The ‘Night City’ black market is powered by ‘Droidcoin’. An anonymous crypto-currency. The rogue androids seem to have hacked the ‘Night City’ ISP ‘PWNcast’. With that access, they are pushing malware that will steal the users’ Droidcoins. This will fund their operations and we can’t have that.

Analyze this sample and find the configuration file so we can locate their command-and-control server.

Local players can turn in this flag at the ACNR-booth for swag and streetcred! Download: DroidCoinStealer.apk

DroidCon was a 500-point reversing question in SEC-T CTF. It's an APK that uses a native C library. The CTF had an amazing website and theme: “You are a part of a hacker-crew dispatched to ‘Night City’. The mission is to stop an uprising started by a few androids gone rogue”.

My reaction on seeing an APK was to use apktool to decompile it and check out what’s happening inside.

root@ctf-VirtualBox:/home/ctf/secctf# apktool d DroidCoinStealer.apk -f
02:11:59 up 15:25, 5 users, load average: 1.32, 0.93, 0.66
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ctf tty7 :0 Thu07 18:22m 6:35 0.47s /sbin/upstart --user
ctf pts/5 tmux(3420).%0 Thu07 3:26m 0.14s 3.68s tmux
ctf pts/6 tmux(3420).%1 Thu07 3:30m 0.08s 3.68s tmux
ctf pts/12 tmux(3420).%2 Thu07 3:29m 0.10s 3.68s tmux
ctf pts/23 tmux(3420).%3 22:46 5.00s 0.11s 3.68s tmux
I: Using Apktool 2.0.2-dirty on DroidCoinStealer.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/apktool/framework/1.apk
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x00000001
I: Loading resource table from file: /root/apktool/framework/1.apk
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x00000010
I: Loading resource table from file: /root/apktool/framework/1.apk
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x00000001
I: Loading resource table from file: /root/apktool/framework/1.apk
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x00000010
Exception in thread "main" java.lang.NullPointerException
    at java.io.Writer.write(Writer.java:157)
    at brut.androlib.res.util.ExtMXSerializer.writeAttributeValue(ExtMXSerializer.java:38)
    at org.xmlpull.mxp1_serializer.MXSerializer.attribute(MXSerializer.java:696)
    at org.xmlpull.v1.wrapper.classic.XmlSerializerDelegate.attribute(XmlSerializerDelegate.java:106)
    at org.xmlpull.v1.wrapper.classic.StaticXmlSerializerWrapper.writeStartTag(StaticXmlSerializerWrapper.java:267)
    at org.xmlpull.v1.wrapper.classic.StaticXmlSerializerWrapper.event(StaticXmlSerializerWrapper.java:211)
    at brut.androlib.res.decoder.XmlPullStreamDecoder$1.event(XmlPullStreamDecoder.java:83)
    at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:141)
    at brut.androlib.res.decoder.XmlPullStreamDecoder.decodeManifest(XmlPullStreamDecoder.java:153)
    at brut.androlib.res.decoder.ResFileDecoder.decodeManifest(ResFileDecoder.java:140)
    at brut.androlib.res.AndrolibResources.decodeManifestWithResources(AndrolibResources.java:199)
    at brut.androlib.Androlib.decodeManifestWithResources(Androlib.java:140)
    at brut.androlib.ApkDecoder.decode(ApkDecoder.java:100)
    at brut.apktool.Main.cmdDecode(Main.java:165)
    at brut.apktool.Main.main(Main.java:81)

It somehow crashes apktool itself. Later I tried to do it with an online Java decompiler.
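An APK is a ZIP archive, so the DEX code, the native library and any bundled files can still be inventoried when apktool dies while decoding the manifest. The sketch below is an added example, not part of the original write-up: it classifies entries by their magic bytes without parsing the manifest at all. The helper names and the sample archive contents are constructed for illustration and are not the contents of DroidCoinStealer.apk.

```python
import io
import zipfile

# Leading bytes used to classify entries by content rather than by file name.
MAGICS = {
    b"\x7fELF": "elf",            # native library, normally lib/<abi>/*.so
    b"dex\n": "dex",              # Dalvik bytecode, normally classes*.dex
    b"\x03\x00\x08\x00": "axml",  # compiled binary XML (AndroidManifest.xml)
    b"\x02\x00\x0c\x00": "arsc",  # resource table (resources.arsc)
}

def classify(head: bytes) -> str:
    """Map the first four bytes of an entry to a coarse file kind."""
    for magic, kind in MAGICS.items():
        if head.startswith(magic):
            return kind
    return "other"

def triage_apk(apk) -> dict:
    """apk is a path or a binary file object; returns entry names grouped by kind."""
    report = {kind: [] for kind in list(MAGICS.values()) + ["other"]}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:  # only the header is read, nothing is decoded
                report[classify(fh.read(4))].append(info.filename)
    return report

def candidate_configs(report: dict) -> list:
    """assets/ and res/raw/ hold files shipped verbatim, so check them first."""
    return [n for n in report["other"] if n.startswith(("assets/", "res/raw/"))]

def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in archive so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/armeabi/libexample.so", b"\x7fELF\x01\x01\x01")
        zf.writestr("assets/example.cfg", b"constructed placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    print(result)
    print(candidate_configs(result))
```

Anything listed under `elf` can then go to a disassembler and anything under `dex` to a DEX decompiler, independent of whether the manifest decodes.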