Introduction Many Android applications on the Google Play Store request a plethora of permissions to the user. In most cases, those permissions are actually required by the application to work properly, even if it is not always clear why, while other times they are plainly unnecessary for the application or are used for malicious purposes. … Continue reading How malicious applications abuse Android permissions
While banking trojans have been around for a very long time now, we have never seen a mobile malware family attack the applications of Belgian financial institutions. Until today... Earlier this week, the Italy-based Cleafy published an article about a new android malware family which they dubbed TeaBot. The sample we will take a look … Continue reading New mobile malware family now also targets Belgian financial apps
This blogpost explains all the steps I took while analyzing the Cabassous/FluBot malware. I wrote this while analyzing the sample and I've written down both successful and failed attempts at moving forward, as well as my thoughts/options along the way. As a result, this blogpost is not a writeup of the Cabassous/FluBot malware, but rather … Continue reading How to analyze mobile malware: a Cabassous/FluBot Case study
Many applications require the user to authenticate inside the application before they can access any content. Depending on the sensitivity of the information contained within, applications usually have two approaches: The user authenticates once, then stays authenticated until they manually log out;The user does not stay logged in for too long and has to re-authenticate … Continue reading A closer look at the security of React Native biometric libraries
During a mobile assessment, there will typically be two sub-assessments: The mobile frontend, and the backend API. In order to examine the security of the API, you will either need extensive documentation such as Swagger or Postman files, or you can let the mobile application generate all the traffic for you and simply intercept and … Continue reading Proxying Android app traffic – Common issues / checklist
TL;DR - In this post, we'll explore some mobile malware: how to create them, what they can do, and how to avoid them. Are you interested in learning more about how to protect your phone from shady figures? Then this blog post is for you. Introduction We all know the classic ideas about security on … Continue reading Backdooring Android Apps for Dummies
In a previous blogpost, I explained my steps for reversing the flutter.so binary to identify the correct offset/pattern to bypass certificate validation. As a very quick summary: Flutter doesn't use the system's proxy settings, and it doesn't use the system's certificate store, so normal approaches don't work. My previous guide only explained how to intercept … Continue reading Intercepting Flutter traffic on Android (ARMv8)
Update: The explanation below explains the step for ARMv7. For ARMv8 (64bit), see this blogpost. Flutter is Google's new open source mobile development framework that allows developers to write a single code base and build for Android, iOS, web and desktop. Flutter applications are written in Dart, a language created by Google more than 7 … Continue reading Intercepting traffic from Android Flutter applications
A few weekends ago we participated in the Google CTF. While we didn't make it to the top 10, we did manage to solve quite a few challenges. This is my writeup of FlaggyBird, the only mobile challenge that was available. The challenge The challenge was an .apk that did not require network connectivity. Installing … Continue reading Solving Flaggy Bird (Google CTF 2019)
TL;DR - There are many Android SSL pinning bypass scripts available for Frida. However, those don't always work on obfuscated applications. If the application uses OkHttp, there's an easy way to find a convenient place to bypass the pinning by grepping for the right SMALI string. The target For this blogpost, I've created a little … Continue reading Circumventing SSL Pinning in obfuscated apps with OkHttp
