Abstract
As the techniques for Android malware detection are progressing, malware also fights back through deploying advanced code encryption with the help of Android packers. An effective Android malware detection therefore must take the unpacking issue into consideration to prove the accuracy. Unfortunately, this issue is not easily addressed. Android packers often adopt multiple complex anti-analysis defenses and are evolving frequently. Current unpacking approaches are either based on manual efforts, which are slow and tedious, or based on coarse-grained memory dumping, which are susceptible to a variety of anti-monitoring defenses.
This paper conducts a systematic study on existing Android malware which is packed. A thorough investigation on 37,688 Android malware samples is conducted to take statistics of how widespread are those samples protected by Android packers. The anti-analysis techniques of related commercial Android packers are also summarized. Then, we propose AppSpear, a generic and fine-grained system for automatically malware unpacking. Its core technique is a bytecode decrypting and Dalvik executable (DEX) reassembling method, which is able to recover any protected bytecode effectively without the knowledge of the packer. AppSpear directly instruments the Dalvik VM to collect the decrypted bytecode information from the Dalvik Data Struct (DDS), and performs the unpacking by conducting a refined reassembling process to create a new DEX file. The unpacked app is then available for being analyzed by common program analysis tools or malware detection systems. Our experimental evaluation shows that AppSpear could sanitize mainstream Android packers and help detect more malicious behaviors. To the best of our knowledge, AppSpear is the first automatic and generic unpacking system for current commercial Android packers.
This work is partially supported by the National Key Technology Research and Development Program of China under Grants No. 2012BAH46B02, the National Science and Technology Major Projects of China under Grant No. 2012ZX03002011, and the Technology Project of Shanghai Science and Technology Commission under Grants No. 13511504000 and No. 15511103002.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
An APK Fake Encryption Sample. https://github.com/blueboxsecurity/DalvikBytecodeTampering
\(\mathbf{API_{-}permissions.py}\) in AndroGuard. https://github.com/androguard/androguard/blob/master/androguard/core/bytecodes/api_permissions.py
AVL Malware Report (2014). http://blog.avlyun.com/2015/02/2137/malware-report/
libdex/DexFile.h - platform/dalvik - Git at Google. https://android.googlesource.com/platform/dalvik/+/android-4.4.2_r2/libdex/DexFile.h
SandDroid - An automatic Android application analysis system. http://sanddroid.xjtu.edu.cn/
Apvrille, A.: Playing Hide and Seek with Dalvik Executables. Hacktivity (2013)
Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K., CERT Siemens: Drebin: Effective and explainable detection of android malware in your pocket. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 21st (2014)
Bilge, L., Lanzi, A., Balzarotti, D.: Thwarting real-time dynamic unpacking. In: Proceedings of European Workshop on System Security, 4th (2011)
Böhne, L.: Pandoras bochs: Automatic unpacking of malware. PhD thesis, University of Mannheim (2008)
Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices (2011)
Crussell, J., Gibler, C., Chen, H.: AnDarwin: scalable detection of semantically similar android applications. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 182–199. Springer, Heidelberg (2013)
Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (2012)
Guo, F., Ferrie, P., Chiueh, T.: A study of the packer problem and its solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 98–115. Springer, Heidelberg (2008)
Hu, W.: Guess Where I am: Detection and Prevention of Emulator Evading on Android. HITCON (2014)
Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of the 5th ACM Workshop on Recurring Malcode (2007)
Martignoni, L., Christodorescu, M., Jha, S.: Omniunpack: fast, generic, and safe unpacking of malware. In: Proceedings of the 23rd Computer Security Applications Conference (2007)
Park, Y.: We can still crack you! general unpacking method for android packer (not root). In: Black Hat Asia (2015)
Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the 7th European Workshop on System Security (EuroSec) (2014)
Rasthofer, S., Arzt, S., Miltenberger, M., Bodden, E.: Harvesting runtime data in android applications for identifying malware and enhancing code analysis. Technical report (2015)
Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the 22nd Computer Security Applications Conference (2006)
Schulz, P., Matenaar, F.: Android reverse engineering and defenses. http://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf
Sharif, M., Yegneswaran, V., Saidi, H., Porras, P.A., Lee, W.: Eureka: a framework for enabling static malware analysis. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 481–500. Springer, Heidelberg (2008)
Strazzere, T.: Dex Education: Practicing Safe Dex. Black Hat, USA (2012)
Strazzere, T.: Dex education 201: anti-emulation. HITCON (2013)
Strazzere, T., Sawyer, J.: ANDROID HACKER PROTECTION LEVEL 0. DEF CON 22 (2014)
Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: Proceedings of IEEE Symposium on Security and Privacy 36th (2015)
Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In Proceedings of ACM symposium on Information, computer and communications security, 9th (2014)
Yu, R.: Android packers: facing the challenges, building solutions. In: Proceedings of the 24th Virus Bulletin International Conference (2014)
Zhang, Y., Luo, X., Yin, H.: Dexhunter: toward extracting hidden code from packed android applications. In: Proceedings ESORICS (2015)
Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, get off of my market: detecting malicious apps in official and alternative android markets. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS) (2012)
Acknowledgments
We would like to thank our shepherd, Elias Athanasopoulos, and the anonymous reviewers for their insightful comments that greatly helped improve the manuscript of this paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Yang, W. et al. (2015). AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_17
Download citation
DOI: https://doi.org/10.1007/978-3-319-26362-5_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5
eBook Packages: Computer ScienceComputer Science (R0)