Slide 1

A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android Apps and Anti-Malware Products
Mahmoud Hammad, Joshua Garcia, Sam Malek

Slide 2

Mobile market share: 85% (Source: IDC)

Slide 3

Explosive growth of Android malware
Source:

Slide 4

Protection through anti-malware products
• Smartphone users rely on anti-malware products to protect their devices

Slide 5

Anti-malware evasion through obfuscation
• Code obfuscations
  • Identifier renaming
  • Encryption
  • Reflection
  • …

Slide 6

Code obfuscation in Android
• Transforms code into a format that is more difficult to reverse engineer while preserving its semantics
[Figure: APK file (AndroidManifest.xml, classes.dex, Resources) → Obfuscation strategy → Obfuscated APK file]

Slide 7

Obfuscation for benign purposes
• Intellectual Property
  • Make reverse engineering of intellectual property more difficult

Slide 8

Obfuscation tools
• Academic
  • DroidChameleon
  • ADAM
• Commercial
  • Allatori
  •
• Open-source
  • ProGuard
  • Apktool
  • Jarsigner

Slide 9

Obfuscation strategies
• Trivial strategies: do not change bytecode
• Non-trivial strategies: change bytecode
• Combined strategies
  • Combination of two or more of the previous ones
[Figure: strategies listed on the slide: Junk code insertion, String encryption, Reflection, Identifier renaming, Member reordering, Class renaming, Control-flow manipulation, Repackaging, Android Manifest transformation, Disassembly/Reassembly, Alignment]

Slide 10

Overall Research Goal
• Goal: To assess the performance of commercial anti-malware products against various obfuscation tools and strategies
• Large-Scale Empirical Study
  • Many anti-malware products
  • Many malicious and benign apps
  • Wide variety of obfuscation tools and strategies
  • Relation between time and anti-malware effectiveness
  • Effects of obfuscations on validity, installability, and runnability of apps

Slide 11

Scope of the study
[Figure: Android apps, Obfuscation tools, Obfuscation strategies, and Anti-malware products, mapped to RQ1, RQ2, RQ3, RQ4]

Slide 12

Experiment setup
• Android apps: 3,000 benign, 3,000 malicious, 73,362 obfuscated
• Obfuscation tools: 7 tools (2 academia, 2 commercial, 3 open source)
• Obfuscation strategies: 29 strategies (4 trivial, 7 non-trivial, 18 combined)
• Anti-malware products: 61 products

Slide 13

Obfuscation framework
• The framework is reusable and extendable
• Written in Python and available to the public [1]
[1] http://www.ics.uci.edu/~seal/projects/obfuscation/
[Figure: pipeline: IR Converter → IR → IR Transformer → Obfuscated IR → APK Generator → Data Analyzer]

Slide 14

RQ1: Obfuscation strategies
[Figure: Android apps, Obfuscation tools, Obfuscation strategies, and Anti-malware products, mapped to RQ1, RQ2, RQ3, RQ4; RQ1 highlighted]

Slide 15

RQ1 Findings
• Code obfuscation decreases the detection rate of anti-malware products by, on average, 20% and up to 90%
• Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware, on average, by 28%
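
How figures like "on average 20% and up to 90%" are derived from raw anti-malware verdicts, as an added example that is not the study's Data Analyzer: for each product it computes the detection rate over a set of malicious apps before and after a given obfuscation strategy, takes the per-product decrease, and then reports the average and the maximum across products. The verdicts, product names ("AV-A" etc.) and strategy names are constructed for the example; the choice to express the decrease in percentage points is an assumption about how the slide's numbers are read.

```python
"""Detection-rate decrease per obfuscation strategy.

Added example, not the study's framework code. verdicts[product][variant]
holds the ids of malicious apps that the product flagged for that variant
("original" or one obfuscation strategy). All data below is constructed and
does not reproduce the study's numbers.
"""
from collections import defaultdict

# Constructed sample: 10 malicious apps, 3 products, 2 obfuscation strategies.
APPS = [f"m{i}" for i in range(10)]
VERDICTS = {
    "AV-A": {"original": set(APPS),      # 100% detection on the originals
             "renaming": set(APPS[:8]),  # 80% after identifier renaming
             "manifest": set(APPS[:6])}, # 60% after manifest transformation
    "AV-B": {"original": set(APPS[:9]),  # 90%
             "renaming": set(APPS[:1]),  # 10%: this product is hit hardest
             "manifest": set(APPS[:7])}, # 70%
    "AV-C": {"original": set(APPS[:8]),  # 80%
             "renaming": set(APPS[:8]),  # 80%: renaming changes nothing here
             "manifest": set(APPS[:5])}, # 50%
}


def detection_rate(flagged, apps):
    """Percentage of the given apps that the product flagged as malicious."""
    return 100.0 * len(flagged & set(apps)) / len(apps)


def decreases(verdicts, apps):
    """strategy -> {product: detection-rate decrease in percentage points}."""
    out = defaultdict(dict)
    for product, by_variant in verdicts.items():
        base = detection_rate(by_variant["original"], apps)
        for variant, flagged in by_variant.items():
            if variant == "original":
                continue
            out[variant][product] = base - detection_rate(flagged, apps)
    return dict(out)


def summarize(verdicts, apps):
    """strategy -> (average decrease, maximum decrease, product with the max)."""
    summary = {}
    for strategy, per_product in decreases(verdicts, apps).items():
        worst = max(per_product, key=per_product.get)
        avg = sum(per_product.values()) / len(per_product)
        summary[strategy] = (round(avg, 1), round(per_product[worst], 1), worst)
    return summary


if __name__ == "__main__":
    for strategy, (avg, worst_drop, worst) in summarize(VERDICTS, APPS).items():
        print(f"{strategy}: average drop {avg} pp, up to {worst_drop} pp ({worst})")
```

A per-strategy average hides the spread across products, which is why the worst-hit product is reported alongside it; a vendor reading such a table should look at its own row rather than the mean.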

Slide 16

RQ1 Findings
• The reflection strategy makes apps look suspicious, increasing the chance of an app being labeled as malicious
• Combined strategies do not affect the detection rate more than single transformations

Slide 17

RQ2: Obfuscation tools
[Figure: Android apps, Obfuscation tools, Obfuscation strategies, and Anti-malware products, mapped to RQ1, RQ2, RQ3, RQ4; RQ2 highlighted]

Slide 18

RQ2 Finding
• Detection rate varies based on the obfuscation tool.
• DashO affects the detection rate the most.
• ADAM and Apktool/Jarsigner affect the detection rate the least.
[Chart: detection rate (%), 0 to 100, per obfuscation tool]

Slide 19

RQ3: Time-aware analysis
[Figure: Android apps, Obfuscation tools, Obfuscation strategies, and Anti-malware products, mapped to RQ1, RQ2, RQ3, RQ4; RQ3 highlighted]

Slide 20

RQ3: Time-aware analysis
• Average detection rate decreases over time, indicating slow adoption of malicious signatures

Slide 21

RQ4: Does code obfuscation affect the functionality of apps?
[Figure: Android apps, Obfuscation tools, Obfuscation strategies, and Anti-malware products, mapped to RQ1, RQ2, RQ3, RQ4; RQ4 highlighted]

Slide 22

RQ4: Does code obfuscation affect the functionality of apps?
• Installable app: successfully installed onto an Android device
• Runnable app: runtime behavior is similar to the original app
• Apps tested using Monkey with 1,000 events and the same seed
• Order-aware vs. Order-agnostic

Slide 23

Runnability of Apps – Order-Aware
• Order-aware: the same set of components run in the same sequence before and after obfuscation
[Figure: execution traces using the same test suite: Original app C1 C2 C3; Order-aware C1 C2 C3]

Slide 24

Runnability of Apps – Order-Agnostic
• Order-agnostic: the same set of components run in any sequence before and after obfuscation
[Figure: execution traces using the same test suite: Original app C1 C2 C3; Order-agnostic C2 C3 C1]
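
The order-aware and order-agnostic runnability checks of the last two slides, implemented over execution traces, as an added example that is not code from the study's framework. A trace is the ordered list of components that ran during one Monkey session; an obfuscated app is order-aware runnable when its trace equals the original's, order-agnostic runnable when the two traces contain the same set of components, and otherwise treated as not runnable. The example goes one step beyond the slides by handling the case a practitioner hits first: after a class-renaming strategy the obfuscated components carry different names, so a name map (here constructed; in practice it would come from the obfuscation tool's output) translates them back before comparison. The log lines, package name "com.example.app", and the logcat-style "Displayed <pkg>/<component>" pattern are all constructed for the example.

```python
"""Order-aware vs order-agnostic runnability check over execution traces.

Added example, not the study's framework code. The log lines and the
"Displayed <pkg>/<component>" pattern are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed logcat-like output for runs of the same test suite.
ORIGINAL_LOG = """\
I/ActivityManager: Displayed com.example.app/.MainActivity: +300ms
I/ActivityManager: Displayed com.example.app/.DetailActivity: +120ms
I/ActivityManager: Displayed com.example.app/.SettingsActivity: +95ms
"""
# Same components in a different sequence: order-agnostic, not order-aware.
OBF_REORDERED_LOG = """\
I/ActivityManager: Displayed com.example.app/.DetailActivity: +110ms
I/ActivityManager: Displayed com.example.app/.SettingsActivity: +90ms
I/ActivityManager: Displayed com.example.app/.MainActivity: +310ms
"""
# The obfuscated app crashed before the last component ran: not runnable.
OBF_CRASH_LOG = """\
I/ActivityManager: Displayed com.example.app/.MainActivity: +305ms
I/ActivityManager: Displayed com.example.app/.DetailActivity: +125ms
E/AndroidRuntime: FATAL EXCEPTION: main
"""
# Class renaming: the components ran in the original order under new names.
OBF_RENAMED_LOG = """\
I/ActivityManager: Displayed com.example.app/.a: +298ms
I/ActivityManager: Displayed com.example.app/.b: +118ms
I/ActivityManager: Displayed com.example.app/.c: +93ms
"""
# Constructed obfuscated-name -> original-name map (a real one comes from the tool).
RENAME_MAP = {
    "com.example.app.a": "com.example.app.MainActivity",
    "com.example.app.b": "com.example.app.DetailActivity",
    "com.example.app.c": "com.example.app.SettingsActivity",
}

DISPLAYED_RE = re.compile(r"Displayed (?P<pkg>[\w.]+)/(?P<comp>[\w.$]+)")


def parse_trace(log: str, name_map: dict[str, str] | None = None) -> list[str]:
    """Return the fully qualified components that ran, in order of appearance."""
    trace = []
    for line in log.splitlines():
        m = DISPLAYED_RE.search(line)
        if not m:
            continue  # crash lines and other noise name no component
        pkg, comp = m.group("pkg"), m.group("comp")
        name = pkg + comp if comp.startswith(".") else comp  # expand ".X" shorthand
        trace.append(name_map.get(name, name) if name_map else name)
    return trace


@dataclass(frozen=True)
class Runnability:
    order_aware: bool      # same components in the same sequence
    order_agnostic: bool   # same set of components in any sequence
    missing: frozenset     # ran in the original but not in the obfuscated app
    extra: frozenset       # ran in the obfuscated but not in the original app

    @property
    def label(self) -> str:
        if self.order_aware:
            return "order-aware"
        if self.order_agnostic:
            return "order-agnostic"
        return "not runnable"


def compare_traces(original: list[str], obfuscated: list[str]) -> Runnability:
    """Order-aware implies order-agnostic; the set differences explain a failure."""
    orig_set, obf_set = set(original), set(obfuscated)
    return Runnability(
        order_aware=original == obfuscated,
        order_agnostic=orig_set == obf_set,
        missing=frozenset(orig_set - obf_set),
        extra=frozenset(obf_set - orig_set),
    )


def classify(original_log: str, obfuscated_log: str,
             name_map: dict[str, str] | None = None) -> str:
    return compare_traces(parse_trace(original_log),
                          parse_trace(obfuscated_log, name_map)).label


if __name__ == "__main__":
    for tag, log, nm in [("reordered", OBF_REORDERED_LOG, None),
                         ("crash", OBF_CRASH_LOG, None),
                         ("renamed", OBF_RENAMED_LOG, RENAME_MAP)]:
        print(f"{tag}: {classify(ORIGINAL_LOG, log, nm)}")
```

Without the name map the renamed run is classified as not runnable even though every component executed, which is the measurement pitfall to watch for when a strategy rewrites class names: the comparison must be done on canonical names, not on whatever the obfuscated APK reports.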

Slide 25

RQ4: Does code obfuscation affect the functionality of apps?
• Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.

Slide 26

Lessons Learned
• Deeper analysis for anti-malware products
  • Program analysis instead of just lexical analysis
• For benign-app developers
  • Reflection to be avoided
  • Combined obfuscations generally non-problematic
• For obfuscation-tool developers
  • Many transformations result in invalid, non-installable, or unrunnable apps

Slide 27

Anti-malware products and obfuscation tools
[Figure: the obfuscation tools (ADAM, DashO, DroidChameleon, ProGuard, Allatori, Apktool/Jarsigner) and the original apps placed along a spectrum from "Ideal for benign app developers, obfuscation-tool developers, and anti-malware vendors" to "Ideal for malware authors"]

Slide 28

Conclusion
• Large-scale empirical study of the effects of code obfuscation on Android apps and anti-malware products
• Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and up to 90%
• Future
  • Tomorrow: RevealDroid, an approach that detects malware despite such obfuscations
  • Obfuscation tools for the white hats and not the black hats
Thank You!

Slide 29

Thank you!