DOI: 10.5555/3277203.3277297
Article

Tackling runtime-based obfuscation in android with TIRO

Published: 15 August 2018

Abstract

Obfuscation is used in malware to hide malicious activity from manual or automatic program analysis. On the Android platform, malware has had a history of using obfuscation techniques such as Java reflection, code packing and value encryption. However, more recent malware has turned to employing obfuscation that subverts the integrity of the Android runtime (ART or Dalvik), a technique we call runtime-based obfuscation. Once subverted, the runtime no longer follows the normally expected rules of code execution and method invocation, raising the difficulty of deobfuscating and analyzing malware that use these techniques.
In this work, we propose TIRO, a deobfuscation framework for Android using an approach of Target-Instrument-Run-Observe. TIRO provides a unified framework that can deobfuscate malware that use a combination of traditional obfuscation and newer runtime-based obfuscation techniques. We evaluate and use TIRO on a dataset of modern Android malware samples and find that TIRO can automatically detect and reverse language-based and runtime-based obfuscation. We also evaluate TIRO on a corpus of 2000 malware samples from VirusTotal and find that runtime-based obfuscation techniques are present in 80% of the samples, demonstrating that runtime-based obfuscation is a significant tool employed by Android malware authors today.


Cited By

  • (2019) Cubismo. Proceedings of the 35th Annual Computer Security Applications Conference, pp. 430-443. DOI: 10.1145/3359789.3359821. Online publication date: 9 Dec 2019.
  • (2019) MalMax. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1849-1866. DOI: 10.1145/3319535.3363199. Online publication date: 6 Nov 2019.
  • (2019) LeakDoctor. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 3(1), pp. 1-25. DOI: 10.1145/3314415. Online publication date: 29 Mar 2019.


Published In

SEC'18: Proceedings of the 27th USENIX Conference on Security Symposium
August 2018
1740 pages
ISBN: 9781931971461

Sponsors

  • Google Inc.
  • Baidu Research
  • NSF
  • Facebook

Publisher

USENIX Association

United States
