[Mal Series #20] Android libarm_protect packer

Just came across some Android malware packed with the libarm_protect packer.

Here is the manifest of the packed Android application.

You can see from the <application> tag that the app starts with a class called arm.StubApp.

AndroidManifest.xml of the app

StubApp seems to work as a payload unpacker that loads the native library arm_protect, located at /lib/armeabi/libarm_protect.so.

Decompiled StubApp code

From this we can guess that the unpacking logic lives in the .so file, since the other classes mentioned in AndroidManifest.xml (e.g. com.e4a.runtime.android.StartActivity) cannot be found in the APK.

Go to the library folder that contains libarm_protect.so and open the library in your favourite decompiler; Ghidra is used in this case.

Look for the attachBaseContext function: it appears to read files ending with .dex from the /assets folder. The /assets folder contains 2 encoded binaries with the .dex extension.

Why attachBaseContext? Referring to this paper:

AttachBaseContext() is the function that packers usually override to perform these tasks since it is called by the framework even before

Reading the load-bytes function, we can see a NOT operation applied to the loaded bytes. We can try NOT-ing those bytes ourselves and see what happens. After NOT-ing them, the dex magic header appears in the decoded .dex files.
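As an added example (not code from the original post), a small Python script that applies the same NOT decoding to the .dex assets of an APK and checks each result for the dex magic header; the APK it builds is a constructed sample, and the asset names are assumptions.

```python
import io
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"  # full magic is b"dex\n035\x00"; version digits may vary (035, 037, 038, 039)


def not_bytes(data: bytes) -> bytes:
    """Undo the packer's bitwise NOT (the same as XOR 0xFF on every byte)."""
    return bytes(b ^ 0xFF for b in data)


def looks_like_dex(data: bytes) -> bool:
    """True if data starts with 'dex\\n', three version digits and a NUL byte."""
    return (len(data) >= 8 and data[:4] == DEX_MAGIC_PREFIX
            and data[4:7].isdigit() and data[7] == 0)


def decode_assets(apk_bytes: bytes) -> dict:
    """Return {asset_name: decoded_bytes} for every assets/*.dex entry that carries a
    valid dex header either as stored or after NOT decoding; other entries are skipped."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("assets/") and name.endswith(".dex")):
                continue
            raw = z.read(name)
            if looks_like_dex(raw):          # already plain dex, nothing to undo
                results[name] = raw
                continue
            decoded = not_bytes(raw)
            if looks_like_dex(decoded):      # NOT decoding revealed the magic
                results[name] = decoded
    return results


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip with two NOT-encoded fake dex assets and one decoy."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 24   # magic followed by padding, not a real dex
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/a.dex", not_bytes(fake_dex))
        z.writestr("assets/b.dex", not_bytes(fake_dex))
        z.writestr("assets/config.dex", b"not a dex payload")   # decoy: neither form is dex
        z.writestr("classes.dex", fake_dex)                      # outside assets/, ignored
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in decode_assets(build_sample_apk()).items():
        print(name, data[:8])
```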

After that, we can continue with the payload analysis :)

Decompiled code of libarm_protect.so

I think the decoding logic might vary between samples, as this looks like a custom packer.

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec