Structural analysis of packing schemes for extracting hidden codes in mobile malware

In the Internet of Things service environment where all things are connected, mobile devices will become an extremely important medium linking together things with built-in heterogeneous communication functions. If a mobile device is exposed to hacking in this context, a security threat arises in which all things linked to the device become targets of cyber hacking; therefore, greater emphasis will be placed on the demand for swift mobile malware detection and countermeasures. Such mobile malware applies advanced code-hiding schemes to ensure that the part of the code that executes malicious behavior is not detected by anti-virus software. In order to detect mobile malware, we must first conduct structural analysis of their code-hiding schemes. In this paper, we analyze the structure of two representative Android-based code-hiding tools, Bangcle and DexProtector, and then introduce a method and procedure for extracting the hidden original code. We also present experimental results of applying these tools to sample malicious codes.
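The abstract describes recovering the original DEX that a packer hides behind a stub application. A recurring step in that kind of analysis is deciding whether a blob of bytes obtained during dynamic analysis (a dumped memory region, a decrypted asset) actually contains a complete, untampered DEX image rather than a stray occurrence of the magic string. The following Python example is added here for illustration; it is not the paper's method and not code from Bangcle or DexProtector. It relies only on the publicly documented DEX header layout (magic, Adler-32 checksum over bytes 12 to end, SHA-1 signature over bytes 32 to end, fixed 0x70-byte header) and builds its own constructed DEX image as input; it generalizes slightly beyond the abstract by accepting DEX versions 035 through 039.

```python
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_VERSIONS = (b"035\0", b"037\0", b"038\0", b"039\0")
DEX_HEADER_SIZE = 0x70  # 112 bytes, fixed for all DEX versions above

# Names of the 20 uint32 fields that follow the 20-byte SHA-1 signature.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def build_constructed_dex(data=b"\x00" * 16, class_defs_size=3):
    """Build a minimal, self-consistent DEX image (constructed test input only).

    It carries a valid header, a correct Adler-32 checksum and SHA-1 signature
    and an opaque data section; it is NOT a loadable Dalvik file.
    """
    file_size = DEX_HEADER_SIZE + len(data)
    fields = dict.fromkeys(HEADER_FIELDS, 0)
    fields.update(file_size=file_size, header_size=DEX_HEADER_SIZE,
                  endian_tag=0x12345678, class_defs_size=class_defs_size,
                  data_size=len(data), data_off=DEX_HEADER_SIZE)
    rest = struct.pack("<20I", *(fields[n] for n in HEADER_FIELDS)) + data
    signature = hashlib.sha1(rest).digest()    # covers bytes 32 .. end
    checksum = zlib.adler32(signature + rest)  # covers bytes 12 .. end
    return DEX_MAGIC_PREFIX + b"035\0" + struct.pack("<I", checksum) + signature + rest


def parse_dex_header(blob, off):
    """Parse the DEX header at `off`; return a dict, or None if no valid magic is there."""
    hdr = blob[off:off + DEX_HEADER_SIZE]
    if (len(hdr) < DEX_HEADER_SIZE or hdr[:4] != DEX_MAGIC_PREFIX
            or hdr[4:8] not in DEX_VERSIONS):
        return None
    info = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", hdr, 32)))
    info["version"] = hdr[4:7].decode()
    info["checksum"] = struct.unpack_from("<I", hdr, 8)[0]
    info["signature"] = hdr[12:32]
    return info


def find_embedded_dex(blob):
    """Scan a byte blob (e.g. a dumped memory region or a decrypted asset) for
    DEX images and verify the integrity fields of every candidate found."""
    found = []
    pos = blob.find(DEX_MAGIC_PREFIX)
    while pos != -1:
        info = parse_dex_header(blob, pos)
        if info is not None:
            end = pos + info["file_size"]
            in_bounds = info["file_size"] >= DEX_HEADER_SIZE and end <= len(blob)
            image = blob[pos:end] if in_bounds else b""
            found.append({
                "offset": pos,
                "version": info["version"],
                "file_size": info["file_size"],
                "class_defs_size": info["class_defs_size"],
                "header_ok": in_bounds and info["header_size"] == DEX_HEADER_SIZE
                             and info["endian_tag"] == 0x12345678,
                "signature_ok": in_bounds
                                and hashlib.sha1(image[32:]).digest() == info["signature"],
                "checksum_ok": in_bounds and zlib.adler32(image[12:]) == info["checksum"],
            })
        pos = blob.find(DEX_MAGIC_PREFIX, pos + 1)
    return found


def carve_dex(blob, hit):
    """Return the bytes of a fully verified hit so they can be saved for analysis."""
    if not (hit["header_ok"] and hit["signature_ok"] and hit["checksum_ok"]):
        raise ValueError("refusing to carve unverified candidate at offset %d" % hit["offset"])
    return blob[hit["offset"]:hit["offset"] + hit["file_size"]]


if __name__ == "__main__":
    dex = build_constructed_dex()
    # Constructed blob: padding, a stray "dex\n" that is not a header, the image, a trailer.
    blob = b"\x00" * 7 + b"dex\nXYZ" + b"\xff" * 9 + dex + b"trailer"
    for hit in find_embedded_dex(blob):
        print(hit)
```

The point of checking the SHA-1 signature and Adler-32 checksum, not just the magic, is that a dump taken while the packer is still decrypting yields partial images; those fail verification and are reported instead of being carved as if they were the original code.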
