Things you may not know about Android (un)packers: A systematic study based on whole-system emulation
The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been do...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2018
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/8171 https://ink.library.smu.edu.sg/context/sis_research/article/9174/viewcontent/DroidUnpack_ndss18.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-9174 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-91742023-09-26T10:32:33Z Things you may not know about Android (un)packers: A systematic study based on whole-system emulation DUAN, Yue ZHANG, Mu BHASKAR, Abhishek Vasist YIN, Heng PAN, Xiaorui LI, Tongxin WANG, Xueqiang WANG, Xiaofeng The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first systematic study on mainstream Android packers, in an attempt to understand their security implications. For this purpose, we developed DROIDUNPACK, a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors. Running our tool on 6 major commercial packers, 93,910 Android malware samples and 3 existing state-of-the-art unpackers, we found that not only are commercial packing services abused to encrypt malicious or plagiarized contents, they themselves also introduce securitycritical vulnerabilities to the apps being packed. Our study further reveals the prevalence and rapid evolution of custom packers used by malware authors, which cannot be defended against using existing techniques, due to their design weaknesses. 2018-02-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/8171 info:doi/10.14722/ndss.2018.23296 https://ink.library.smu.edu.sg/context/sis_research/article/9174/viewcontent/DroidUnpack_ndss18.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Databases and Information Systems Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Databases and Information Systems Software Engineering |
| spellingShingle |
Databases and Information Systems Software Engineering DUAN, Yue ZHANG, Mu BHASKAR, Abhishek Vasist YIN, Heng PAN, Xiaorui LI, Tongxin WANG, Xueqiang WANG, Xiaofeng Things you may not know about Android (un)packers: A systematic study based on whole-system emulation |
| description |
The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first systematic study on mainstream Android packers, in an attempt to understand their security implications. For this purpose, we developed DROIDUNPACK, a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors. Running our tool on 6 major commercial packers, 93,910 Android malware samples and 3 existing state-of-the-art unpackers, we found that not only are commercial packing services abused to encrypt malicious or plagiarized contents, they themselves also introduce securitycritical vulnerabilities to the apps being packed. Our study further reveals the prevalence and rapid evolution of custom packers used by malware authors, which cannot be defended against using existing techniques, due to their design weaknesses. |
| format |
text |
| author |
DUAN, Yue ZHANG, Mu BHASKAR, Abhishek Vasist YIN, Heng PAN, Xiaorui LI, Tongxin WANG, Xueqiang WANG, Xiaofeng |
| author_facet |
DUAN, Yue ZHANG, Mu BHASKAR, Abhishek Vasist YIN, Heng PAN, Xiaorui LI, Tongxin WANG, Xueqiang WANG, Xiaofeng |
| author_sort |
DUAN, Yue |
| title |
Things you may not know about Android (un)packers: A systematic study based on whole-system emulation |
| title_short |
Things you may not know about Android (un)packers: A systematic study based on whole-system emulation |
| title_full |
Things you may not know about Android (un)packers: A systematic study based on whole-system emulation |
| title_fullStr |
Things you may not know about Android (un)packers: A systematic study based on whole-system emulation |
| title_full_unstemmed |
Things you may not know about Android (un)packers: A systematic study based on whole-system emulation |
| title_sort |
things you may not know about android (un)packers: a systematic study based on whole-system emulation |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2018 |
| url |
https://ink.library.smu.edu.sg/sis_research/8171 https://ink.library.smu.edu.sg/context/sis_research/article/9174/viewcontent/DroidUnpack_ndss18.pdf |
| _version_ |
1779157190612877312 |