Empirical Analysis on the Use of Dynamic Code Updates in Android and Its Security Implications

  • Maqsood AhmadEmail author
  • Bruno Crispo
  • Teklay Gebremichael
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


Dynamic code update techniques, such as reflection and dynamic class loading (DCL), enable an application (app) to change its behavior at runtime. These techniques are heavily used in Android apps for extensibility. However, malware developers misuse these techniques to conceal malicious functionality, bypass static analysis tools and expose the malicious functionality only when the app is installed and run on a user’s device. Although, the use of these techniques alone may not be sufficient to bypass analysis tools, it is the use of reflection/DCL APIs with obfuscated parameters that makes the state-of-art static analysis tools for Android unable to infer the correct behavior of the app. To understand the current trends in real apps, it is important to perform a study on the sources of the parameters used in reflection/DCL APIs. In this paper, we describe how malicious apps bypass analysis tools using reflection/DCL with parameters provided by sources, such as network, files, encrypted strings, etc., which are hard to analyze statically. We further develop a tool to analyze a dataset of 3,645 real world malware samples and 16,528 benign apps in order to investigate the sources of the parameters used in reflection/DCL APIs. The results of our analysis indicate the presence of such programming practices in both legitimate and malicious apps. However, malicious apps tend to obfuscate the parameters of reflection/DCL APIs more often. The use of Crypto related APIs as sources of the parameters of reflection/DCL APIs is significantly higher in malicious apps, which endorses the fact that malicious apps try to thwart static analysis tools.


Android malware Reflection Dynamic class loading 


  1. 1.
    2015 mobile threat report published by the pulse secure mobile threat center (MTC).
  2. 2.
    AndroGuard: Reverse engineering, malware and goodware analysis of Android applications.
  3. 3.
  4. 4.
    Contagio Mobile Malware Mini Dump. http://www.
  5. 5.
    Dexguard: The most advanced security software for android applications.
  6. 6.
    F-Droid – Android market.
  7. 7.
    Google Play – Android official market.
  8. 8.
    Number of available applications in the Google Play Store from December 2009 to July 2015.
  9. 9.
    Virustotal - free online malware and url scanner.
  10. 10.
    Smartphone OS Market Share, 2015 Q2 (2015).
  11. 11.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 259–269 (2014)Google Scholar
  12. 12.
    Bodden, E., Sewe, A., Sinschek, J., Oueslati, H., Mezini, M.: Taming reflection: aiding static analysis in the presence of reflection and customclass loaders. In: Proceedings of the 33rd International Conference on Software Engineering, pp. 241–250. ACM (2011)Google Scholar
  13. 13.
    Callaham, J.: Google says there are now 1.4 billion active Android devices worldwide (2015).
  14. 14.
    Canfora, G., Mercaldo, F., Moriano, G., Visaggio, C.A.: Composition-malware: building android malware at run time. In: 2015 10th International Conference on Availability, Reliability and Security (ARES), pp. 318–326. IEEE (2015)Google Scholar
  15. 15.
    Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise analysis of string expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003). doi: 10.1007/3-540-44898-5_1 CrossRefGoogle Scholar
  16. 16.
  17. 17.
    Falsina, L., Fratantonio, Y., Zanero, S., Kruegel, C., Vigna, G., Maggi, F.: Grab’n run: secure and practical dynamic code loading for android applications. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 201–210. ACM (2015)Google Scholar
  18. 18.
    Fuchs, A.P., Chaudhuri, A., Foster, J.S.: Scandroid: automated security certification of android applications, 2(3). Univ. of Maryland (2009).
  19. 19.
    Hirzel, M., Dincklage, D.V., Diwan, A., Hind, M.: Fast online pointer analysis. ACM Trans. Program. Lang. Syst. (TOPLAS) 29(2), 11 (2007)CrossRefGoogle Scholar
  20. 20.
    Hoffmann, J., Ussath, M., Holz, T., Spreitzenbarth, M.: Slicing droids: program slicing for smali code. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, pp. 1844–1851 (2013)Google Scholar
  21. 21.
    Li, L., Bartel, A., Bissyande, T.F.D.A., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., McDaniel, P.: IccTA: detectinginter-component privacy leaks in android apps. In: 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (ICSE 2015) (2015)Google Scholar
  22. 22.
    Livshits, B., Whaley, J., Lam, M.S.: Reflection analysis for Java. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 139–160. Springer, Heidelberg (2005). doi: 10.1007/11575467_11 CrossRefGoogle Scholar
  23. 23.
    Poeplau, S., Fratantonio, Y., Bianchi, A., Kruegel, C., Vigna, G.: Executethis! analyzing unsafe and malicious dynamic code loading in android applications (2014)Google Scholar
  24. 24.
    Polkovnichenko, A., Boxiner, A.: Braintest - a new level of sophistication in mobile malware. Technical report, Check Point Technologies LtdGoogle Scholar
  25. 25.
    Wei, F., Roy, S., Ou, X., et al.: Amandroid: a precise and generalinter-component data flow analysis framework for security vetting of androidapps. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1341. ACM (2014)Google Scholar
  26. 26.
    Wognsen, E.R., Karlsen, H.S., Olesen, M.C., Hansen, R.R.: Formalisation andanalysis of dalvik bytecode. Science of Computer Programming (2013)Google Scholar
  27. 27.
    Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., Crispo, B., Massacci, F.: Stadyna: addressing the problem of dynamic code updates in the security analysis of android applications. In: Proceedings of the 5th ACM Conferenceon Data and Application Security and Privacy, pp. 37–48. ACM (2015)Google Scholar
  28. 28.
    Zhou, Y., Jiang, X.: An analysis of the AnserverBot Trojan. Technical report, Department of Computer Science, NC State University (2013).
  29. 29.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 95–109 (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Maqsood Ahmad
    • 1
    Email author
  • Bruno Crispo
    • 1
    • 2
  • Teklay Gebremichael
    • 1
  1. 1.University of TrentoTrentoItaly
  2. 2.KU LeuvenLeuvenBelgium

Personalised recommendations