Reversing an Android sample which uses Flutter

  1. Reverse engineer’s angle. Read this part if you want to hear how I struggled to reverse the app.
  2. Malware analyst’s angle. Read this part to learn if the app is malicious or not.

Reverse engineering Flutter-based Android apps

How do I detect that the app uses Flutter?

  • If the app is in debug mode, you are lucky: unzip the APK and look for the Dart code in ./assets/flutter_assets/kernel_blob.bin, which still contains readable class names, method names and string literals [1].
  • If the app is in release mode (which is the case for the suspicious sample), you will find libflutter.so (the Flutter engine) together with libapp.so (the ahead-of-time compiled Dart code) in the ./lib/<abi>/ subdirectories.

Where is the Dart code?

In release mode the Dart code is compiled ahead of time into libapp.so. It is stored as two snapshots, the VM snapshot and the isolate snapshot, each split into a data part and an instructions part, and exported under four symbols: _kDartVmSnapshotData, _kDartVmSnapshotInstructions, _kDartIsolateSnapshotData and _kDartIsolateSnapshotInstructions. readelf -s libapp.so lists them with their values and sizes.

[Image: output of readelf -s libapp.so]

[Image: parsing the snapshots of the app. The first one is the VM isolate. Both use version 2.13.]
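The version the tools care about is read from the snapshot header itself. As an added example (not code from the post, Darter or Doldrums), the script below locates every Dart snapshot header in a libapp.so image and decodes it: a 4-byte magic 0xdcdcf5f5, an int64 length, an int64 kind, a 32-hex-digit version hash that identifies the exact Dart SDK build (this is the value tools compare against their supported version before parsing further), and a NUL-terminated features string. The "libapp.so" bytes, the version hash and the features string are constructed inline for the demo; they are not from the sample.

```python
import struct

# Dart snapshot header as laid out in the Dart VM's runtime/vm/snapshot.h:
# 4-byte magic, int64 length, int64 kind, 32-byte ASCII version hash,
# then a NUL-terminated features string.
SNAPSHOT_MAGIC = b"\xf5\xf5\xdc\xdc"   # 0xdcdcf5f5 stored little-endian
HEADER_SIZE = 4 + 8 + 8
VERSION_SIZE = 32
SNAPSHOT_KINDS = {0: "kFull", 1: "kFullCore", 2: "kFullJIT",
                  3: "kFullAOT", 4: "kNone", 5: "kInvalid"}
HEX_DIGITS = set("0123456789abcdef")


def parse_snapshot_header(blob: bytes, offset: int) -> dict:
    """Decode one snapshot header at `offset`; raise ValueError if malformed."""
    if blob[offset:offset + 4] != SNAPSHOT_MAGIC:
        raise ValueError(f"no snapshot magic at 0x{offset:x}")
    length, kind = struct.unpack_from("<qq", blob, offset + 4)
    vstart = offset + HEADER_SIZE
    version = blob[vstart:vstart + VERSION_SIZE].decode("ascii", "replace")
    # A real header always carries a lowercase hex hash here; anything else
    # is a stray occurrence of the magic inside code or data.
    if len(version) != VERSION_SIZE or not set(version) <= HEX_DIGITS:
        raise ValueError(f"bad version hash at 0x{offset:x}")
    fstart = vstart + VERSION_SIZE
    fend = blob.find(b"\x00", fstart, fstart + 512)   # features strings are short
    if fend == -1:
        raise ValueError(f"unterminated features string at 0x{offset:x}")
    return {
        "offset": offset,
        "length": length,                      # bytes after the magic, as recorded
        "kind": SNAPSHOT_KINDS.get(kind, f"unknown({kind})"),
        "version_hash": version,
        "features": blob[fstart:fend].decode("ascii", "replace"),
    }


def find_snapshots(blob: bytes) -> list:
    """Scan a libapp.so image and return every well-formed snapshot header."""
    found = []
    pos = blob.find(SNAPSHOT_MAGIC)
    while pos != -1:
        try:
            found.append(parse_snapshot_header(blob, pos))
        except ValueError:
            pass   # false positive: the magic bytes appeared outside a header
        pos = blob.find(SNAPSHOT_MAGIC, pos + 1)
    return found


def describe(snap: dict) -> str:
    return (f"{snap['kind']} snapshot at 0x{snap['offset']:x}, "
            f"{snap['length']} bytes, version {snap['version_hash']}, "
            f"features: {snap['features']}")


def make_snapshot(kind: int, version: str, features: str, payload: bytes) -> bytes:
    """Build a constructed snapshot for the demo (header layout only, no real
    serialized objects); the length field counts every byte after the magic."""
    body = struct.pack("<q", kind) + version.encode() + features.encode() + b"\x00" + payload
    return SNAPSHOT_MAGIC + struct.pack("<q", 8 + len(body)) + body


# Constructed stand-in for a libapp.so: ELF-looking prefix, one stray magic
# that is not a header, then a VM snapshot and an isolate snapshot. The hash
# and features are made up for the demo.
VERSION_HASH = "0123456789abcdef0123456789abcdef"
FEATURES = "product no-code_comments no-dwarf_stack_traces_mode arm64 android"
SAMPLE_LIBAPP = (
    b"\x7fELF" + b"\x00" * 28
    + SNAPSHOT_MAGIC + b"\xff" * 40                              # stray magic, skipped
    + make_snapshot(3, VERSION_HASH, FEATURES, b"\x90" * 24)     # _kDartVmSnapshotData
    + b"\x00" * 16
    + make_snapshot(3, VERSION_HASH, FEATURES, b"\x90" * 48)     # _kDartIsolateSnapshotData
)

if __name__ == "__main__":
    for snap in find_snapshots(SAMPLE_LIBAPP):
        print(describe(snap))
```

On a real sample, read the file with `open("libapp.so", "rb").read()` and compare the two version hashes with the ones a tool supports; a mismatch is exactly why Darter (Flutter 2.5) and the Doldrums release (Flutter 2.10) reject a 2.13 sample before doing anything useful.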

Tools to reverse Dart

  • Darter [5]: a Python toolkit to parse libapp.so. It works for Flutter 2.5. Unfortunately, we have 2.13, which is significantly newer.
  • Doldrums [6]: this tool is meant to parse libapp.so and dump all classes of the isolate snapshots. Exactly what I am looking for, except it works for Flutter 2.10. There’s a fork currently focusing on 2.13. It isn’t finished yet. I tried to fix errors for my sample, by quickly moving out of issues it encountered, but I got no interesting decompiled output in the end (meaning my “quick fix” is too quick, and there’s more to be done to get it to work).
  • reFlutter [7]: this framework operates differently. The idea is to repackage the sample with a patched version of the Flutter library, which dumps the snapshot's classes, methods and code offsets at runtime. You then write Frida hooks on those offsets and dynamically analyze calls into the patched library.

To reFlutter … or not

[Image: patching the sample with reFlutter; option 2 selects dynamic analysis of the sample]
The reFlutter dump lists every function it recovered with its offset from the snapshot instructions symbol. For the obfuscated getter zra it reads:

```
Function 'get:zra': getter const. null {Code Offset: _kDartIsolateSnapshotInstructions + 0x000000000000c1a4

}
```

The Frida hook (reFlutter's frida.js template with the offset filled in) then starts as follows. The 0x181a4 is the value of _kDartIsolateSnapshotInstructions in libapp.so (0xc000 according to readelf) plus the code offset above:

```javascript
function hookFunc() {
    // _kDartIsolateSnapshotInstructions (c000) + code offset (c1a4)
    var dumpOffset = '0x181a4'
    var argBufferSize = 150
    // load address of libapp.so in the running process; dumpOffset is relative to it
    var address = Module.findBaseAddress('libapp.so')
    console.log('\n\nbaseAddress: ' + address.toString())
    // ...
```

Analyzing the reFlutter dump

[Image: the list of methods of the internal dart:_http library recovered by the reFlutter dump]

[Image: obfuscated function names of library "cuf"]
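The dump is plain text, so the offset arithmetic from the hook and the hunt for obfuscated names can be scripted. As an added example (not code from the post or from reFlutter), the parser below extracts each function's library, class, name and code offset from a dump in the format quoted above, reproduces the dumpOffset computation (0xc000 + 0xc1a4 = 0x181a4) and flags the short identifiers that Dart's --obfuscate leaves behind, such as zra. The dump excerpt, the package:app/cuf.dart library URI and the 0xc000 symbol value are constructed for the demo; the parser accepts the Code Offset either on the Function line, as quoted in the post, or on the line after it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns for the text reFlutter writes into dump.dart, following the shape
# of the excerpt quoted above.
LIB_RE = re.compile(r"Library:'([^']+)'\s+Class:\s*(\S+)")
FUNC_RE = re.compile(r"Function\s+'([^']+)'")
OFF_RE = re.compile(r"Code Offset:\s*(_kDart\w+)\s*\+\s*0x([0-9a-fA-F]+)")


@dataclass
class DumpEntry:
    library: str
    klass: str
    function: str
    symbol: str        # e.g. _kDartIsolateSnapshotInstructions
    code_offset: int   # offset relative to that symbol


def parse_dump(text: str) -> list:
    """Walk the dump line by line, tracking the current library and class."""
    entries, library, klass, pending = [], None, None, None
    for line in text.splitlines():
        m = LIB_RE.search(line)
        if m:
            library, klass = m.groups()
            continue
        m = FUNC_RE.search(line)
        if m:
            pending = m.group(1)
        m = OFF_RE.search(line)          # may be on the same line as the Function
        if m and pending is not None:
            entries.append(DumpEntry(library, klass, pending, m.group(1), int(m.group(2), 16)))
            pending = None
    return entries


def absolute_offset(symbol_values: dict, entry: DumpEntry) -> int:
    """Symbol value as listed by `readelf -s libapp.so` plus the dumped code offset."""
    return symbol_values[entry.symbol] + entry.code_offset


def frida_dump_offset(symbol_values: dict, entry: DumpEntry) -> str:
    """The string to put in `dumpOffset` of the Frida hook for this function."""
    return hex(absolute_offset(symbol_values, entry))


def looks_obfuscated(name: str) -> bool:
    """Heuristic only: obfuscated Dart identifiers are 1 to 3 letters ('zra', 'cuf');
    strip the 'get:'/'set:' prefix and any class qualifier before testing."""
    bare = name.split(":")[-1].split(".")[-1]
    return re.fullmatch(r"[a-zA-Z]{1,3}", bare) is not None


def obfuscated_by_library(entries: list) -> dict:
    """Group the suspicious names per library so the obfuscated ones stand out."""
    out = defaultdict(list)
    for e in entries:
        if looks_obfuscated(e.function):
            out[e.library].append(e.function)
    return dict(out)


# Constructed dump excerpt: one dart:_http getter in reFlutter's multi-line
# layout and two entries of an obfuscated library in the flattened layout
# quoted in the post. The library URI is made up.
SAMPLE_DUMP = """\
Library:'dart:_http' Class: _HttpClient extends Object {
  Function 'get:userAgent': getter const. null {
    Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000051fa0
  }
}
Library:'package:app/cuf.dart' Class: cuf extends Object {
  Function 'get:zra': getter const. null {Code Offset: _kDartIsolateSnapshotInstructions + 0x000000000000c1a4
  }
  Function 'xq': dynamic {Code Offset: _kDartIsolateSnapshotInstructions + 0x000000000000c2e0
  }
}
"""

# Symbol value as readelf -s would report it; 0xc000 is the figure quoted in
# the hook comment above and is assumed here for the demo.
SYMBOLS = {"_kDartIsolateSnapshotInstructions": 0xc000}

if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    for e in entries:
        print(f"{e.library} {e.klass}.{e.function} -> dumpOffset {frida_dump_offset(SYMBOLS, e)}")
    print("obfuscated:", obfuscated_by_library(entries))
```

Running it against a real dump.dart gives, per function, the exact dumpOffset string for the hook, and the per-library grouping makes a fully obfuscated library such as "cuf" obvious next to the unobfuscated dart:_http methods.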

Malware analyst’s angle

Notice the URLs going to amelimoncompte[.]blogpost[.]com

What’s the goal?

[Image: applications developed by "santotosapps" in the Google Play Store. Notice how much the apps look alike: a large rectangular icon with a simple upper-case font.]

References

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax