Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild

  • Shuaike Dong
  • Menghao Li
  • Wenrui Diao
  • Xiangyu Liu
  • Jian Liu (Email author)
  • Zhou Li
  • Fenghao Xu
  • Kai Chen
  • XiaoFeng Wang
  • Kehuan Zhang (Email author)
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)

Abstract

Program code is a valuable asset to its owner. Because Java is easy to reverse-engineer, code protection for Android apps is of particular importance. To this end, code obfuscation, which complicates the representation of source code or machine code in order to hinder manual investigation and code analysis, is widely used by both legitimate app developers and malware authors. Although many previous studies have focused on obfuscation techniques, our knowledge of how obfuscation is applied by real-world developers is still limited.

In this paper, we seek to better understand Android obfuscation and depict a holistic view of the usage of obfuscation through a large-scale investigation in the wild. In particular, we focus on three popular obfuscation approaches: identifier renaming, string encryption and Java reflection. To obtain meaningful statistical results, we designed efficient and lightweight detection models for each obfuscation technique and applied them to our massive APK datasets (collected from Google Play, multiple third-party markets, and malware databases). We have learned several interesting facts from the results. For example, more apps on third-party markets than malware use identifier renaming, and malware authors use string encryption more frequently. We are also interested in the explanation for each finding, so we carry out in-depth code analysis on a sample of Android apps. We believe our study will help developers select the most suitable obfuscation approach, and at the same time help researchers improve code analysis systems in the right direction.

Keywords

Android; Obfuscation; Static analysis; Code protection

Notes

Acknowledgement

We thank anonymous reviewers for their insightful comments. This work was partially supported by National Natural Science Foundation of China (NSFC) under Grant No. 61572415 and 61572481, Hong Kong S.A.R. Research Grants Council (RGC) Early Career Scheme/General Research Fund No. 24207815 and 14217816.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Shuaike Dong (1)
  • Menghao Li (2)
  • Wenrui Diao (3)
  • Xiangyu Liu (4)
  • Jian Liu (2) (Email author)
  • Zhou Li (5)
  • Fenghao Xu (1)
  • Kai Chen (2)
  • XiaoFeng Wang (6)
  • Kehuan Zhang (1) (Email author)

  1. The Chinese University of Hong Kong, Sha Tin, Hong Kong
  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  3. Jinan University, Guangzhou, China
  4. Alibaba Inc., Hangzhou, China
  5. ACM Member, Boston, USA
  6. Indiana University Bloomington, Bloomington, USA
