André MOULU

After many years as a pentester for a French IT consulting company, I am currently a security researcher at Quarkslab, specializing in vulnerability research and exploitation on Android and Linux-based systems.

Jan. 2013 - ?

Quarkslab - Paris, France

Security researcher

  • Reverse engineering of proprietary (closed-source) parts of Android systems (bootloader, kernel drivers, ...)
  • Vulnerability research on proprietary Linux systems and set-top boxes (Android 4/5)
  • Vulnerability research on Android flagship devices (Samsung, ...)
  • Trainer on Android security (reverse engineering and app pentesting)
  • Binary patching of Android vulnerabilities for unmaintained devices (Stagefright)
  • Assessment of obfuscated mobile applications (development of a small smali emulator bound to the JEB AST)
  • Forensic analysis
  • Penetration testing
  • ...


Sept. 2010 - Dec. 2012

Sogeti ESEC - Paris, France

Penetration tester (apprenticeship)

  • Internal and external penetration testing
  • Mobile application assessments
  • Reverse engineering of thick-client solutions
  • ...


March 2010 - June 2010

Sysdream - Paris, France

Intern in computer security

  • Forensic analysis
  • Website penetration testing
  • Creation of computer security challenges for a French security event


Computer security

Reverse engineering, vulnerability research, pentesting, software vulnerability exploitation, web vulnerability exploitation, fuzzing, forensic analysis, source code audit, malware analysis, cryptography

Programming

Python, C, x86/ARM assembly, Java, PHP, SQL, Bash, Android apps

Operating Systems

Linux (Debian/Ubuntu), Android, Windows

Networking

Common TCP/UDP protocols, common UNIX/Windows services

Languages

French (mother tongue), English

Jan. 2014 - Jul. 2014

ESIEA engineering school - Paris, France

BADGE Reverse Engineering

BADGE ("Bilan d'Aptitude Délivré par les Grandes Écoles", an assessment of competency issued by the grandes écoles) in reverse engineering, based on 6 months of evening classes.


Master's degree in computer security (apprenticeship)

with honors


2010 - 2011

University Institute of Technology of Amiens - Amiens, France

Bachelor's degree in computer science (apprenticeship)

with honors


2008 - 2010

University Institute of Technology of Amiens - Amiens, France

DUT (Two-year university degree in technology) in computer science

with honors


2008

Jean Racine High-School - Montdidier, France

High school diploma in science

with honors


May 2016

Online article

How to lock the Samsung download mode using an undocumented feature of aboot

This article explains how to lock Samsung's proprietary bootloader (aboot) by disabling download mode. This is done by reverse engineering an undocumented feature and building a custom recovery that lets an end user lock or unlock download mode only when the correct password is provided.


November 2015

Online article

Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2.0)

Analysis of a vulnerability disclosed by Google's Project Zero team and independently discovered at Quarkslab. The vulnerability affected all Android 5 Samsung devices and allowed remote code execution as the system user simply by browsing a website, by downloading an email attachment, or via a malicious third-party application holding no permission. The root cause is a lack of path validation when unzipping a file, allowing directory traversal and arbitrary file overwrites as the system user.
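The root cause above, unvalidated entry names during ZIP extraction ("zip slip"), as an added example that is not code from the article, from Samsung or from the WifiCredService component: the archive is constructed inline with one entry whose name climbs out of the destination, naive_extract() is the vulnerable pattern and safe_extract() the hardened one, which canonicalises every target and rejects the whole archive before writing anything.

```python
"""Zip path traversal ('zip slip'): vulnerable extractor beside a hardened one.
Added example; archive contents and paths are constructed for the demo."""
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Build an archive in memory from {name: content}. Constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: one benign entry and one that escapes the extraction
# directory with '../' components (three levels up from dest).
MALICIOUS = {
    "config/hotspot.conf": "benign content\n",
    "../../../outside/overwritten.txt": "attacker controlled\n",
}


def naive_extract(data, dest):
    """Vulnerable pattern: trusts the entry name and joins it to dest.
    (zipfile.ZipFile.extract() would strip '..'; this deliberately does not,
    to mirror an extractor that writes entry names as-is.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)   # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(data, dest):
    """Hardened: resolve every target first (realpath follows '..' and
    symlinks) and refuse the whole archive if any entry leaves dest,
    so nothing is written on rejection."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("zip entry escapes destination: %r" % info.filename)
            targets.append((info, target))
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
    return [t for _, t in targets]


def escaped(paths, dest):
    """Subset of `paths` that ended up outside dest."""
    root = os.path.realpath(dest)
    return [p for p in paths if os.path.commonpath([root, p]) != root]


def demo():
    """Run both extractors on the malicious archive inside a temp tree
    deep enough that the traversal stays within the temp directory."""
    data = build_zip(MALICIOUS)
    with tempfile.TemporaryDirectory() as top:
        dest = os.path.join(top, "a", "b", "c", "extract")
        os.makedirs(dest)
        naive_out = escaped(naive_extract(data, dest), dest)
        try:
            safe_extract(data, dest)
            rejected = False
        except ValueError:
            rejected = True
        benign = safe_extract(build_zip({"config/hotspot.conf": "ok\n"}), dest)
    return {"naive_escaped": len(naive_out), "safe_rejected": rejected,
            "safe_benign_written": len(benign)}


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by searching the name for "..": that also covers absolute entry names and symlinked parents, and validating all entries before writing avoids leaving a half-extracted archive behind.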


November 2014

Online article

Abusing Samsung KNOX to remotely install a malicious application: Story of a half patched vulnerability

Analysis of a vulnerability discovered at the release of the Samsung Galaxy S5. The vulnerability lies in a Samsung Knox app and allows the installation of an arbitrary application by making the user believe a Samsung Knox update is available. It was silently patched by Samsung just before Mobile Pwn2Own 2014 on the Samsung Galaxy S5, Note 4 and Alpha, but not on older vulnerable devices such as the Ace 4, S4 or Note 3. An exploit was implemented in the Metasploit framework: it installs an arbitrary application when the victim visits a web page and runs it automatically once installed.

Fun fact: this vulnerability was used in episode S02E05 of the "Mr. Robot" TV show.


How to rediscover and exploit the vulnerability of Mobile Pwn2Own Android 2012

The article explains how it was possible, starting from the ZDI security advisory, to rediscover the vulnerability used at Mobile Pwn2Own 2012 and to build an exploit for it. The vulnerability lies in the XML document parsing code of the Polaris Office app, which renders and edits Office files on Samsung Android devices. The article shows how to fuzz the parser with a grammar describing shape tags, how to analyse the resulting crashes, and finally how to exploit the vulnerability with ROP. The end result is a "polyglot file" exploit that is at once an Android application (APK), a legitimate Word file (docx) and a bash shell script, and which executes arbitrary code when opened by Polaris Office on a vulnerable Samsung Galaxy S3.
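Why one file can be an APK, a docx and a shell script at the same time: APK and docx are both ZIP containers, and ZIP readers locate the central directory from the end-of-central-directory record at the end of the file, so bytes prepended to an archive are ignored by the ZIP parser (Python's zipfile re-bases the offsets it finds), while a shell reads the same file from the top and stops at `exit` before reaching the archive bytes. The following is an added example of that container property and not the exploit from the article; the script prefix and the two docx-like entries are constructed stand-ins, not a real APK or a complete Word document.

```python
"""A ZIP container that is also a shell script (polyglot). Added example;
the script and the archive entries are constructed for the demo."""
import io
import os
import subprocess
import tempfile
import zipfile

# Constructed script prefix: print a marker, then exit before the ZIP bytes.
SCRIPT_HEAD = b"#!/bin/sh\necho polyglot-script-ran\nexit 0\n"

# Constructed stand-in for an Office container (a real docx has more parts).
DOCX_LIKE = {
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:body/></w:document>",
}


def build_zip(entries):
    """Build an archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_polyglot(script_head, archive):
    """Script first, archive last: each parser starts where it expects.
    The prefix must end with a newline so the archive bytes begin on a
    line the shell never reads."""
    assert script_head.endswith(b"\n")
    return script_head + archive


def read_entries(blob):
    """Parse blob as a ZIP; returns {name: bytes}. zipfile computes the
    prepended-data offset from the end-of-central-directory record."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist()}


def prefix_length(blob):
    """Bytes the ZIP reader had to skip: the first local file header
    signature ('PK\\x03\\x04') is not at offset 0 in a polyglot."""
    return blob.find(b"PK\x03\x04")


def run_as_shell(blob):
    """Write the blob to a file and run it with sh; returns stdout."""
    with tempfile.NamedTemporaryFile(suffix=".sh", delete=False) as f:
        f.write(blob)
        path = f.name
    try:
        out = subprocess.run(["sh", path], capture_output=True, timeout=10)
        return out.stdout.decode(errors="replace").strip()
    finally:
        os.unlink(path)


def demo():
    """Same bytes, three views: ZIP entries, skipped prefix, shell output."""
    blob = make_polyglot(SCRIPT_HEAD, build_zip(DOCX_LIKE))
    return {
        "entries": read_entries(blob),
        "skipped": prefix_length(blob),
        "shell": run_as_shell(blob),
    }


if __name__ == "__main__":
    print(demo())
```

Not every ZIP reader tolerates a non-zero prefix; whether a given consumer (an Office app, a package installer) accepts such a file is exactly what has to be verified against the target, as the article did for Polaris Office and the Android installer.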


September 2013

Misc Magazine - n° 69

Linux Kernel PERF_EVENTS local root - analysis and exploitation

Analysis of CVE-2013-2094, a vulnerability in the PERF_EVENTS subsystem of the Linux kernel from version 2.6.37 to 3.8.8 (and from 2.6.32 on CentOS systems), and how to exploit it on the x86/x86_64 and ARM architectures.


Android OEM’s applications (in)security and backdoors without permission

Study of the Samsung customisations/overlay

Presentation of the results of a security study I conducted on the Samsung overlay (customisations) of the Samsung Galaxy S3. The stock ROM ships more than 200 apps, most of them developed by Samsung. The presentation focuses on how to find vulnerabilities in Samsung applications and how to chain them to build a backdoor that takes control of the smartphone (with system uid privileges) without requesting any permission. A dozen vulnerabilities were reported to Samsung.


State of the art of reverse engineering techniques for the Android platform

Presentation of the existing static and dynamic analysis techniques for Android apps, from Dalvik bytecode to native code, and of how to automate analysis (for example with Androguard).


July 2012

Online article

From 0 perm app to INSTALL_PACKAGES on Samsung Galaxy S3

Analysis and exploitation of a vulnerability in the Kies application of the Samsung Galaxy S3. The vulnerability was located in the restore system of Kies. By chaining multiple vulnerabilities, an unprivileged third-party application (requesting 0 permissions) could force the installation of an arbitrary application transparently and without any user interaction.


2013 - ?

HITB, MSc in computer security at CFA AFTI, Specialized Master in computer security at ESIEA, and various industrial groups.

Training on Android security

Reverse engineering techniques and app pentesting

I regularly give training to students and professionals on Android security, more precisely on reverse engineering techniques, malware analysis and finding vulnerabilities in apps.


Sport

I like running.

Cats

Everyone knows the Internet was invented to help people share pictures of cats. I try to collect the good ones at http://sh4ka.cat.

CTF / Computer security challenges

In the past, I was very active in CTFs (Capture The Flag, team-based 24/48-hour security contests) with the teams Nibbles and CoP. We took part in numerous CTFs such as DEF CON, Hack.lu, PlaidCTF, Codegate, HITB AMS, GITS, CSAW, ... Though I have been less active recently, I am still interested in new challenges.