As Android application packing technology evolves, there are more and more ways to harden apps. Manually unpacking apps becomes more difficult because the time needed for analysis increases exponentially. Packing technology was originally designed to prevent apps from being easily decompiled, tampered with, and repackaged. Unfortunately, many malicious apps have started to use packing services to protect themselves. At present, most antivirus software focuses on apps that are unpacked, which means that malicious apps that apply a packing service can easily evade a lot of antivirus software. Therefore, we should not only emphasize the importance of packing but also concentrate on unpacking technology. Only by doing so can we protect normal apps without missing any harmful ones. In this paper, we first systematically study many DEX packing and unpacking technologies, then propose and develop a universal unpacking system, named CrackDex, which is capable of extracting the original DEX file from a packed app. We propose three core technologies (simulation execution, DEX reassembling, and DEX restoration) to obtain the unpacked DEX file. CrackDex is a part of the Dalvik virtual machine: it monitors the execution of functions to locate the unpacking point in the portable interpreter, then launches the simulation execution, collects the data of the original DEX file through the corresponding structure pointer, and finally completes the unpacking process by reassembling the collected data. The results of our experiments show that CrackDex can effectively unpack apps packed by packing services in a universal approach, without any other knowledge of the packing service.