packet data with each app on the device but provide clumsy features to download or analyse packets, while computer-based packet analysers are the exact opposite.
In this paper, we will present:
Rowland Yu is a senior threat researcher level 2 at Sophos. He joined SophosLabs as a spam analyst in 2006, before moving into the role of virus threat researcher for advanced threat research, reverse engineering and remediation. Rowland had also led anti-spam and DLP research in the Australian SophosLabs. After the first Android malware was revealed in 2012, Rowland believed Android would become 'the new Windows' for malware and dedicated most of his time to Android security. Now Rowland is the primary researcher leading the Android team for malware analysis and emerging threats. He is also a frequent speaker at Virus Bulletin, RSA, and AVAR conferences.