Post on 01-Apr-2020

AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware

Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu

Sudeep Nanjappa Jayakumar

Agenda

•  Introduction
•  AppSpear – Goals, Contributions
•  Code Packed Android Malware
•  Analysis
•  AppSpear – Overview
•  DEX Reassembling
•  Experimental Evaluation
•  Accuracy of DEX Reassembling
•  Related Work
•  Conclusion

Introduction

•  A range of static and dynamic analysis approaches (using code similarity comparison to detect malware) have been proposed for detecting malicious Android apps.

•  Code packing techniques were initially designed to counter reverse engineering and effectively resist many program tampering attempts; they are now becoming a common means of circumventing malware detection.

•  Current unpacking approaches are either based on manual effort, which is slow and tedious, or based on coarse-grained memory dumping.

•  An investigation of 37,688 Android malware samples is conducted to gather statistics on packed Android apps.

•  This paper conducts a systematic study of packed Android malware and examines the feasibility of universal and automated unpacking for Android applications.

AppSpear

•  AppSpear is a generic and fine-grained system for automatic malware unpacking.

•  Its core technique is a bytecode decrypting and Dalvik executable (DEX) reassembling method, which is able to recover any protected bytecode effectively without knowledge of the packer.

•  AppSpear directly instruments the Dalvik VM to collect the decrypted bytecode information from the Dalvik Data Structs (DDS), and performs the unpacking by conducting a refined reassembling process to create a new DEX file.

•  The unpacked application is then available for analysis by malware detection systems.

•  AppSpear is the first automatic and generic unpacking system for current commercial Android packers.

Goal

1. A thorough investigation is done on large-scale Android malware samples to take statistics of how widely those malware samples are protected by Android packers.

   a) 10 popular commercial Android packers used by malware authors, which cover the majority of existing techniques, are studied; the investigation is then conducted on 37,688 malware samples.
   b) This set contains 490 code-packed malware samples.

2. To address the challenge of analyzing code-packed malware, the authors have proposed AppSpear, a generic and fine-grained system for automatic malware unpacking.

Contributions

•  A thorough investigation of both existing mainstream Android packers and code-packed Android malware in the wild is done, further summarizing the typical anti-analysis defenses of Android packers.

•  A bytecode decrypting and DEX reassembling technique is proposed to rebuild protected apps. The APK rebuilding process transforms code-packed malware into an unpacked form, which is feasible for commodity program analysis.

•  An automated and generic unpacking system, AppSpear, is designed to deal with most mainstream Android packers; the unpacked apps can be validated by state-of-the-art analysis tools, which are not able to handle the packed form beforehand.

Code Packed Android Malware

•  Investigation of 10 popular commercial Android packers (Bangcle, Ijiami, Qihoo 360, etc.) and building of a signature database.

•  Collected 37,668 malware samples from 2012 to May 2015 using SandDroid, which detects malware according to the feedback results of 12 main virus scan engines from VirusTotal (F-Secure, Symantec, AntiVir, ESET-NOD32, Kaspersky, BitDefender, McAfee, Fortinet, Ad-Aware, AVG, Baidu-International, Qihoo-360).

•  An app is regarded as malware if more than three virus scan engines detect it.

Summary of Packed Android Malware

Analysis

•  Analysis indicates that the anti-analysis defenses employed by those packers can be classified into three categories:

   a) The first category of anti-analysis defenses involves functions that check the static and dynamic integrity of the app.
   b) The second category of anti-analysis measures involves source-code-level obfuscation, which requires the source code to employ the protection.
   c) The third category, which is the most complex, involves bytecode hiding.

•  The integrity of the packed apps is also checked to decide whether the apps have been tampered with; it is checked with both static and dynamic processes.

AppSpear - Overview

AppSpear employs the unpacking through three main steps:

•  AppSpear introspects the Dalvik VM to transparently monitor the execution of any packed app.

•  AppSpear collects DDS in memory and performs a reassembling process on the collected DDS, with some modified methods fixed, to re-generate a DEX file.

•  Finally, AppSpear resects anti-analysis code and further synthesizes the DEX file with the manifest file and other resource files from the original packed APK into an unpacked APK.

DEX Reassembling

•  DEX reassembling in AppSpear is the reverse process of the DEX loading procedure.
•  AppSpear leverages this to employ the DEX reassembling process.
•  The Dalvik VM maintains 18 DDS parsed from a DEX file during runtime.
•  DDS can be classified into two types:

   a) Index DDS (IDDS), including Header, StringId, TypeId, ProtoId, FieldId, MethodId, ClassDef and MapList. The main functionality of IDDS is to index the real offset of the second type of DDS.
   b) Content DDS (CDDS), including TypeList, ClassData, Code, StringData, DebugInfo, EncodedArray and four items related to Annotation. This type of DDS mainly stores the raw data of bytecode content information.

DEX Reassembling Contd..
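To make the IDDS/CDDS split and the "reverse of loading" idea concrete, here is an added example (not code from the paper or from AppSpear): a minimal DEX 035 writer that lays out a string table (CDDS) and then rebuilds the index tables, map list and header around it, including the SHA-1 signature and Adler-32 checksum, beside the forward loader that follows the index back into the content. The DEX contents are constructed for the example and the file holds only strings; the table-free type/proto/field/method/class_def sections are assumed empty.

```python
import hashlib, struct, zlib

# Constructed example: minimal DEX (version 035) with only a string table; index DDS point at content DDS.
HEADER_SIZE, ENDIAN_CONSTANT = 0x70, 0x12345678
TYPE_HEADER, TYPE_STRING_ID, TYPE_MAP_LIST, TYPE_STRING_DATA = 0x0000, 0x0001, 0x1000, 0x2001

def uleb128(value):
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(out) + bytes([value])

def reassemble_dex(strings):
    """Reverse of DEX loading: lay out the content first, then rebuild index tables and header."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    string_data, offsets = bytearray(), []
    for s in strings:  # string_data_item: uleb128 utf16 length, MUTF-8 bytes (ASCII here), NUL
        offsets.append(data_off + len(string_data))
        string_data += uleb128(len(s)) + s.encode("utf-8") + b"\0"
    string_data += b"\0" * (-len(string_data) % 4)  # map_list must be 4-byte aligned
    map_off = data_off + len(string_data)
    map_list = struct.pack("<I", 4) + b"".join(struct.pack("<HHII", t, 0, n, o) for t, n, o in (
        (TYPE_HEADER, 1, 0), (TYPE_STRING_ID, len(strings), ids_off),
        (TYPE_STRING_DATA, len(strings), data_off), (TYPE_MAP_LIST, 1, map_off)))
    body = b"".join(struct.pack("<I", o) for o in offsets) + string_data + map_list
    file_size = HEADER_SIZE + len(body)
    rest = struct.pack("<6I", file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, map_off)
    rest += struct.pack("<2I", len(strings), ids_off) + bytes(40)  # type..class_defs tables empty
    rest += struct.pack("<2I", file_size - data_off, data_off) + body
    signature = hashlib.sha1(rest).digest()                  # SHA-1 of everything after itself
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF   # Adler-32 of everything after itself
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + rest

def load_dex(blob):
    """Forward DEX loading: verify integrity, then follow string_ids (IDDS) into string_data (CDDS)."""
    checksum, = struct.unpack_from("<I", blob, 8)
    if blob[:8] != b"dex\n035\0" or checksum != zlib.adler32(blob[12:]) & 0xFFFFFFFF:
        raise ValueError("bad magic or checksum")
    if blob[12:32] != hashlib.sha1(blob[32:]).digest():
        raise ValueError("signature mismatch")
    count, ids_off = struct.unpack_from("<2I", blob, 56)
    strings = []
    for i in range(count):
        start, = struct.unpack_from("<I", blob, ids_off + 4 * i)
        while blob[start] & 0x80:  # skip the uleb128 utf16_size prefix
            start += 1
        strings.append(blob[start + 1:blob.index(b"\0", start + 1)].decode("utf-8"))
    return strings
```

Because the header, checksum and signature are recomputed from the laid-out content, a reassembled file passes the same integrity checks a loader applies, which is exactly why memory dumps with stale headers fail where reassembly succeeds.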

APK Rebuilding

•  AppSpear performs a last step, APK rebuilding, to remove the code that obstructs analysis.

   a) Anti-analysis code resecting: AppSpear maintains an empirical database of code stubs and automatically resects any code stub in the database when it is encountered.

   b) APK repackaging: AppSpear combines the reassembled DEX file with materials from the existing packed app, including the manifest (AndroidManifest.xml) and resource files, to repackage the app. The manifest file of an app declares the permissions and the entry points of the app, and these are directly used in the repackaged app.

Experimental Evaluation

•  31 packed malware samples were manually chosen from the 490 packed samples collected by SandDroid to test AppSpear.

•  These 31 samples could run without crashes or exceptions before unpacking, and all have different package names.

•  The authors developed a homebrewed malicious app that requires many permissions and collects sensitive data.

•  The test app contains all four main components (Activity, Service, Broadcast Receiver, Content Provider) and an Application class.

•  The test app is submitted to 7 online packing services: Bangcle (a.k.a. Secneo), Ijiami, Qihoo 360, Baidu, Alibaba, LIAPP and DexProtector.

Experimental Evaluation

•  AppSpear is deployed on two devices, Galaxy Nexus and Nexus 4.
•  The Android operating system versions are 4.3 and 4.4.2.
•  The modified Dalvik VM is built from the AOSP source code, and the default Dalvik VM is replaced with the AppSpear-integrated one.
•  AppSpear conducts the unpacking as soon as the Main Activity class invokes the onCreate method.
•  All of the samples are unpacked automatically and the corresponding unpacked APK files are generated.

Accuracy of DEX Reassembling

•  The accuracy of the DEX reassembling is evaluated using 5 popular and widely used static tools: DEX Template for 010 Editor, Baksmali, Enjarify, IDA Pro and AndroGuard.

•  The testing set consists of 7 homebrewed samples submitted to online packers and 31 malware samples from the collected 490 packed samples, covering 10 different packers altogether.

•  The result above shows that DEX Template for 010 Editor, IDA Pro and AndroGuard successfully parse all reassembled DEX files.

Related Work

•  PolyUnpack: performs automatic unpacking by emulating the execution of the program and monitoring all memory writes and instruction fetches, and considers all instructions fetched from previously written memory locations to be successfully unpacked.

•  OmniUnpack: is a real-time unpacker that performs unpacking by looking for the written-then-execute pattern.

•  Renovo: uses the written-then-execute pattern to perform the unpacking. It instruments the execution of the binary in an emulator and traces the execution at instruction level.

•  Eureka: uses coarse-grained NTDLL system call monitoring for automated malware unpacking; it is only available for Windows packers.

Conclusion

•  This paper is mainly about the systematic study of code-packed Android malware.
•  An investigation of 37,688 Android malware samples is conducted and 490 code-packed apps are analyzed with the help of AppSpear.
•  AppSpear employs a novel bytecode decrypting and DEX reassembling approach to replace traditional manual analysis and memory-dump-based unpacking.
•  Experiments have demonstrated that the AppSpear system is able to unpack most malware samples protected by popular commercial Android packers.
•  AppSpear is a most essential step in current Android malware detection.

ThankYou
