Multidex trick to unpack Android/BianLian

What makes this sample difficult to unpack

Detecting it is packed

DroidLysis detects the sample is packed

Unpacking

This is where the unpacking actually begins! For clarity, I renamed the method “install_multidex”. Its original name was of course obfuscated to “a”. It is a bit difficult to spot that so much happens through this simple call…
Obfuscated bot configuration strings. De-obfuscation occurs through i.a()
Isn’t that nice? JEB automatically decrypts strings when a simple algorithm is used. JEB doesn’t do all the work though, you still have to reverse engineer to understand the meaning: I manually renamed obfuscated name h.a to h.PAYLOAD_EXTENSION etc.
  1. com.brazzers.naughty.g.attachBaseContext(Context)
  2. com.brazzers.naughty.a.a(Context)
  3. com.brazzers.naughty.a.a(Context, File, File…)
  4. com.brazzers.naughty.b.a(Context, String…)
  5. com.brazzers.naughty.b.c()
  6. com.brazzers.naughty.b.a(ZipFile, ZipEntry…)
  7. com.brazzers.naughty.k.a(String, InputStream, OutputStream)

Automating the unpacking

Static program to unpack the asset — java UnpackJwi
$ unzip -l unpacked.zip 
Archive: unpacked.zip
Length Date Time Name
--------- ---------- ----- ----
906456 2022-01-14 11:05 classes.dex
--------- -------
906456 1 file

So, how is the DEX loaded if not with DexClassLoader?

  • MultiDexApplication is found in com.brazzers.naughty.g
  • MultiDex is in com.brazzers.naughty.a
  • and MultiDexExtractor is com.brazzers.naughty.b
  1. Changes in file and folder names. The extracted DEX will be located in a directory named hf8U6UUIwiqaGgo instead of the standard secondary-dexes name, the extracted suffix will be .weg instead of .zip, and other minor details change as well, such as the lock file name, which becomes T9etIiaI.uw87 instead of MultiDex.lock. The goal is obviously to complicate reverse engineering, but also to make the files less noticeable should they be spotted during extraction on the device.
  2. Deflating and decryption of the secondary DEXes. Compare the original code with the malware’s version below.
Original code from https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java (not malicious!)
Malware’s version. The input is deflated and decrypted.
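The extraction pipeline described above (the “Automating the unpacking” step and the deflated-and-decrypted secondary DEX), as an added Python example that is not the post’s UnpackJwi program: it undoes the inflate and decrypt steps and checks that a ZIP holding a DEX comes out. The page does not give the cipher, the key or the order of the two operations, so the XOR routine, the key bytes, the constructed sample blob and the assumption that the String argument of k.a() carries the key are all mine; an analyst replaces xor_decrypt with the routine recovered from k.a().

```python
import io
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    # Placeholder cipher (assumption): replace with the routine reversed from k.a().
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def inflate(data: bytes) -> bytes:
    # Java's Inflater defaults to a zlib-wrapped stream; raw deflate (nowrap=true) is the fallback.
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("not a deflate stream")


def unpack_secondary_dex(blob: bytes, key: bytes) -> bytes:
    """Try both orders (inflate then decrypt, decrypt then inflate); return the ZIP bytes."""
    candidates = []
    for step in (lambda b: xor_decrypt(inflate(b), key), lambda b: inflate(xor_decrypt(b, key))):
        try:
            candidates.append(step(blob))
        except ValueError:
            pass
    for candidate in candidates:
        if candidate.startswith(ZIP_MAGIC):
            return candidate
    raise ValueError("no candidate is a ZIP: wrong key, cipher or operation order")


def list_dex_entries(zip_bytes: bytes):
    """Names of entries inside the recovered ZIP that start with the DEX magic."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if zf.read(n).startswith(DEX_MAGIC)]


def build_sample(key: bytes) -> bytes:
    """Constructed sample: a ZIP holding a fake classes.dex, XOR-encrypted and then deflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return zlib.compress(xor_decrypt(buf.getvalue(), key))


if __name__ == "__main__":
    recovered = unpack_secondary_dex(build_sample(b"demo-key"), b"demo-key")
    print(list_dex_entries(recovered))
```

On a real sample, read the .weg file from the hf8U6UUIwiqaGgo directory (or the asset it was extracted from) into blob and pass the key recovered from the reversed code.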

More recent samples of January 14 (today)

generic_x86_64:/data/data/com.friend.bronze/app_DynamicOptDex # ls
maXclr.json maXclr.json.prof

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax
