YoVDO

Hiding Behind Android Runtime - ART

Offered By: Black Hat via YouTube

Course Description

Overview

Explore advanced techniques for creating user mode rootkits in Android by leveraging the Android Runtime (ART) in this Black Hat conference talk. Dive deep into ART internals, examining file formats and mechanisms crucial for rootkit development. Learn how to circumvent modern Android security measures like verified boot by shifting focus from kernel mode to user mode. Discover methods for crafting rootkits, including what to modify, where to locate targets, and how to implement changes. Gain insights into persistence techniques and understand the limitations of this approach. Witness a live demonstration of an ART rootkit in action. Ideal for security researchers and Android developers seeking to enhance their understanding of potential vulnerabilities in the Android ecosystem.

Syllabus

Intro
Motivation
Background
Compilation
Quick Backend
Portable backend
Boot image
Layout
ART Image Header
OAT File
OAT Header
OAT Class Header
OAT Quick Method Header
Approach
Advantages
Persistence
Replacing framework code
Replacing app code
Limitations
Conclusion


Taught by

Black Hat
