A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android Apps and Anti-Malware Products

Transcript

1. A Large-Scale Empirical Study on the Effects of Code Obfuscations

   on Android Apps and Anti-Malware Products Mahmoud Hammad Joshua Garcia Sam Malek

2. Source: IDC 85% 2 Mobile market share

3. Explosive growth of Android malware 3 Source:

4. Protection through anti-malware products • Smartphone users rely on anti-malware

   products to protect their devices

5. Anti-malware evasion through obfuscation 5 • Code obfuscations • Identifier

   renaming • Encryption • Reflection • …

6. Code obfuscation in Android • Transforms code into a format

   that is more difficult to reverse engineer while preserving its semantics 6 AndroidManifest.xml classes.dex Resources APK file Obfuscation strategy Obfuscated APK file

7. Obfuscation for benign purposes 7 • Intellectual Property • Make

   reverse engineering of intellectual property more difficult

8. Obfuscation tools • Academic • DroidChameleon • ADAM 8 •

   Commercial • Allatori • • Open-source • ProGuard • Apktool • Jarsigner

9. Obfuscation strategies • Trivial strategies - does not change bytecode

   • Non-trivial strategies – changes bytecode • Combined strategies • Combination of two or more of the previous ones 9 Junk code insertion String encryption Reflection Identifier renaming Member reordering Class renaming Control-flow manipulation Repackaging Android Manifest transformation Disassembly/ Reassembly Alignment

10. Overall Research Goal • Goal: To assess the performance of

    commercial anti-malware products against various obfuscation tools and strategies • Large-Scale Empirical Study • Many anti-malware products • Many malicious and benign apps • Wide variety of obfuscation tools and strategies • Relation between time and anti-malware effectiveness • Obfuscations effects on validity, installability, and runnabilityof apps 10

11. Scope of the study 11 Android apps Obfuscation tools Obfuscation

    strategies Anti-malware products RQ1 RQ3 RQ2 RQ4

12. Experiment setup 12 Android apps Obfuscation tools Obfuscation strategies Anti-malware

    products 7 tools: 2 academia 2 commercial 3 open source 3,000 benign 3,000 malicious 73,362 obfuscated 29 strategies: 4 trivial 7 non-trivial 18 combined 61 products

13. Obfuscation framework • The framework is reusable and extendable •

    Written in Python and available to public [1] 13 [1] http://www.ics.uci.edu/~seal/projects/obfuscation/ IR Converter IR Transformer APK Generator Data Analyzer IR Obfuscated IR

14. RQ1: Obfuscation strategies 14 Android apps Obfuscation tools Obfuscation strategies

    Anti-malware products RQ1 RQ3 RQ2 RQ4

15. RQ1 Findings 15 Code obfuscation decreases the detection rate of

    anti- malware products by, on average, 20% and up to 90% Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware, on average, by 28%

16. RQ1 Findings 16 Reflection strategy makes apps looks suspicious, increasing

    the chance of an app being labeled as malicious Combined strategies do not affect detection rate more than single transformations

17. RQ2: Obfuscation tools 17 Android apps Obfuscation tools Obfuscation strategies

    Anti-malware products RQ1 RQ3 RQ2 RQ4

18. RQ2 Finding 18 • Detection rate varies based on the

    obfuscation tools. • DashO affects obfuscation tools the most. • ADAM and Apktool/Jarsigneraffects detection rate the least. 0 10 20 30 40 50 60 70 80 90 100 Detection rate (%) Obfuscation Tools

19. RQ3: Time-aware analysis 19 Android apps Obfuscation tools Obfuscation strategies

    Anti-malware products RQ1 RQ3 RQ2 RQ4

20. RQ3: Time-aware analysis 20 Average detection rate decreases over time,

    indicating slow adoption of malicious signatures

21. 21 Android apps Obfuscation tools Obfuscation strategies Anti-malware products RQ1

    RQ3 RQ2 RQ4 RQ4: Does code obfuscation affect the functionality of apps?

22. RQ4: Does code obfuscation affect the functionality of apps? •

    Installable app: successfully installed onto Android device • Runnable app: runtime behavior is similar to original app • Apps tested using Monkey with 1,000 events and same seed • Order-aware vs. Order-agnostic 22

23. Runnability of Apps – Order-Aware • Order-aware: the same set

    of components run in the same sequence before and after obfuscation 23 Original app C1 C2 C3 Execution traces using the same test suit Order-aware C1 C2 C3

24. Runnability of Apps – Order-Agnostic • Order-agnostic: the same set

    of components run in any sequence before and after obfuscation 24 Original app C1 C2 C3 Execution traces using the same test suit Order-agnostic C2 C3 C1

25. RQ4: Does code obfuscation affect the functionality of apps? 25

    Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.

26. Lessons Learned • Deeper analysis for anti-malware products • Program

    analysis instead of just lexical analysis • For benign-app developers • Reflection to be avoided • Combined obfuscations generally non-problematic • For obfuscation-tool developers • Many transformations result in invalid, non-installable, or unrunnable apps 26

27. Anti-malware products and obfuscation tools 27 DashO ProGuard DroidChameleon Original

    Allatori Apktool/Jarsigner ADAM ADAM DashO DroidChameleon ProGuard Allatori Apktool/Jarsigner Original Ideal for • Benign app developers • Obfuscation-tool developers • Anti-malware vendors Ideal for malware authors

28. Conclusion • Large-scale empirical study of the effects of code

    obfuscation on Android apps and anti-malware products • Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and up to 90% • Future • Tomorrow – RevealDroid, an approach that detects malware despite such obfuscations • Obfuscation tools for the white hats and not the black hats 28 Thank You!

29. MMNB N Thank you! 29