Multidex trick to unpack Android/BianLian

What makes this sample difficult to unpack

Detecting it is packed

DroidLysis detects the sample is packed

Unpacking

This is where the unpacking actually begins! For clarity, I renamed the method “install_multidex”; its original name was, of course, obfuscated to “a”. It is a bit difficult to spot that so much happens through this simple call…
Obfuscated bot configuration strings. De-obfuscation occurs through i.a()
Isn’t that nice? JEB automatically decrypts strings when a simple algorithm is used. JEB doesn’t do all the work though: you still have to reverse engineer to understand the meaning. I manually renamed the obfuscated name h.a to h.PAYLOAD_EXTENSION, etc.
  1. com.brazzers.naughty.g.attachBaseContext(Context)
  2. com.brazzers.naughty.a.a(Context)
  3. com.brazzers.naughty.a.a(Context, File, File…)
  4. com.brazzers.naughty.b.a(Context, String…)
  5. com.brazzers.naughty.b.c()
  6. com.brazzers.naughty.b.a(ZipFile, ZipEntry…)
  7. com.brazzers.naughty.k.a(String, InputStream, OutputStream)

Automating the unpacking

Static program to unpack the asset — java UnpackJwi
$ unzip -l unpacked.zip
Archive:  unpacked.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   906456  2022-01-14 11:05   classes.dex
---------                     -------
   906456                     1 file

So, how is the DEX loaded if not with DexClassLoader?

  • MultiDexApplication is found in com.brazzers.naughty.g
  • MultiDex is in com.brazzers.naughty.a
  • and MultiDexExtractor is com.brazzers.naughty.b
  1. Changes in file and folder names. The extracted DEX will be located in a directory named hf8U6UUIwiqaGgo instead of the standard secondary-dexes name, the extracted suffix will be .weg instead of .zip, and other minor details change too: for example, the lock file is named T9etIiaI.uw87 instead of MultiDex.lock. The goal is obviously to complicate reverse engineering, but also to make the files less noticeable should they be spotted on the device after extraction.
  2. Deflating and decryption of the secondary DEXes. Compare the original code with the malware’s version below.
Original code from https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java (not malicious!)
Malware’s version. The input is deflated and decrypted.
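To make the difference between the stock MultiDexExtractor output and this sample's version concrete, here is an added Python triage helper (not the UnpackJwi program from this post, and not the malware's code). It takes a blob recovered from the device or from the asset and reports whether it is the standard container (a ZIP holding a classes.dex with the DEX magic), a bare DEX, a deflate stream around either, or structureless high-entropy data, which is what you see while the decryption step is still missing. The decryption itself is deliberately not implemented here, because the cipher and key are not given above. The sample inputs are constructed inline (a fake DEX header, not a real class file); the indicator names come from the write-up, and the "likely-encrypted" entropy threshold of 7.5 bits/byte is an assumption of this example.

```python
import io
import math
import random
import zipfile
import zlib

# A DEX file starts with "dex\n" followed by a three-digit version and NUL (e.g. b"dex\n035\0").
# Checking only the prefix covers every DEX version.
DEX_MAGIC_PREFIX = b"dex\n"
MAX_INFLATE = 64 * 1024 * 1024  # cap on inflated size, guards against decompression bombs
ENCRYPTED_ENTROPY_THRESHOLD = 7.5  # assumption of this example, bits per byte

# Stock MultiDexExtractor artefact names versus the renamed ones described in the post.
MULTIDEX_INDICATORS = {
    "standard": ("secondary-dexes", ".zip", "MultiDex.lock"),
    "bianlian_sample": ("hf8U6UUIwiqaGgo", ".weg", "T9etIiaI.uw87"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, lower for headers and code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_secondary_dex(blob: bytes) -> dict:
    """Describe a recovered secondary-DEX blob.

    kind is one of: "zip" (stock MultiDex container with classes.dex), "dex" (bare DEX),
    "deflate+zip" / "deflate+dex" (deflate stream around one of those),
    "likely-encrypted" (no structure, high entropy) or "unknown".
    """
    result = {"kind": "unknown", "dex_magic": False,
              "entropy": round(shannon_entropy(blob), 2), "entries": []}
    if not blob:
        return result

    # 1. Stock MultiDex: a ZIP whose classes.dex carries the DEX magic.
    if blob[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                result["entries"] = zf.namelist()
                if "classes.dex" in result["entries"]:
                    result["dex_magic"] = zf.read("classes.dex").startswith(DEX_MAGIC_PREFIX)
                    result["kind"] = "zip"
                    return result
        except (zipfile.BadZipFile, EOFError, OSError):
            pass

    # 2. A bare DEX dropped without any container.
    if blob.startswith(DEX_MAGIC_PREFIX):
        result.update(kind="dex", dex_magic=True)
        return result

    # 3. A deflate stream (raw, wbits=-15, or zlib-wrapped, wbits=15) around one of the above.
    for wbits in (-15, 15):
        try:
            inflated = zlib.decompressobj(wbits).decompress(blob, MAX_INFLATE)
        except zlib.error:
            continue
        inner = classify_secondary_dex(inflated)
        if inner["dex_magic"]:
            result.update(kind="deflate+" + inner["kind"], dex_magic=True, entries=inner["entries"])
            return result

    # 4. No structure at all: uniformly random-looking bytes mean a decryption step is still missing.
    if result["entropy"] > ENCRYPTED_ENTROPY_THRESHOLD:
        result["kind"] = "likely-encrypted"
    return result


def multidex_path_indicators(paths):
    """Return (family, indicator, path) triples for paths matching known MultiDex artefact names."""
    hits = []
    for p in paths:
        for family, indicators in MULTIDEX_INDICATORS.items():
            for ind in indicators:
                if p.endswith(ind) or f"/{ind}/" in p:
                    hits.append((family, ind, p))
    return hits


def build_samples() -> dict:
    """Constructed inputs (not real malware): a fake DEX header inside a zip, the same zip
    wrapped in a raw deflate stream, the bare fake DEX, and seeded pseudo-random bytes
    standing in for a still-encrypted blob."""
    fake_dex = b"dex\n035\0" + bytes(120)  # magic only; not a loadable DEX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", fake_dex)
    container = buf.getvalue()
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(container) + comp.flush()
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return {"zip": container, "deflated": deflated, "dex": fake_dex, "noise": noise}


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_secondary_dex(blob))
    print(multidex_path_indicators(["/data/data/com.example/app_x/hf8U6UUIwiqaGgo/a.weg"]))
```

Run it against the .weg file pulled from the app's data directory: a "deflate+zip" verdict means only the deflate layer was in the way, while "likely-encrypted" tells you the blob still has to go through the malware's decryption routine (the h.a / i.a style helpers discussed above) before it can be loaded into JEB.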

More recent samples of January 14 (today)

generic_x86_64:/data/data/com.friend.bronze/app_DynamicOptDex # ls
maXclr.json maXclr.json.prof


Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax
