For this mobile challenge we are giving an APK named ‘Swip3r’. As with the previous APK, we start our analysis by using apktool and loading it up into our emulator in order to get an understanding of the application. We will use Android’s adb tool to install the application. Below are a quick set of screenshot highlighting these steps.

[APK Tool]

[adb install]

[App icon in the emulator]

We will continue by doing some basic dynamic analysis of the application. This will give us a better understanding of what the challenge may require in order to be solved. The app launches with a button that says “Give me the child” Clicking it changes the screen to the character ‘Jared’ with “Your eyes can se so cruel…” on the bottom of the screen. Clicking on the screen doesn’t appear to do anything. As the name of the APK suggest, if we swipe we see that the screen changes to a baby crying with the text “0oo0oopps!: 1”. If we continue swiping the screen in a different direction, we see the text ““0oo0oopps: 2”. Once again swiping increases that number after the text. So it appears that the app tracks the number of times we swipe and as it suggests we are doing something wrong.

[Starting the app]

[Jared appears]

[Crying baby]

At this point we some understanding of the app by performing basic dynamic analysis. Let move to performing some static analysis of the APK structure and see if we find anything interesting.

The AndroidManifest.xml while an important file for APK analysis; this particular app’s manifest reveals nothing interesting. However, if we go into the lib folder we see the following two folders and each of them holds a native library: “libswiipiin.so”. My guess is this is not your typical android library and is a good guess this a custom library.

[Libraries]

At this point we can either load the library on IDA or attempt to decompile the APK’s code using Bytecode Viewer. Why not both?

Let’s start with looking at the decompiled Java code. The application only has 2 classes: MainActivity.class & Swip3r.class. The Swip3r class is rather small and we can see that it sets the title and it starts the activity ‘MainActivity”.

[Swip3r.class]

Let us examine the code in the MainActivity.class. We can quickly see interesting strings we observed from our basic dynamic analysis. We see the app attempts to load the library: ‘swiipiin’. Lastly at the end of the class file we see two native methods being called: ‘wel()’ and ‘well()’. One which takes no parameters and the other takes eight parameters.

[oops strings]

[library loading]

[Native Methods]

At this point we know that app uses the native library with the two native methods. We can focus on finding where these two methods are being used and then moving to analyze the native library methods. The easy crude way is to just copy the decompiled code into Notepad++ and search for these native methods. We find that ‘wel()’ is used once in the OnCreate() method and ‘well()’ is used three times inside the onFling() method. Lastly, we can see that both methods after being called, its return value is being use to display a text.

[wel()]

[well()]

Let’s switch over to IDA for a bit and examine the native library. Under exports we see the native methods we previously found in our decompiled Java code. Examining ARM assembly hurts my eyes more than looking at x86 assembly, but we will attempt to analyze these methods a bit. By looking at the code we can tell that its loading a string “Your eyes can se so cruel” and then returns. If you remember we see this text when we loaded the app in our emulator. It coincides with the fact that this method after being called the return value is used as a string in displaying a text. Looking at the other method ‘well()’ we can see it calls a function (Note: I have renamed this function) ‘well_func1_F8C’. Looking at that function and using IDA’s ‘Xrefs from’ we see it calls ten other functions. If you look at those ten functions most of them have a loop with some sort of bitwise operation, which tells me there is some decoding going on. As I mentioned previously looking at ARM assembly is not as pleasant as x86. Let us try to take another approach and examine the decompiled Java code.

[IDA Exports]

[Xrefs]

[Example Func Loop]

[Example2 Func Loop]

The nice thing about ByteCode Viewer is that you get options from different Java decompilers. For example, if we focus on the ‘OnFling()’ method using JD-GUI decompiler we get a nasty nested while loops. If we choose Procyon decompiler we get a nice set of nested IF…ELSE statements, far better for reading the code. If you copy over the decompile code to Notepad++ makes it easier to collapse code and see a ‘big picture’ of what’s going on.

[Big picture]

A quick Google search will help you understand what is the point of the OnFling() (LINK: https://developer.android.com/reference/android/view/GestureDetector.OnGestureListener.html#onFling(android.view.MotionEvent,%20android.view.MotionEvent,%20float,%20float) ) method as well as its parameters. This will help us understand what we need to do in order to simplify the completion of this challenge. At this point we can break down the code looking at each IF and ELSE IF and determining that values are needed. Starting with the first set of conditional statements we see that the code is checking the values from motionEvent.getY(), motionEvent.getX(), motionEvent2.getY(), motionEvent2.getX(). These values are used to detect a motion on a screen on using the X and Y axis, which in turn detect when the user moves UP, DOWN, LEFT, RIGHT. Inside each conditional statement we see that the app sets several int’s with values that are checked throughout this OnFling() method. Knowing that we want the application to call the native method ‘well()’ we can being analyzing what values should be set with the right swipe motions as well as staying away from the motions that set the values which calls the “0oo0oopps!” message. After studying the code, we can conclude that the right combination is: UP, LEFT, DOWN, RIGHT, UP. Enjoying a handful of Jared pictures the last image holds the key: PAN{jAr3d_sayz_‘swwip3r_!NO!_swipp11nn’}

[Begin]

[UP]

[LEFT]

[DOWN]

[RIGHT]

[UP]

Quick little easter egg if you notice the app has detection for a method ‘onLongPress()’. Hence if you hold down on the screen’s emulator a nice little string comes on top of the screen. This appears to be base64, however is three different base64 strings each of which decode to: https://goo.gl/VgmUUy. Which is a google shorten URL which leads to a YouTube video of the Labyrinth song “Within you – David Bowie 1986” Unfortunately this video has since been removed by Internet gods. Interestingly there were 26 clicks made to this URL all from different countries. Note: the real number is 27, since one click was done during testing. Information about the URL can be found here: https://goo.gl/#analytics/goo.gl/VgmUUy/all_time

[easter-egg]

[url decoded]