Android app deobfuscation using static-dynamic cooperation

Thursday 4 October 11:00 - 11:30, Red room

Yoni Moses (Check Point)
Yaniv Mordekhay (Check Point)



Malicious Android applications are quite common, and can even be found from time to time in the Google Play Store. Thus, a lot of work has been done in both industry and academia on Android app analysis, and in particular, static code analysis. One of the problems faced by static code analysis is encryption of sensitive strings (e.g. names of functions called by reflection). The app developer can perform such encryption manually, or using off-the-shelf obfuscators.

Dynamic code analysis (i.e. running the app in an emulator) is not affected by such obfuscation techniques, because the sensitive data is decrypted by the app's code during run time. Thus, we created a combined analysis process, composed of dynamic and static analysis modules, in which the dynamic module extracts the decrypted data and passes it to the static module.

One challenge immediately comes to mind: while static analysis can analyse every line of code in the app, dynamic analysis is only aware of the code that actually runs. In other words, we might have to work hard during dynamic analysis to reach all possible flows where encrypted data is used. The solution is to make the dynamic module more active by showing it the right direction. The static module searches the app code for all invocations of the decryption code, which is usually in the form of a static function (e.g. in off-the-shelf obfuscators such as DashO, KlassMaster and others). It provides the dynamic module with a list of function calls, including argument values. The dynamic module performs these function calls and returns the results to the static module, which then patches the app code using the decrypted strings.

We implemented this concept and tested it on samples obfuscated by DashO. As we hoped, this approach enabled static analysis to detect new suspicious behaviours in applications with previously limited analysis coverage.

 

 

Yoni-Moses-web.jpg

Yoni Moses

Yoni Moses is a software engineer and researcher. His fascination with cybersecurity started 15 years ago during his undergraduate studies. Since then he has made several attempts to escape, but they have all been unsuccessful. Yoni's research interests focus mainly on static analysis algorithms and machine learning. Currently a mobile security researcher at Check Point, he uses his expertise to hunt down previously unknown Android malware. Other than writing code, he enjoys listening to classical music and discussing music with anyone willing to listen.

 

Yaniv_Mordekhay-web.jpg

Yaniv Mordekhay

Yaniv Mordekhay is a seasoned software engineer and researcher. He has over two decades of experience under his belt, coding in most programming languages known to the mankind. His tinkering took him from punch cards, through embedded devices and all the way to modern cloud-computing platforms. Currently a mobile security researcher at Check Point, he devotes most of his efforts to excavating the dark secrets of Linux and Android inner workings. You may occasionally spot him in his natural habitat on GitHub and StackOverflow, trying to contribute to way too many projects. When not glued to his computer screens, Yaniv spends time with his family exploring abandoned castles and brewing his trademark spiced coffee.


   Download slides    Read paper    Watch video

Back to VB2018 Programme page

Other VB2018 papers

An international 'who-cares-ometer' for cybercrime (partner presentation)

Stephen Cobb (ESET)

Since the hacking of Sony Pictures

Minseok (Jacky) Cha (AhnLab)

DOKKAEBI: Documents of Korean and Evil Binary

Jaeki Kim (Financial Security Institute)
Kyoung-Ju Kwak (Financial Security Institute)
Min-Chang Jang (Financial Security Institute)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.