

A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android Apps and Anti-Malware Products

The Android platform has been the dominant mobile platform in recent years, resulting in millions of apps and security threats against those apps. Anti-malware products aim to protect smartphone users from these threats, especially from malicious apps. However, malware authors use code obfuscation on their apps to evade detection by anti-malware products. To assess the effects of code obfuscation on Android apps and anti-malware products, we have conducted a large-scale empirical study that evaluates the effectiveness of the top anti-malware products against various obfuscation tools and strategies. To that end, we have obfuscated 3,000 benign apps and 3,000 malicious apps and generated 73,362 obfuscated apps using 29 obfuscation strategies from 7 open-source, academic, and commercial obfuscation tools. The findings of our study indicate that (1) code obfuscation significantly impacts Android anti-malware products; (2) the majority of anti-malware products are severely impacted by even trivial obfuscations; (3) in general, combined obfuscation strategies do not evade anti-malware products more successfully than individual strategies; (4) the detection rate of anti-malware products depends not only on the applied obfuscation strategy but also on the obfuscation tool used to apply it; (5) anti-malware products are slow to adopt signatures of malicious apps; and (6) code obfuscation often results in changes to an app's semantic behaviors.

Mahmoud Hammad

June 01, 2018


Transcript

  1. A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android Apps and Anti-Malware Products
     Mahmoud Hammad, Joshua Garcia, Sam Malek
  2. Code obfuscation in Android
     • Transforms code into a format that is more difficult to reverse engineer while preserving its semantics
     [Figure: APK file (AndroidManifest.xml, classes.dex, Resources) passed through an obfuscation strategy to produce an obfuscated APK file]
  3. Obfuscation for benign purposes
     • Intellectual property: make reverse engineering of intellectual property more difficult
  4. Obfuscation tools
     • Academic: DroidChameleon, ADAM
     • Commercial: Allatori, DashO
     • Open-source: ProGuard, Apktool, Jarsigner
  5. Obfuscation strategies
     • Trivial strategies: do not change the bytecode (repackaging, Android Manifest transformation, disassembly/reassembly, alignment)
     • Non-trivial strategies: change the bytecode (junk code insertion, string encryption, reflection, identifier renaming, member reordering, class renaming, control-flow manipulation)
     • Combined strategies: combination of two or more of the previous ones
  6. Overall research goal
     • Goal: to assess the performance of commercial anti-malware products against various obfuscation tools and strategies
     • Large-scale empirical study
       • Many anti-malware products
       • Many malicious and benign apps
       • Wide variety of obfuscation tools and strategies
       • Relation between time and anti-malware effectiveness
       • Obfuscation effects on validity, installability, and runnability of apps
  7. Scope of the study
     [Figure: Android apps, obfuscation tools, obfuscation strategies and anti-malware products, with RQ1 to RQ4 mapped onto them]
  8. Experiment setup
     • Android apps: 3,000 benign, 3,000 malicious, 73,362 obfuscated
     • Obfuscation tools: 7 tools (2 academic, 2 commercial, 3 open-source)
     • Obfuscation strategies: 29 strategies (4 trivial, 7 non-trivial, 18 combined)
     • Anti-malware products: 61 products
  9. Obfuscation framework
     • The framework is reusable and extendable
     • Written in Python and available to the public [1]
     [Figure: pipeline of IR Converter, IR Transformer, APK Generator and Data Analyzer, with the IR and the obfuscated IR passed between stages]
     [1] http://www.ics.uci.edu/~seal/projects/obfuscation/
  10. RQ1 findings
     • Code obfuscation decreases the detection rate of anti-malware products by, on average, 20% and up to 90%
     • Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware products, on average, by 28%
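As an added illustration (not code from the paper or its obfuscation framework) of why the trivial/non-trivial distinction on slide 5 matters for the finding above: the script below packs a constructed, fake `classes.dex` and manifest into an APK-style zip, applies simulated versions of four strategies, and reports which naive signatures still match. The class name, API name, URL and manifest are constructed placeholders, and each transformation is a few-line stand-in rather than a real tool's implementation.

```python
"""Added example: which naive signatures survive which obfuscation strategies.

The 'dex' is a constructed byte string standing in for classes.dex, and the
strategies are simulated in a few lines each; none of this is the paper's
framework or a real obfuscation tool.
"""
import hashlib
import io
import zipfile

# Constructed string-table fragment standing in for classes.dex.
CLASS_NAME = b"Lcom/evil/Payload;"                              # app class, renamable
API_NAME = b"Landroid/telephony/SmsManager;->sendTextMessage"  # framework API, not renamable
URL = b"http://c2.example/upload"                               # string literal
ORIGINAL_DEX = b"dex\n035\x00" + CLASS_NAME + b"\x00" + API_NAME + b"\x00" + URL + b"\x00"
ORIGINAL_MANIFEST = b'<manifest package="com.evil"><application/></manifest>'


def build_apk(manifest: bytes, dex: bytes, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Pack an APK-style zip (fixed timestamps so the output is deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("AndroidManifest.xml", manifest), ("classes.dex", dex)):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = compression
            z.writestr(info, data)
    return buf.getvalue()


def dex_of(apk: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read("classes.dex")


# --- simulated strategies: trivial ones leave classes.dex byte-identical -----
def manifest_transformation(manifest: bytes, dex: bytes) -> bytes:
    edited = manifest.replace(b"<application/>", b'<application android:label="x"/>')
    return build_apk(edited, dex)


def realignment(manifest: bytes, dex: bytes) -> bytes:
    # Same entries, different zip layout (stored instead of deflated):
    # a stand-in for alignment, disassembly/reassembly or re-signing.
    return build_apk(manifest, dex, zipfile.ZIP_STORED)


def identifier_renaming(manifest: bytes, dex: bytes) -> bytes:
    # Non-trivial: app-defined names change, framework API names cannot.
    return build_apk(manifest, dex.replace(CLASS_NAME, b"La/a/a;"))


def string_encryption(manifest: bytes, dex: bytes, key: int = 0x5A) -> bytes:
    # Non-trivial: the literal is stored XOR-encoded and decoded at runtime.
    return build_apk(manifest, dex.replace(URL, bytes(b ^ key for b in URL)))


# --- naive signatures an anti-malware product might rely on ------------------
def signature_hits(original: bytes, variant: bytes) -> dict:
    """True means the signature derived from the original still matches the variant."""
    orig_dex, var_dex = dex_of(original), dex_of(variant)
    return {
        "file_hash": hashlib.sha256(variant).digest() == hashlib.sha256(original).digest(),
        "dex_hash": hashlib.sha256(var_dex).digest() == hashlib.sha256(orig_dex).digest(),
        "class_name": CLASS_NAME in var_dex,  # lexical: app class name
        "api_name": API_NAME in var_dex,      # lexical: framework API name
        "url": URL in var_dex,                # lexical: C2 string literal
    }


def evaluate() -> dict:
    original = build_apk(ORIGINAL_MANIFEST, ORIGINAL_DEX)
    strategies = {
        "original": lambda m, d: build_apk(m, d),
        "manifest_transformation": manifest_transformation,
        "realignment": realignment,
        "identifier_renaming": identifier_renaming,
        "string_encryption": string_encryption,
    }
    return {name: signature_hits(original, fn(ORIGINAL_MANIFEST, ORIGINAL_DEX))
            for name, fn in strategies.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        survived = [sig for sig, ok in hits.items() if ok]
        print(f"{name:24s} signatures still matching: {survived}")
```

The whole-file hash is defeated by every strategy, including the two that never touch the bytecode; the dex hash survives trivial strategies only; a lexical signature on a framework API name survives renaming and string encryption in this toy, which is the direction the "program analysis instead of lexical analysis" lesson on slide 19 points in, since a later reflection or junk-code step would break that string as well.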
  11. RQ1 findings
     • The reflection strategy makes apps look suspicious, increasing the chance of an app being labeled as malicious
     • Combined strategies do not affect the detection rate more than single transformations
  12. RQ2 finding
     • Detection rate varies based on the obfuscation tool.
     • DashO affects the detection rate the most.
     • ADAM and Apktool/Jarsigner affect the detection rate the least.
     [Bar chart: detection rate (%) per obfuscation tool]
  13. RQ3: time-aware analysis
     • Average detection rate decreases over time, indicating slow adoption of malicious signatures
  14. RQ4: Does code obfuscation affect the functionality of apps?
     [Figure: scope diagram (Android apps, obfuscation tools, obfuscation strategies, anti-malware products; RQ1 to RQ4) with RQ4 highlighted]
  15. RQ4: Does code obfuscation affect the functionality of apps?
     • Installable app: successfully installed onto an Android device
     • Runnable app: runtime behavior is similar to that of the original app
     • Apps tested using Monkey with 1,000 events and the same seed
     • Order-aware vs. order-agnostic
  16. Runnability of apps: order-aware
     • Order-aware: the same set of components run in the same sequence before and after obfuscation
     [Figure: original app executes C1, C2, C3; execution traces collected with the same test suite; the order-aware obfuscated app executes C1, C2, C3]
  17. Runnability of apps: order-agnostic
     • Order-agnostic: the same set of components run in any sequence before and after obfuscation
     [Figure: original app executes C1, C2, C3; execution traces collected with the same test suite; the order-agnostic obfuscated app executes C2, C3, C1]
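An added example (not the authors' tooling) of the runnability comparison defined on slides 15 to 17: it parses constructed logcat-style lines, modelled on the ActivityManager "Displayed <package>/<activity>" message, into a component trace for the original and the obfuscated run, and classifies the pair as order-aware, order-agnostic or not runnable. It assumes component names either survive obfuscation unchanged or can be mapped back with the tool's rename map (in the spirit of a ProGuard mapping file); the package, activity names and log lines are constructed.

```python
"""Added example: classifying an obfuscated app's runnability from execution traces.

Log lines are constructed, modelled on the ActivityManager 'Displayed' message
that logcat prints when an activity comes to the foreground. This is not the
authors' tooling.
"""
import re
from typing import Iterable, Optional

# e.g. "I ActivityManager: Displayed com.example.app/.LoginActivity: +312ms"
DISPLAYED = re.compile(r"ActivityManager: Displayed (?P<pkg>\S+)/(?P<cls>\S+?):")
CRASH_MARKERS = ("FATAL EXCEPTION", "Force finishing activity")


def component_trace(log: Iterable[str], rename_map: Optional[dict] = None) -> list:
    """Extract the sequence of displayed components, undoing renames if a map is given."""
    rename_map = rename_map or {}
    trace = []
    for line in log:
        m = DISPLAYED.search(line)
        if m:
            comp = f"{m['pkg']}/{m['cls']}"
            trace.append(rename_map.get(comp, comp))
    return trace


def crashed(log: Iterable[str]) -> bool:
    return any(marker in line for line in log for marker in CRASH_MARKERS)


def classify(original_log, obfuscated_log, rename_map=None) -> str:
    """Runnability verdict per the study's definitions.

    order-aware:    same components in the same sequence
    order-agnostic: same set of components, any sequence
    not runnable:   crash, or a different set of components reached
    """
    if crashed(obfuscated_log):
        return "not runnable (crash)"
    orig = component_trace(original_log)
    obf = component_trace(obfuscated_log, rename_map)
    if orig == obf:
        return "order-aware"
    if set(orig) == set(obf):
        return "order-agnostic"
    return "not runnable (different components)"


# --- constructed traces of a hypothetical app driven by the same Monkey seed ---
PKG = "com.example.app"
ORIGINAL = [
    f"I ActivityManager: Displayed {PKG}/.MainActivity: +402ms",
    f"I ActivityManager: Displayed {PKG}/.LoginActivity: +210ms",
    f"I ActivityManager: Displayed {PKG}/.FeedActivity: +377ms",
]
SAME_ORDER = list(ORIGINAL)
REORDERED = [ORIGINAL[0], ORIGINAL[2], ORIGINAL[1]]
CRASHED = [
    ORIGINAL[0],
    "E AndroidRuntime: FATAL EXCEPTION: main",
    "E AndroidRuntime: java.lang.NoSuchMethodError: no method with name='a'",
]
TRUNCATED = [ORIGINAL[0]]
# Obfuscated build whose activities were renamed; the tool's mapping undoes it.
RENAMED = [
    f"I ActivityManager: Displayed {PKG}/.a: +390ms",
    f"I ActivityManager: Displayed {PKG}/.b: +205ms",
    f"I ActivityManager: Displayed {PKG}/.c: +370ms",
]
RENAME_MAP = {
    f"{PKG}/.a": f"{PKG}/.MainActivity",
    f"{PKG}/.b": f"{PKG}/.LoginActivity",
    f"{PKG}/.c": f"{PKG}/.FeedActivity",
}


def run_all() -> dict:
    return {
        "same_order": classify(ORIGINAL, SAME_ORDER),
        "reordered": classify(ORIGINAL, REORDERED),
        "crashed": classify(ORIGINAL, CRASHED),
        "truncated": classify(ORIGINAL, TRUNCATED),
        "renamed_without_map": classify(ORIGINAL, RENAMED),
        "renamed_with_map": classify(ORIGINAL, RENAMED, RENAME_MAP),
    }


if __name__ == "__main__":
    for case, verdict in run_all().items():
        print(f"{case:22s} -> {verdict}")
```

Two practical points the cases bring out: a renaming obfuscator makes an otherwise faithful build look "not runnable" unless the comparison is done modulo the tool's mapping, and the order-agnostic check uses a set, as the slide's definition does, so a component reached twice in one run and once in the other still counts as the same set (use `collections.Counter` instead if repeat counts should matter).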
  18. RQ4: Does code obfuscation affect the functionality of apps?
     • Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.
  19. Lessons learned
     • For anti-malware products: deeper analysis
       • Program analysis instead of just lexical analysis
     • For benign-app developers
       • Reflection is to be avoided
       • Combined obfuscations are generally non-problematic
     • For obfuscation-tool developers
       • Many transformations result in invalid, non-installable, or unrunnable apps
  20. Anti-malware products and obfuscation tools
     [Figure: the tools (DashO, ProGuard, DroidChameleon, Allatori, Apktool/Jarsigner, ADAM) and the original app placed along a scale from "ideal for benign-app developers, obfuscation-tool developers and anti-malware vendors" to "ideal for malware authors"]
  21. Conclusion
     • Large-scale empirical study of the effects of code obfuscation on Android apps and anti-malware products
     • Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and up to 90%
     • Future
       • Tomorrow: RevealDroid, an approach that detects malware despite such obfuscations
       • Obfuscation tools for the white hats and not the black hats
     Thank You!