CodeInspect @DroidCon

CodeInspect will be presented at the 7th edition of DroidCon in Berlin. Droidcon is a global developer conference series and a network focusing on the best of Android. Our talk “DISMANTLING DROIDS FOR BREAKFAST – THE CURRENT STATE OF APP REVERSE ENGINEERING” is aimed at Software Engineers as well as Security Experts.

Looking forward for an interesting conference with lot’s of “droid-talks”.

An Investigation of the Android/BadAccents Malware

BadAccents Malware

Earlier this year, we reported on the Korean threat we identified in collaboration with McAfee Mobile Research. We have now released a technical report describing in detail the Android/BadAccents malware. Furthermore, we also describe a new tapjacking attack (also reported earlier this year) the malware exploited.

The technical report also describes the fix we submitted to the Android Security Team in January this year. Until now (approximately 4 month later), the official AOSP still doesn’t include the fix, meaning likely all Android versions are still vulnerable. Unfortunately, there is no real protection-mechanism for the user against this attack. A general recommendation from our side is the installation of apps from the official app stores and the usage of anti-virus applications (many AV vendors already detect this malware family).

First Android Hacking Event @SSE – A short summary


On 17th of march, we organized our first Android Hacking event. Our participants (a mix of students, security researchers, PhD-students and Post-Docs) had to solve various Android-based challenges on different levels of complexity. Each challenge involved reverse-engineering a specific application without access to the app’s source code – similar to what malware analysts need to accomplish in their daily jobs. Inside these apps, passwords needed to be found, key checking algorithms needed to be understood, and hidden functionality had to be discovered. To accomplish this task, the participants were using different analysis techniques including debugging, decompilation, and fuzzing.

The event was not only great fun for  both the participants and the organizers, but also allowed us to provide free CodeInspect licenses for the day, to be used and tested on the challenges. We were very satisfied with the feedback we got on the tool – we’re making rapid progress towards a stable product. Stay tuned for commercial CodeInspect offerings. In the meantime, our free beta program is still running.

At almost midnight, the winners of the challenges were finally found: Andreas Wittmann, Max Weller and Daniel Magin scored best. Congratulations from the Android team @ SSE.

Continue reading