Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

2-2018

Abstract

The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first systematic study on mainstream Android packers, in an attempt to understand their security implications. For this purpose, we developed DROIDUNPACK, a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors. Running our tool on 6 major commercial packers, 93,910 Android malware samples and 3 existing state-of-the-art unpackers, we found that not only are commercial packing services abused to encrypt malicious or plagiarized contents, they themselves also introduce securitycritical vulnerabilities to the apps being packed. Our study further reveals the prevalence and rapid evolution of custom packers used by malware authors, which cannot be defended against using existing techniques, due to their design weaknesses.

Discipline

Databases and Information Systems | Software Engineering

Research Areas

Cybersecurity; Information Systems and Management

Publication

Proceedings of the Network and Distributed System Security Symposium, California, USA, 2018 February 18-21

Identifier

10.14722/ndss.2018.23296

City or Country

US

Copyright Owner and License

Authors

Additional URL

http://doi.org/10.14722/ndss.2018.23296

Download

Share

COinS