European Symposium on Research in Computer Security

Computer Security -- ESORICS 2015 pp 293-311 | Cite as

DexHunter: Toward Extracting Hidden Code from Packed Android Applications

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9327)


The rapid growth of mobile application (or simply app) economy provides lucrative and profitable targets for hackers. Among OWASP’s top ten mobile risks for 2014, the lack of binary protections makes it easy to reverse, modify, and repackage Android apps. Recently, a number of packing services have been proposed to protect Android apps by hiding the original executable file (i.e., dex file). However, little is known about their effectiveness and efficiency. In this paper, we perform the first systematic investigation on such services by answering two questions: (1) what are the major techniques used by these services and their effects on apps? (2) can the original dex file in a packed app be recovered? If yes, how? We not only reveal their techniques and evaluate their effects, but also propose and develop a novel system, named DexHunter, to extract dex files protected by these services. It is worth noting that DexHunter supports both the Dalvik virtual machine (DVM) and the new Android Runtime (ART). The experimental results show that DexHunter can extract dex files from packed apps effectively and efficiently.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Owasp mobile top 10 risks (2014).
  5. 5.
  6. 6.
    F-droid (2015).
  7. 7.
  8. 8.
  9. 9.
    Apvrille, A., Nigam, R.: Obfuscation in android malware, and how to fight back. In: Virus Bulletin, July 2014Google Scholar
  10. 10.
    Arxan Tech., Inc.: Securing mobile apps in the wild with app hardening and run-time protection (2014).
  11. 11.
  12. 12.
  13. 13.
    Chen, K., Liu, P., Zhang, Y.: Achieving accuracy and scalability simultaneously in detecting application clones on android markets. In: Proceedings of the ACM ICSE (2014)Google Scholar
  14. 14.
    Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison-Wesley, Upper Saddle River (2009)Google Scholar
  15. 15.
    Crussell, J., Gibler, C., Chen, H.: Attack of the clones: detecting cloned applications on android markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  16. 16.
    Crussell, J., Gibler, C., Chen, H.: Scalable semantics-based detection of similar android applications. In: Proceedings of the ESORICS (2013)Google Scholar
  17. 17.
    Davies, J., German, D., Godfrey, M., Hindle, A.: Software bertillonage - determining the provenance of software development artifacts. Empirical Softw. Eng. 18(6), 1195–1237 (2013)CrossRefGoogle Scholar
  18. 18.
    Dredge, S.: Android beats IOS for app downloads, but revenues are still a different story (2015).
  19. 19.
    Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 1–42 (2012)CrossRefGoogle Scholar
  20. 20.
    Frumusanu, A.: A closer look at android runtime (ART) in android LGoogle Scholar
  21. 21.
    Fung, B.: The time a major financial institution was hacked in under 15 minutes (2015).
  22. 22.
    Gartner Inc.: Debunking six myths of app wrapping (2015).
  23. 23.
    Gibler, C., Stevens, R., Crussell, J., Chen, H., Zang, H., Choi, H.: Adrob: examining the landscape and impact of android application plagiarism. In: Proceedings of the ACM MobiSys (2013)Google Scholar
  24. 24.
    Google: Proguard.
  25. 25.
    Google Inc.: ART and DalvikGoogle Scholar
  26. 26.
    Grassi, M.: Reverse engineering, pentesting, and hardening of android appsGoogle Scholar
  27. 27.
    Guo, F., Ferrie, P., Chiueh, T.: A study of the packer problem and its solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 98–115. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  28. 28.
    Halloway, S.: Component Development for the Java Platform. Addison-Wesley, Boston (2002)Google Scholar
  29. 29.
    IDC.: Android and IOS squeeze the competition (2015).
  30. 30.
    Ijiami Inc.:
  31. 31.
    Kang, M., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of WORM (2007)Google Scholar
  32. 32.
    Lookout Inc.: Mobile threats, made to measure (2014).
  33. 33.
    Martignoni, L., Christodorescu, M., Jha, S.: Omniunpack: fast, generic, and safe unpacking of malware. In: Proceedings of the ACSAC (2007)Google Scholar
  34. 34.
    Nigam, R.: Android packers: separating from the pack, June 2014.
  35. 35.
    Park, Y.: We can still crack you! general unpacking method for android packer (no root). In: Proceedings of the Blackhat Asia (2015)Google Scholar
  36. 36.
    Perdisci, R., Lanzi, A., Lee, W.: Classification of packed executables for accurate computer virus detection. Pattern Recogn. Lett. 29(14), 1941–1946 (2008)CrossRefGoogle Scholar
  37. 37.
    Qian, C., Luo, X., Shao, Y., Chan, A.: On tracking information flows through JNI in android applications. In: Proceedings of the IEEE/IFIP DSN (2014)Google Scholar
  38. 38.
    Qian, C., Luo, X., Yu, L., Gu, G.: Vulhunter: towards discovering vulnerabilities in android applications. IEEE Micro 35(1), 44–53 (2015)CrossRefGoogle Scholar
  39. 39.
  40. 40.
    Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the ACM ASIACCS (2013)Google Scholar
  41. 41.
    Roundy, K., Miller, B.: Binary-code obfuscations in prevalent packer tools. ACM Comput. Surv. 46(1), 1–32 (2013)CrossRefGoogle Scholar
  42. 42.
    Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the ACSAC (2006)Google Scholar
  43. 43.
    Sabanal, P.: State of the art: exploring the new android kitkat runtimeGoogle Scholar
  44. 44.
    Schulz, P.: Android security analysis challenge: tampering dalvik bytecode during runtime (2013).
  45. 45.
    Shao, Y., Luo, X., Qian, C., Zhu, P., Zhang, L.: Towards a scalable resource-driven approach for detecting repackaged android applications. In: Proceedings of the ACSAC (2014)Google Scholar
  46. 46.
    Sharif, M., Yegneswaran, V., Saidi, H., Porras, P.A., Lee, W.: Eureka: a framework for enabling static malware analysis. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 481–500. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  47. 47.
    Stewart, J.: Ollybone: semi-automatic unpacking on ia-32 (2006).
  48. 48.
    Strazzere, T.: android-unpacker (2014).
  49. 49.
    Strazzere, T., Sawyer, J.: Android hacker protection level 0 (2014).
  50. 50.
  51. 51.
    Zhang, F., Huang, H., Zhu, S., Wu, D., Liu, P.: Viewdroid: towards obfuscation-resilient mobile application repackaging detection. In: Proceedings of the ACM WiSec (2014)Google Scholar
  52. 52.
    Zheng, M., Lee, P.P.C., Lui, J.C.S.: ADAM: an automatic and extensible platform to stress test android anti-virus systems. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 82–101. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  53. 53.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the ACM CODASPY (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Computing, The Hong Kong Polytechnic University Shenzhen Research InstituteThe Hong Kong Polytechnic UniversityKowloonHong Kong

Personalised recommendations