In this writeup, let’s take a look at Android packers in general before focusing on one of the more popular packer, Bangcle.
[An Introduction to Android Packers]
There are many useful reasons packers are used in software engineering, like for code obfuscation, compression, protecting your work against reverse engineers etc. The more sinister usage are for AV bypassing, masquerading malware and making the job of whitehat reverse engineers harder.
The common packers used for packaging EXEs are UPX Packer, RLPack, NSPack etc. As till recent times, the bulk of computer usage has been limited to PCs thus these were commonly used.
With the increase in usage of Android devices, different types of malicious Android applications were beginning to proliferate. In recent times, Android malware packaged using packers are beginning to surface in the wild.
A more detailed analysis on Android packers can be found here. In the next section, I will be focusing on one of the increasingly popular Android packer which is being used for Android malware.
[Bangcle: Android Packer]
Bangcle is a mobile application security services provider company based in China. One of the services it offer is Android app protection as shown in the screenshot above.
A user just have to register and subsequently use the dashboard to upload your apk file and you will get the bangcled apk ready for use.
I tested with a simple Hello World application. Before bangcling this is how the app’s structure will look like.
After uploading the hello world apk to be bangcled the resultant apk will be as shown below:
And the new bangcled application will also have additional permissions. Do take note that the actual hello world had no permissions initially.
The ACall.class file loads the additional libraries, FirstApplication.class file calls the super.onCreate function to initialize the activity and the ApplicationWrapper class subsequently loads the encrypted dex file which will be then be decrypted in the memory by the loaded libraries and finally executed. As it is being decrypted in memory, this makes static analysis of an Bangcled apk hard and tedious.
A more detailed writeup from Virus Bulletin can be found here.
[Reversing Bangcled APK]
In DEFCON 2014, TIM “DIFF” STRAZZERE (@timstrazz) presented and subsequently released the solution to debangcle a bangcled apk.
The full source can be found at his github acct here. Below is his shellscript portion.
# Playdead - Bangcle generic unpacking script
# Tim 'diff' Strazzere <firstname.lastname@example.org>
# Assumptions made:
# - there is only one device running for adb to connect to (target device)
# - folder named framework/ is full of /system/framework/ files from target device
# - target device have root access (emulator is best and verified)
# - target apk is installed
# - target apk is currently running
# - baksmali and smali are located in ~/bin/*
# Works on a year+ old sample and one found as recenty as today (7/16/04)
# Older samples may require a 4.3 or lower device, new samples appear to work on
# 4.4 well
SERVICE_PID=`adb shell ps | grep $PACKAGE | head -1 | tr -s ' ' | cut -d ' ' -f 2`
adb shell su -c cat /proc/$SERVICE_PID/maps | while read line
if [[ $line != */* ]]
MEM_LINE=`echo -n $MEM_LINE | cut -c1-17`
MEMORY_START=`echo -n $MEM_LINE | cut -d'-' -f1`
# Found a candidate
if [[ "$PEEKED" = "$ODEX_MAGIC" ]]
echo `echo -n $MEM_LINE`
retained_return=$(adb shell ls /proc/$SERVICE_PID/task/ | tail -1)
echo $(adb shell su -c /data/local/tmp/gdb --batch --pid $CLONE -ex "dump memory /data/local/tmp/dump.odex 0x$MEMORY_START 0x$MEMORY_END")
echo $(adb shell su -c /data/local/tmp/gdb --batch --pid $CLONE -ex "x/s 0x$MEMORY_START" | cut -d'"' -f2 | cut -c1-8 | tail -1)
if [[ $SERVICE_PID != '' ]]
echo "Attempting to find memory address for $PACKAGE inside $SERVICE_PID"
if [[ $MEM_LINE ]]
echo "Found optimized dex at $MEM_LINE"
MEMORY_START=`echo -n $MEM_LINE | cut -d'-' -f1`
MEMORY_END=`echo -n $MEM_LINE | cut -d'-' -f2`
if [[ $CLONE ]]
echo "Got clone $CLONE attempting to dump memory from 0x$MEMORY_START to 0x$MEMORY_END"
if [[ $blah ]]
echo "Pulling dumped file..."
adb pull /data/local/tmp/dump.odex
adb shell rm /data/local/tmp/dump.odex
java -jar ~/bin/baksmali-2.0.3.jar -x dump.odex -d framework/ -o temp-smali
java -jar ~/bin/smali-2.0.3.jar temp-smali -o debangcled.dex
echo "Cleaning up..."
rm -rf temp-smali/ dump.odex
echo 'Unable to find memory region to dump!'
echo "Unable to find pid for $PACKAGE"
To run his script (in a Linux environment), configure an Android enmulator (using AVD from the Android SDK) and install the bangcled apk in it using adb tools (adb install <bangcled-app.apk>).
Now execute his script after starting the app in the Android emulator. The dex will be decrypted in memory as discussed earlier. The script actually scans the memory in areas where an odex shouldn’t be to detect the magic bytes (“dey\n036”) for the optimized dex file and subsequently dumps out the specific memory portion as an dex file using baksmali. So the end product is an decrypted dex file which can now be analysed 🙂
As the usage of Android increases, more variants and complex malwares are being now detected. As it was in PC malware ecosystem, packers are making inroads into Android now. Bangcle which is a China based Android packer created as a means to protect one’s apk is currently being misused for packing Android malwares making reversing hard.
However, bangcled apks can now be reversed for static analysis thanks to the great work by @timstrazz.
The next writeup will be on an technical teardown of a bangcled apk found in the wild recently.
David Billa (@billa316)