Happer: Unpacking Android Apps via a Hardware-Assisted Approach

Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent inspection. To fill the gap, in this paper we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, after tackling several technical challenges, we develop a prototype named Happer together with a domain-specific language, the behavior description language (BDL), that makes Happer easy to extend. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happer observed 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happer adopted proper approaches to collect all the hidden Dex data and assembled them into valid Dex files.
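The final step described above, assembling collected Dex data into valid Dex files, hinges on the Dex header's file_size, adler32 checksum and SHA-1 signature fields being consistent with the bytes that follow them. As an added example (not code from the Happer paper or its authors), the following Python checks those fields on a raw image and rewrites them for a constructed, header-only dump; the field offsets follow the AOSP dex format and the sample image is constructed, not taken from any real app.

```python
import hashlib
import struct
import zlib

# Dex header layout (AOSP dex format): magic[8], checksum u32 @8, signature[20] @12,
# file_size u32 @32, header_size u32 @36 (always 0x70), endian_tag u32 @40, then
# the size/offset table for the remaining sections.
DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

def dex_checksum(data: bytes) -> int:
    # adler32 over everything after the magic and checksum fields (offset 12 onward)
    return zlib.adler32(data[12:]) & 0xFFFFFFFF

def dex_signature(data: bytes) -> bytes:
    # SHA-1 over everything after the signature field (offset 32 onward)
    return hashlib.sha1(data[32:]).digest()

def check_dex(data: bytes) -> list:
    """Return a list of header problems; an empty list means the image looks like a valid Dex file."""
    problems = []
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 0x70-byte header"]
    if data[:8] != DEX_MAGIC:
        problems.append("bad magic %r" % data[:8])
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if file_size != len(data):
        problems.append("file_size %d != actual %d" % (file_size, len(data)))
    if header_size != HEADER_SIZE:
        problems.append("header_size 0x%x != 0x70" % header_size)
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag 0x%08x" % endian_tag)
    if checksum != dex_checksum(data):
        problems.append("adler32 checksum mismatch")
    if data[12:32] != dex_signature(data):
        problems.append("sha1 signature mismatch")
    return problems

def repair_dex(data: bytes) -> bytes:
    """Rewrite file_size, header_size, endian_tag, signature and checksum so a dumped image is self-consistent."""
    buf = bytearray(data)
    struct.pack_into("<III", buf, 32, len(buf), HEADER_SIZE, ENDIAN_CONSTANT)
    buf[12:32] = dex_signature(bytes(buf))      # signature covers bytes 32.., so write it first
    struct.pack_into("<I", buf, 8, dex_checksum(bytes(buf)))  # checksum covers the signature too
    return bytes(buf)

def constructed_dump() -> bytes:
    # Constructed sample: a header-only image with zeroed size/checksum/signature fields,
    # standing in for a raw dump of a Dex region that a packer released at runtime.
    return DEX_MAGIC + b"\x00" * (HEADER_SIZE - 8) + b"\x00" * 16
```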
