Published 2019-12-31
Copyright (c) 2019 Daniel Baier, Martin Lambertz (Author)
This work is licensed under a Creative Commons Attribution 4.0 International License.
How to Cite
Download Citation
Abstract
String encryption is a popular technique to obfuscate the functionality, inner workings, and goals of Android apps. Especially malicious apps use this technique to thwart automatic and manual analyses. Typically, a human analyst has to manually identify the decryption routines and afterwards use these routines to decrypt the strings contained in an app. This is a time-consuming and tedious task. What is more, it has to be carried out potentially for every new malware version as the authors frequently modify their techniques.
We analyzed the Android malware corpus of Malpedia [1] and found that string encryption is used in more than half of the samples. This demonstrates that string encryption is still a prevailing obfuscation method nowadays. In this paper we present DeStroid, an approach to fully automatically decrypt obfuscated strings from Android apps. We focus in particular on current Android malware using advanced string encryption techniques and show that DeStroid outperforms all publicly available string deobfuscation approaches.
References
- D. Plohmann, M. Clauß, S. Enders, and E. Padilla, “Malpedia: a collaborative effort to inventorize the malware landscape,” Proceedings of the Botconf, 2017.
- E. Protalinski, “Android passes 2.5 billion monthly active devices | VentureBeat,” 2019. [Online; https://venturebeat.com/2019/05/07/android-passes-2-5-billion-monthly-active-devices/; accessed 01-July-2019].
- I. Statista, “Number of available applications in the Google Play Store from December 2009 to March 2019.” [Online; https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/; accessed 26-June-2019].
- S. Dong, M. Li, W. Diao, X. Liu, J. Liu, Z. Li, F. Xu, K. Chen, X. Wang, and K. Zhang, “Understanding android obfuscation techniques: A large-scale investigation in the wild,” in International Conference on Security and Privacy in Communication Systems, pp. 172–192, Springer, 2018.
- D. Baier, “DeStroid - Fighting String Encryption in Android Malware.” [Online; https://github.com/fkie-cad/DeStroid].
- F. Wei, Y. Li, S. Roy, X. Ou, and W. Zhou, “Deep ground truth analysis of current android malware,” in International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 252–276, Springer, 2017.
- D. Maiorca, D. Ariu, I. Corona, M. Aresu, and G. Giacinto, “Stealth attacks: An extended insight into the obfuscation effects on android malware,” Computers & Security, vol. 51, pp. 16–31, 2015.
- Google Inc., “JNI tips.” [Online; https://developer.android.com/training/articles/perf-jni; accessed 28-May-2019].
- Oracle America, Inc., “Chapter 5. Loading, Linking, and Initializing.” [Online; https://docs.oracle.com/javase/specs/jvms/se7/html/jvms-5.html; accessed 27-May-2019].
- Oracle America, Inc., “Static initializers.” [Online; https://docs.oracle.com/javase/specs/jls/se8/html/jls-8.html#jls-8.7; accessed 27-May-2019].
- D. Plohmann, “apk.flexispy.” [Online; https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy; accessed 27-June-2019].
- O. Mirzaei, J. de Fuentes, J. Tapiador, and L. Gonzalez-Manzano, “Androdet: An adaptive android obfuscation detector,” Future Generation Computer Systems, vol. 90, pp. 240–261, 2019.
- M. Kühnel, M. Smieschek, and U. Meyer, “Fast identigication of obfuscation and mobile advertising in mobile malware,” in 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1, pp. 214–221, IEEE,2015.
- C. Fenton, “Oracle.” [Online; https://github.com/CalebFenton/dex-oracle; accessed 26-June-2019].
- E. Schoffstall, “Java bytecode analysis/deobfuscation tool.” [Online; https://github.com/contra/JMD; accessed 26-June-2019].
- Java Deobfuscator, “Java deobfuscator.” [Online; https://javadeobfuscator.com/; accessed 26-June-2019].
- Y. M. Yoni Moses, “Android app deobfuscation using static-dynamic cooperation.” [Online; https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Moses-Mordekhay.pdf; accessed 26-May-2019].
- C. Fenton, “Simplify - Generic Android Deobfuscator.” [Online; https://github.com/CalebFenton/simplify; accessed 26-June-2019].
- C. Fenton, “TetCon 2016 - Android Deobfuscation: Tools and Techniques.” [Online; https://calebfenton.github.io/2016/04/23/tetcon-2016-android-deobfuscation/; accessed 21-June-2019].
- J. H. Y. Haehyun Cho and G.-J. Ahn, “DexMonitor: Dynamically Analyzing and Monitoring Obfuscated Android Applications,” IEEE Access, vol. 6, pp. 71229–71240, 2018.
- M. Y. Wong and D. Lie, “Tackling runtime-based obfuscation in android with fTIROg,” in 27th {USENIX} Security Symposium ({USENIX} Security 18), pp. 1247–1262, 2018.
- S. Rasthofer, S. Arzt, M. Miltenberger, and E. Bodden, “Harvesting runtime data in android applications for identifying malware and enhancing code analysis,” tech. rep., Technical Report TUD-CS-2015-0031, EC SPRIDE, 2015.
- B. Gruver, “About smali.” [Online; https://github.com/JesusFreke/smali/tree/master/dexlib2; accessed 24-June-2019].
- Sable Research Group, “Soot - A framework for analyzing and transforming Java and Android applications.” [Online; https://sable.github.io/soot/; accessed 24-June-2019].
- M.Weiser, “Programslicing,” in Proceedings of the 5th international conference on Software engineering, pp. 439–449, IEEE Press, 1981.
- C. Fenton, “Simplify - Generic Android Deobfuscator.” [Online; https://github.com/CalebFenton/simplify/blob/master/README.md; accessed 26-June-2019].
- D. Plohmann, “apk.retefe.” [Online; https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe; accessed 26-June-2019].
- D. Plohmann, “apk.marcher.” [Online; https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher; accessed 26-May-2019].