[Mal Series #20] Android libarm_protect packer

Just came across with some android malware that packed with libarm_protect packer.

Here is the manifest of the packed android application.

You can see from the <application> tag, the app will starts with class called arm.StubApp

AndoridManifest.xml of the app

The StubApp seems like works as a payload unpacker that loads the library arm_protect which is in the folder /lib/armeabi/libarm_protect.so.

Decompiled StubApp code

Then, we can somehow guess that the packer is in the .so file since you can’t find other classes mentioned in the AndroidManifest.xml (e.g. com.e4a.runtime.android.StartActivity)

Go to the library folder that contains libarm_protect.so , and decompile the library in your favorite decompiler, Ghidra is used in this case.

Check for attachBaseContext function, seems like it will read file ends with .dex from folder /assets . In folder /assets there are 2 encoded binary with .dex extension.

Why attachBaseContext? By referring to this paper.

AttachBaseContext() is the function that packers
usually override to perform these tasks since it is called
by the framework even before

By reading the load bytes function, we can see NOT operation on the loaded bytes. We can try to NOT those bytes and see what happens. After the NOT those bytes, we can see the dex magic header from those decoded .dex files.

After that, we can continue with the payload analysis :)

Decompiled code of libarm_protect.so

I think the decoding logic might be vary for different sample as it looks like a custom packer.







Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Lost Programmer

Pretty status bar and navigation bar in Android

Building a TCP Chat in Go

How to store a date when working with Active Record

Top 8 Productivity hacks for Programmers to get the most out of your remote working hours.

External Sensors

Developer Relations is booming — here’s why

CS373 Spring 2020 — Yuntong Qu

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium


Unpacking a JsonPacker-packed sample

Cryptography Part II

Compile android debug bridge on Raspberry pi