AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware

  • Wenbo YangEmail author
  • Yuanyuan Zhang
  • Juanru Li
  • Junliang Shu
  • Bodong Li
  • Wenjun Hu
  • Dawu Gu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9404)


As the techniques for Android malware detection are progressing, malware also fights back through deploying advanced code encryption with the help of Android packers. An effective Android malware detection therefore must take the unpacking issue into consideration to prove the accuracy. Unfortunately, this issue is not easily addressed. Android packers often adopt multiple complex anti-analysis defenses and are evolving frequently. Current unpacking approaches are either based on manual efforts, which are slow and tedious, or based on coarse-grained memory dumping, which are susceptible to a variety of anti-monitoring defenses.

This paper conducts a systematic study on existing Android malware which is packed. A thorough investigation on 37,688 Android malware samples is conducted to take statistics of how widespread are those samples protected by Android packers. The anti-analysis techniques of related commercial Android packers are also summarized. Then, we propose AppSpear, a generic and fine-grained system for automatically malware unpacking. Its core technique is a bytecode decrypting and Dalvik executable (DEX) reassembling method, which is able to recover any protected bytecode effectively without the knowledge of the packer. AppSpear directly instruments the Dalvik VM to collect the decrypted bytecode information from the Dalvik Data Struct (DDS), and performs the unpacking by conducting a refined reassembling process to create a new DEX file. The unpacked app is then available for being analyzed by common program analysis tools or malware detection systems. Our experimental evaluation shows that AppSpear could sanitize mainstream Android packers and help detect more malicious behaviors. To the best of our knowledge, AppSpear is the first automatic and generic unpacking system for current commercial Android packers.


Code protection Android malware DEX reassembling 



We would like to thank our shepherd, Elias Athanasopoulos, and the anonymous reviewers for their insightful comments that greatly helped improve the manuscript of this paper.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
    SandDroid - An automatic Android application analysis system.
  6. 6.
    Apvrille, A.: Playing Hide and Seek with Dalvik Executables. Hacktivity (2013)Google Scholar
  7. 7.
    Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K., CERT Siemens: Drebin: Effective and explainable detection of android malware in your pocket. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 21st (2014)Google Scholar
  8. 8.
    Bilge, L., Lanzi, A., Balzarotti, D.: Thwarting real-time dynamic unpacking. In: Proceedings of European Workshop on System Security, 4th (2011)Google Scholar
  9. 9.
    Böhne, L.: Pandoras bochs: Automatic unpacking of malware. PhD thesis, University of Mannheim (2008)Google Scholar
  10. 10.
    Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices (2011)Google Scholar
  11. 11.
    Crussell, J., Gibler, C., Chen, H.: AnDarwin: scalable detection of semantically similar android applications. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 182–199. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  12. 12.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (2012)Google Scholar
  13. 13.
    Guo, F., Ferrie, P., Chiueh, T.: A study of the packer problem and its solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 98–115. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  14. 14.
    Hu, W.: Guess Where I am: Detection and Prevention of Emulator Evading on Android. HITCON (2014)Google Scholar
  15. 15.
    Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of the 5th ACM Workshop on Recurring Malcode (2007)Google Scholar
  16. 16.
    Martignoni, L., Christodorescu, M., Jha, S.: Omniunpack: fast, generic, and safe unpacking of malware. In: Proceedings of the 23rd Computer Security Applications Conference (2007)Google Scholar
  17. 17.
    Park, Y.: We can still crack you! general unpacking method for android packer (not root). In: Black Hat Asia (2015)Google Scholar
  18. 18.
    Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the 7th European Workshop on System Security (EuroSec) (2014)Google Scholar
  19. 19.
    Rasthofer, S., Arzt, S., Miltenberger, M., Bodden, E.: Harvesting runtime data in android applications for identifying malware and enhancing code analysis. Technical report (2015)Google Scholar
  20. 20.
    Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the 22nd Computer Security Applications Conference (2006)Google Scholar
  21. 21.
    Schulz, P., Matenaar, F.: Android reverse engineering and defenses.
  22. 22.
    Sharif, M., Yegneswaran, V., Saidi, H., Porras, P.A., Lee, W.: Eureka: a framework for enabling static malware analysis. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 481–500. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  23. 23.
    Strazzere, T.: Dex Education: Practicing Safe Dex. Black Hat, USA (2012) Google Scholar
  24. 24.
    Strazzere, T.: Dex education 201: anti-emulation. HITCON (2013)Google Scholar
  25. 25.
    Strazzere, T., Sawyer, J.: ANDROID HACKER PROTECTION LEVEL 0. DEF CON 22 (2014)Google Scholar
  26. 26.
    Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: Proceedings of IEEE Symposium on Security and Privacy 36th (2015)Google Scholar
  27. 27.
    Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In Proceedings of ACM symposium on Information, computer and communications security, 9th (2014)Google Scholar
  28. 28.
    Yu, R.: Android packers: facing the challenges, building solutions. In: Proceedings of the 24th Virus Bulletin International Conference (2014)Google Scholar
  29. 29.
    Zhang, Y., Luo, X., Yin, H.: Dexhunter: toward extracting hidden code from packed android applications. In: Proceedings ESORICS (2015)Google Scholar
  30. 30.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, get off of my market: detecting malicious apps in official and alternative android markets. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS) (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Wenbo Yang
    • 1
    Email author
  • Yuanyuan Zhang
    • 1
  • Juanru Li
    • 1
  • Junliang Shu
    • 1
  • Bodong Li
    • 1
  • Wenjun Hu
    • 2
    • 3
  • Dawu Gu
    • 1
  1. 1.Computer Science and Engineering DepartmentShanghai Jiao Tong UniversityShanghaiChina
  2. 2.Xi’an Jiaotong UniversityXi’anChina
  3. 3.Palo Alto NetworksSingaporeSingapore

Personalised recommendations