Zen - A Complex Campaign of Harmful Android Apps

Explore the intricate world of Android malware in this 38-minute conference talk from the Hack In The Box Security Conference. Delve into the complex "Zen" campaign and other harmful Android apps, uncovering sophisticated techniques used by malware authors to monetize their creations. Learn about root access exploitation, fake Google account generation, click fraud, and spam apps. Discover how these malicious actors circumvent security measures, including CAPTCHA bypass and various persistence mechanisms. Gain insights into the evolution of Android malware, from simple app repackaging to advanced rooting trojans, and understand the challenges posed by improving Android security. Follow along as Łukasz Siewierski, a Reverse Engineer on the Android Security team at Google, breaks down the technical details and presents a timeline of the malware author's creations.

Intro
Repackaging an app and using custom ads
What is a click fraud malware?
Click fraud for everything
Step 1: download and execute exploits
Step 2: enable accessibility services you
Account creation
Phone numbers are supplied by the C&C
Code injection
to get the CAPTCHA image...
and solve it...
and hook internal methods...
and hook a bit more
Obfuscation: DES
Persistence (1): writing to install-recovery.sh
Persistence (II): installing apps in /system
Persistence (1ll): framework modification
Persistence (IV): injecting into
Persistence summary
Timeline of the author's creations