Figure 3: Scan result of virustotal. Original malware (top) and modified APK (bottom).
If you want to extract the files from the APK, you can use the Android internal tools, or manually binary-edit the APK file and clear the ‘isEncrypted’ flag. This can be done with hexedit or another binary editing tool, but that is not very handy. You may use this short Python script that does this job for

Conclusion
Hopefully this challenge served as a useful walk-through of the art of the possible in terms of how a malware or badware application can hide its existence in its quest to taint the mobile app marketplace. The Bluebox Labs research team wanted to share this challenge as part of our ongoing efforts to share issues that we come across as we look at the diverse set of mobile threats that are out there. Certainly many other techniques exist, and we’ll review those in future posts. Until then, follow us on Twitter, @BlueboxSec, to hear more about what we’re working on.
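For reference, here is a flag-clearing script in the spirit of the one the extraction section above refers to. It is an added example, not the Bluebox script: it walks the ZIP central directory of an APK and clears bit 0 (the ‘isEncrypted’ bit) of the general purpose flag in every central directory entry and local file header, so standard ZIP tools will extract the archive again. The two-entry sample APK it builds is constructed inline, so the script runs offline with no real sample.

```python
import io, struct, zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ENCRYPTED_BIT = 0x0001  # bit 0 of the general purpose bit flag ('isEncrypted')

def _flag_offsets(buf):
    # Walk the central directory (a raw 'PK' scan could match compressed data) and
    # yield the flag-field offset of each central directory entry and its local header.
    eocd = buf.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    n_entries = struct.unpack_from("<H", buf, eocd + 10)[0]
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]
    for _ in range(n_entries):
        if buf[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local = struct.unpack_from("<I", buf, pos + 42)[0]
        if buf[local:local + 4] != LOCAL_SIG:
            raise ValueError("corrupt local file header at offset %d" % local)
        yield pos + 8    # flag field in the central directory entry
        yield local + 6  # flag field in the local file header
        pos += 46 + name_len + extra_len + comment_len

def clear_encrypted_flag(apk_bytes, set_bit=False):
    """Copy of the APK with the bogus encryption bit cleared (or set, for testing)."""
    buf = bytearray(apk_bytes)
    for off in _flag_offsets(buf):
        flags = struct.unpack_from("<H", buf, off)[0]
        flags = flags | ENCRYPTED_BIT if set_bit else flags & ~ENCRYPTED_BIT
        struct.pack_into("<H", buf, off, flags)
    return bytes(buf)

def can_extract(apk_bytes):
    # True if every entry reads without a password: what an analyst's unzip sees.
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return True
    except RuntimeError:  # "File ... is encrypted, password required for extraction"
        return False

def build_sample_apk(flag_set):
    # Constructed stand-in for the challenge APK, optionally with the bit set as in the sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.test'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return clear_encrypted_flag(buf.getvalue(), set_bit=flag_set)
```

On a real sample, read the APK into bytes, pass it through clear_encrypted_flag, and write the result to a new file; nothing else in the archive is touched, so the original hashes of the entries are preserved for your report.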