Android on Qtnes

BotConf 2026 Android Workshop: A Practical Android Malware Analysis Playbook

Wed, 22 Apr 2026 00:00:00 +0000

Overview

The BotConf 2026 Android workshop was not a bag of random “look how clever this sample is” tricks. It was a workflow: learn how the APK is put together, figure out where the malware is hiding, watch what it does at runtime, and then automate the boring rabbit chase once the pattern starts repeating.

That progression matters. A lot of Android reversing goes sideways because the analyst dives straight into strings or decompilation and never gets the bigger picture. This workshop does the opposite and treats the whole stack as layered:

7 - The Mole: Reconstructing an Android Malware Beacon from a PCAP

Fri, 17 Apr 2026 00:00:00 +0000

Overview

The Mole was an Android malware challenge built around a single artifact: a PCAP. From that capture alone, the goal was to reconstruct the infection chain, recover the device token, derive the bot token, and finally reach the flag endpoint.

What made this one interesting is that the network trace already contained the important pivots. The APK was not provided up front, but the traffic exposed enough structure to rebuild the dropper’s behavior and the C2 flow.

8 - Pizzeria: Prompt Injection Against an Android LLM Agent

Fri, 17 Apr 2026 00:00:00 +0000

Overview

Pizzeria looked like a simple Android food-ordering app, but the backend was doing something much more interesting: it was running an LLM agent with tool access.

The challenge was to move from a normal order request to a tool call that would reveal the flag. The path there was a good example of how brittle keyword filtering becomes once an LLM is exposed to attacker-controlled input.

Recon

Decompiling the APK showed three useful pieces immediately.

5 - MediterraneanPotions: Decrypting a Flutter App's Encrypted Database

Thu, 16 Apr 2026 00:00:00 +0000

Overview

MediterraneanPotions was a Flutter challenge built around a single encrypted asset: potions.hive, a Hive key-value database where every record was AES-CBC encrypted. The AES key was hardcoded in the app’s native Dart binary. The Hive frame format embedded a per-record IV.

The challenge was to find the key, understand the binary format, and decrypt all records.

First Impressions

The APK was a Flutter application. That changed the decompilation landscape immediately: the main application logic was compiled into libapp.so as native Dart code, not Java bytecode. JADX produced almost nothing useful beyond the Android framework glue.

6 - DeadDrop: Emulating an MQTT Bot to Recover a Flag

Thu, 16 Apr 2026 00:00:00 +0000

Overview

DeadDrop presented an Android malware sample that used MQTT as its C2 channel, with RC4 encryption on every message. The challenge was to reverse the network protocol, recover the broker credentials and encryption keys from the APK, and then write a bot emulator that could register a fake device and trigger flag delivery.

Decoding the Config

The APK’s Cfg.java class stored all configuration values as Base64-encoded strings. This is a minimal evasion technique — strings won’t appear in a naive grep for IP addresses or credentials — but a single Base64 decode reveals everything:

3 - Smoke: Bypassing StringFog and Decoding a Custom String Cipher

Wed, 15 Apr 2026 00:00:00 +0000

Overview

Smoke was a StringFog challenge. StringFog is an open-source Android string obfuscation tool that transforms every string literal in the bytecode into an encrypted hex payload, decoded on demand by a runtime method injected into the class. The goal is to make static analysis significantly harder: decompiling the APK produces no human-readable strings, only opaque calls like AbstractC0006a5.o("e30385842152b38cc3ab85").

The challenge used a custom variant of StringFog with its own cipher. The goal was to identify the encryption algorithm, port it to Python, and bulk-decrypt all string payloads in the decompiled source tree to find the flag.

4 - Handshake: Breaking AES-CBC via IV Recovery and CBC Malleability

Wed, 15 Apr 2026 00:00:00 +0000

Overview

Handshake was a cryptography challenge disguised as a network one. The APK connected to a mutual TLS C2 server, logged in with hardcoded credentials, and received an AES-CBC-encrypted flag. The AES key was in the APK. The IV was not.

Everything needed to decrypt the flag was recoverable, but it required understanding how CBC block chaining works and exploiting the fact that one of the two ciphertext blocks behaves independently of the IV.

1 - GhostMode: Reversing a Native Android CTF Library

Tue, 14 Apr 2026 00:00:00 +0000

Overview

GhostMode was the workshop’s first foray into native code. The APK itself was thin — the interesting logic lived entirely in libctflib.so, a stripped ELF64 shared library loaded at runtime. The challenge name already telegraphed the approach: you were not meant to find the flag through static analysis alone.

The fake flag was there to remind you of that.

First Look — The Stub and the Taunt

Decompiling the APK with JADX produced a small FlagManager class with a single JNI method:

2- ThePackage: Unpacking a Runtime-Loaded DEX

Tue, 14 Apr 2026 00:00:00 +0000

Overview

ThePackage introduced a classic Android evasion technique: DEX-in-DEX packing. The APK delivered to the user contains nothing interesting in its primary classes.dex. The actual application logic — including the flag — lives in a secondary DEX that is encrypted inside the assets directory and only loaded at runtime.

The goal was to find the decryption key, extract the hidden DEX, and recover the flag from the decrypted classes.

The Stub APK

Opening ThePackage.apk with JADX immediately felt wrong. The package structure was sparse, class names were generic, and there were no obvious flag-related strings. The main activity was minimal. This is the hallmark of a packing stub: the visible DEX exists only to bootstrap the real application.