The article details technical aspects of dealing with a specific Android banking trojan, also broader themes in malware analysis, such as the use of obfuscation techniques and the tools available to counteract these methods
📌String Obfuscation Mechanism: The Nexus banking trojan uses a string obfuscation mechanism extensively throughout its application code. This complicates the analysis and understanding of the application’s functionality.
📌Analysis Tools: The analysis mentions the use of both manual decoding and paid tools like the JEB Decompiler for identifying and patching the obfuscated code.
📌Dalvik Bytecode Inspection: The case study explores modifying the obfuscated methods by inspecting the Dalvik bytecode, which is part of the DEX files in Android applications.
📌Tool Release - dexmod: a tool called dexmod, developed to assist in the patching of Dalvik bytecode that exemplifies how DEX files can be modified to simplify the analysis of Android applications.
📌Application Permissions: The analysis of the AndroidManifest.xml file reveals that the trojan requests access to sensitive information such as SMS messages, contacts, and phone calls.
📌Obfuscated Methods and Patching: Specific methods like bleakperfect () are highlighted for containing dead code and for their role in decoding strings using XOR operations. The article discusses patching these methods to remove redundant code and simplify the analysis.
📌DEX File Structure: The case study provides insights into the structure of DEX files, including sections like headers, string tables, class definitions, and method code. It explains how classes and methods are defined and referenced within these files.
📌Checksum and Signature Updates: The necessity of updating checksum and SHA-1 signature values in the DEX file’s header to ensure content verification is emphasized.