While banking trojans have been around for a very long time now, we have never seen a mobile malware family attack the applications of Belgian financial institutions. Until today... Earlier this week, the Italy-based Cleafy published an article about a new android malware family which they dubbed TeaBot. The sample we will take a look … Continue reading Android overlay attacks on Belgian financial applications
This blogpost explains all the steps I took while analyzing the Cabassous/FluBot malware. I wrote this while analyzing the sample and I've written down both successful and failed attempts at moving forward, as well as my thoughts/options along the way. As a result, this blogpost is not a writeup of the Cabassous/FluBot malware, but rather … Continue reading How to analyze mobile malware: a Cabassous/FluBot Case study
Many applications require the user to authenticate inside the application before they can access any content. Depending on the sensitivity of the information contained within, applications usually have two approaches: The user authenticates once, then stays authenticated until they manually log out;The user does not stay logged in for too long and has to re-authenticate … Continue reading A closer look at the security of React Native biometric libraries
During a mobile assessment, there will typically be two sub-assessments: The mobile frontend, and the backend API. In order to examine the security of the API, you will either need extensive documentation such as Swagger or Postman files, or you can let the mobile application generate all the traffic for you and simply intercept and … Continue reading Proxying Android app traffic – Common issues / checklist
In a previous blogpost, I explained my steps for reversing the flutter.so binary to identify the correct offset/pattern to bypass certificate validation. As a very quick summary: Flutter doesn't use the system's proxy settings, and it doesn't use the system's certificate store, so normal approaches don't work. My previous guide only explained how to intercept … Continue reading Intercepting Flutter traffic on Android (ARMv8)
Update: The explanation below explains the step for ARMv7. For ARMv8 (64bit), see this blogpost. Flutter is Google's new open source mobile development framework that allows developers to write a single code base and build for Android, iOS, web and desktop. Flutter applications are written in Dart, a language created by Google more than 7 … Continue reading Intercepting traffic from Android Flutter applications
A few weekends ago we participated in the Google CTF. While we didn't make it to the top 10, we did manage to solve quite a few challenges. This is my writeup of FlaggyBird, the only mobile challenge that was available. The challenge The challenge was an .apk that did not require network connectivity. Installing … Continue reading Solving Flaggy Bird (Google CTF 2019)
TL;DR - There are many Android SSL pinning bypass scripts available for Frida. However, those don't always work on obfuscated applications. If the application uses OkHttp, there's an easy way to find a convenient place to bypass the pinning by grepping for the right SMALI string. The target For this blogpost, I've created a little … Continue reading Circumventing SSL Pinning in obfuscated apps with OkHttp
TL;DR: Follow these steps to intercept traffic using Burp with a self made root CA on Android (or any browser) The problem In a previous blogpost, we presented a Magisk module that easily integrates user certificates into the system CA store in order to bypass Android N's new hardened security model. For instrumenting applications, this … Continue reading Using a custom root CA with Burp for inspecting Android N traffic
Intercepting HTTPS traffic is a necessity with any mobile security assessment. By adding a custom CA to Android, this can easily be done. As of Android Nougat, however, apps don't trust client certificates anymore unless the app explicitly enables this. In this blogpost, we present a new Magisk module, that circumvents this requirement, by automatically adding … Continue reading Intercepting HTTPS Traffic from Apps on Android 7+ using Magisk & Burp
