AppSpear: Automating the Hidden-Code Extraction and Reassembling of Packed Android Malware

Bodong Li,Yuanyuan Zhang,Juanru Li,Wenbo Yang,Dawu Gu
DOI: https://doi.org/10.1016/j.jss.2018.02.040
IF: 3.5
2018-01-01
Journal of Systems and Software
Abstract:Code packing is one of the most frequently used protection techniques for malware to evade detection. Particularly, Android packers originally designed to protect intellectual property are widely utilized by Android malware nowadays to hide their malicious behaviors. What's worse, Android code packing techniques are evolving rapidly with new features of Android system (e.g., the use of new Android runtime). Meanwhile, unpacking techniques and tools generally do not respond to the evolving of packers immediately, which weakens the effectiveness of new malware detection. To address the unpacking challenge especially for Android packers with advanced code hiding strategies, in this paper we propose APPSPEAR, an automated unpacking system for both Dalvik and ART. APPSPEAR adopts a universal unpacking strategy that combines runtime instrumentation, interpreter-enforced execution, and executable reassembling to guarantee the hidden code is extracted and reconstructed as a complete executable. Our experimental evaluation with 530 packed samples shows that APPSPEAR is able to unpack protected code generated by latest versions of mainstream Android packers effectively. (C) 2018 Elsevier Inc. All rights reserved.
What problem does this paper attempt to address?