Instrumenting system applications on Android stock images presented at Recon 2022

by Vitor Ventura

Summary: Android has the largest install base in the mobile landscape, and with it come many vendors and telecom operators that install system applications on stock images. These are usually background applications running with high privileges, which the user can't uninstall and in some cases can't even disable. A reverser can get the source code of these applications and do static analysis, but dynamic analysis is a different story: these are applications running on stock images, which often don't have an initial activity that actually begins executing their main code. Using Google Play Protect Services as a demo application, I will show how system applications can be instrumented with Frida for analysis on stock images, with as few changes to the images as possible. The presentation will cover the several approaches tried, what their limitations were and why they ultimately failed for my purpose. The different approaches may work differently depending on the application and the Android version, so even though they didn't work for Google Play Protect Services, they still represent interesting techniques that can be applied in other contexts. The presentation will culminate in the approach that actually made it possible for me to instrument Google Play Protect Services and perform dynamic analysis of it, which also opens the door for future research on the Google Play Protect Services application itself.