Tuesday, March 20, 2012

Fakeinst + Christian Andersen

Hi!

I saw an interesting trick in a FakeInst sample:

desnos@t0t0:~/androguard$ ./androlyze.py -s
Androlyze version 1.0
In [1]: a, d, dx = AAnalyzeAPK("./apks/malwares/fakeinst.b/338666398c775c0690e78a632cd861c541d0f1da6c9134506881487526a9786c", decompiler="dex2jad")
In [2]: d.CL
d.CLASS_Ldfjg6_Gtr6H_B66gGh
d.CLASS_Ldfjg6_Gtr6H_HeavendeliverusfromthewildNorthmen
d.CLASS_Ldfjg6_Gtr6H_OnthecoastofFrancetheresoundedacryoffearforthebloodstained
d.CLASS_Ldfjg6_Gtr6H_closebytheEmperorthroneandspreadtheirwingsover
d.CLASS_Ldfjg6_Gtr6H_himasshieldstoprotecthimTheyreceivedthenameofVarangians
d.CLASS_Ldfjg6_Gtr6H_southwardtoByzantiumtheswansestablishedthemselvesthere
d.CLASS_Ldfjg6_Gtr6H_swansthatcamefromtheNorthwithfireundertheirwingsandthepeopleprayed
d.CLASS_Lyhj_hffd_BetaReceiver
d.CLASS_Lyhj_hffd_BetaService
d.CLASS_Lyhj_hffd_BetaWebA
d.CLASS_Lyhj_hffd_BootReceiver
d.CLASS_Lyhj_hffd_HeavendeliverusfromthewildNorthmen
d.CLASS_Lyhj_hffd_HtmlActivity
d.CLASS_Lyhj_hffd_OnthecoastofFrancetheresoundedacryoffearforthebloodstained
d.CLASS_Lyhj_hffd_OnthefreshswardofEnglandstoodtheDanishswan
d.CLASS_Lyhj_hffd_andhestretchedouthisgoldensceptreoverthelandTheheathens
d.CLASS_Lyhj_hffd_bytheopenseashorewiththecrownofhreekingdomsonhishead
d.CLASS_Lyhj_hffd_closebytheEmperorthroneandspreadtheirwingsover
d.CLASS_Lyhj_hffd_himasshieldstoprotecthimTheyreceivedthenameofVarangians
d.CLASS_Lyhj_hffd_nthePomeriancoastbentthekneeandtheDanishswanscamewiththebanneroftheCrossandwiththedrawnsword
d.CLASS_Lyhj_hffd_southwardtoByzantiumtheswansestablishedthemselvesthere
d.CLASS_Lyhj_hffd_swansthatcamefromtheNorthwithfireundertheirwingsandthepeopleprayed
d.CLASS_Lyhj_southwardtoByzantiumtheswansestablishedthemselvesthere_closebytheEmperorthroneandspreadtheirwingsover
d.CLASS_Lyhj_southwardtoByzantiumtheswansestablishedthemselvesthere_southwardtoByzantiumtheswansestablishedthemselvesthere


As you can see, the name of each class (and finally of each method and field) is obfuscated, but a few classes are obfuscated with "curious" names:

  • OnthecoastofFrancetheresoundedacryoffearforthebloodstained -> On the coast of France the ...
In fact, all these sentences come from the book "Fairy Tales" by Christian Andersen :)


Now you can read a book during the analysis of an Android malware!
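As an added example (not code from the original post or from androguard): the listing above shows two tell-tale signs of a wordlist-driven obfuscator, very long lowercase "sentence" identifiers and the same sentence reused as a class name in several packages. The small heuristic below scores a list of Dalvik class descriptors for both; the descriptors are constructed from the androlyze output above with `/` and `;` restored, and the length and lowercase-ratio thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: Dalvik descriptors rebuilt from the d.CLASS_* names
# shown above (androlyze replaces '/' and ';' with '_').
SAMPLE_CLASSES = [
    "Ldfjg6/Gtr6H/B66gGh;",
    "Ldfjg6/Gtr6H/HeavendeliverusfromthewildNorthmen;",
    "Ldfjg6/Gtr6H/southwardtoByzantiumtheswansestablishedthemselvesthere;",
    "Lyhj/hffd/BetaReceiver;",
    "Lyhj/hffd/BootReceiver;",
    "Lyhj/hffd/HeavendeliverusfromthewildNorthmen;",
    "Lyhj/hffd/southwardtoByzantiumtheswansestablishedthemselvesthere;",
    "Lyhj/hffd/bytheopenseashorewiththecrownofhreekingdomsonhishead;",
    "Lyhj/southwardtoByzantiumtheswansestablishedthemselvesthere/closebytheEmperorthroneandspreadtheirwingsover;",
]

# L<package/path/>Name;  -- the package part is optional (default package)
DESCRIPTOR = re.compile(r"^L(?:(?P<pkg>.+)/)?(?P<name>[^/;]+);$")


def split_descriptor(desc):
    """Return (package_path, simple_name) for a Dalvik class descriptor."""
    m = DESCRIPTOR.match(desc)
    if not m:
        raise ValueError("not a Dalvik class descriptor: %r" % desc)
    return m.group("pkg") or "", m.group("name")


def looks_like_sentence(name, min_len=25, lower_ratio=0.85):
    """Heuristic (assumed thresholds): a long, purely alphabetic identifier
    that is almost entirely lowercase, i.e. words glued together without
    CamelCase boundaries, as produced by a sentence wordlist."""
    if len(name) < min_len or not name.isalpha():
        return False
    lower = sum(1 for c in name if c.islower())
    return lower / len(name) > lower_ratio


def dictionary_obfuscation_report(descriptors):
    """Flag sentence-like class names and names reused across packages."""
    packages_by_name = defaultdict(set)
    sentence_like = []
    for desc in descriptors:
        pkg, name = split_descriptor(desc)
        packages_by_name[name].add(pkg)
        if looks_like_sentence(name):
            sentence_like.append(desc)
    # The same wordlist entry appearing in several packages is the strongest
    # indicator that names come from a fixed dictionary, not from the code.
    reused = {n: sorted(p) for n, p in packages_by_name.items() if len(p) > 1}
    return {"total": len(descriptors), "sentence_like": sentence_like,
            "reused_across_packages": reused}
```

Running `dictionary_obfuscation_report(SAMPLE_CLASSES)` flags six sentence-like classes and two names shared by the `dfjg6/Gtr6H` and `yhj/hffd` packages; the same check can be fed `d.get_classes_names()` from a real androguard session.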

2 comments:

  1. I guess this is a configuration of the obfuscator (Proguard?) where you tell it to use words from a given dataset.
    Once, on my side, I saw a sample where the obfuscator was using words from the world of Star Wars...

  2. yep I think Proguard too.

    What was the sample with "star wars"?
