Things you may not know about Android (un)packers: A systematic study based on whole-system emulation

Things you may not know about Android (un)packers: A systematic study based on whole-system emulation

The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been do...

Full description

Saved in:
Bibliographic Details
Main Authors: DUAN, Yue, ZHANG, Mu, BHASKAR, Abhishek Vasist, YIN, Heng, PAN, Xiaorui, LI, Tongxin, WANG, Xueqiang, WANG, Xiaofeng
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2018
Subjects:
Databases and Information Systems
Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/8171
https://ink.library.smu.edu.sg/context/sis_research/article/9174/viewcontent/DroidUnpack_ndss18.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
Description
Summary:The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first systematic study on mainstream Android packers, in an attempt to understand their security implications. For this purpose, we developed DROIDUNPACK, a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors. Running our tool on 6 major commercial packers, 93,910 Android malware samples and 3 existing state-of-the-art unpackers, we found that not only are commercial packing services abused to encrypt malicious or plagiarized contents, they themselves also introduce securitycritical vulnerabilities to the apps being packed. Our study further reveals the prevalence and rapid evolution of custom packers used by malware authors, which cannot be defended against using existing techniques, due to their design weaknesses.

Similar Items