Unpacking an Android malware with Dexcalibur and JEB

This is the Android malware we are going to analyze. A phishing SMS is known as “smishing”. Dec 4, 2020

The sample is packed

Quickly, we notice the sample is packed. Indeed, the package’s namespace is tuna.obvious.trust, but the Android manifest references numerous activities and services with namespace dad.calm.invest, which does not exist in the sample.

<application android:allowBackup=”true”  android:icon=”@mipmap/ic_launcher” android:label=”TousAntiCovid”  android:name=”tuna.obvious.trust.NRuUxBnCsMhKmHjAbPxLqMdBpSmOaQzLaXpNqHwHrMhAbRzKiXfTz”  android:roundIcon=”@mipmap/ic_launcher_round”  android:supportsRtl=”true”  android:theme=”@android:style/Theme.Translucent.NoTitleBar”  android:usesCleartextTraffic=”true”><activity android:name="dad.calm.invest.KSfDnRiNpEoOsTdLcMhOyFtJdPzPhJbGhIuFiGxGpJlDsJr" android:screenOrientation="1"/>
<service android:exported="false" android:label="hgqkxlqj" android:name="dad.calm.invest.ffajxodmncsk" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">

Where is the second DEX?

The first DEX needs to load the second DEX using DexClassLoader. So, we search for code using DexClassLoader in the first DEX. To quickly search, you can use DroidLysis, or Dexcalibur, or simply grep on smali ;-)

In Dexcalibur, we search for code using DexClassLoader using “calleed.name:”. We spot 2 references in the first DEX’s namespace. Both are in tuna.obvious.trust.XOiFqQlOuCjFxOyLkSn.coinknife.
Live reverse engineering of the packed sample using JEB Decompiler
the DEX is contained in wJDeTjC.json. Unfortunately, it is encrypted.

Unpacking with Dexcalibur

We need to decrypt the encrypted wJDeTjC.json file. At this point, we could go on with JEB and find the decryption routine. Or write a Frida hook on coinknife, because when coinknife calls DexClassLoader, the data has to be decrypted at that moment. We could print the data in the hook, and consequently have the malware decrypt the file for us 😏.

Click on the blue “Probe” button to add a hook for coinknife method.
Our custom hook (white) got called. Interesting, we see it was called with a file named /data/user/0/tuna.obvious.trust/app_DynamicOptDex/wJDeTjC.json
We have successfully unpacked the malware. Here, JEB is decompiling the “main” activity of the second DEX.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.