AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware
Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu
Presented by Sudeep Nanjappa Jayakumar
Agenda
• Introduction
• AppSpear – Goals, Contributions
• Code Packed Android Malware
• Analysis
• AppSpear – Overview
• DEX Reassembling
• Experimental Evaluation
• Accuracy of DEX reassembling
• Related Work
• Conclusion
Introduction
• A range of static and dynamic analysis approaches (using code similarity comparison to detect malware) have been proposed for detecting malicious Android apps.
• These packing techniques were initially designed to counter reverse engineering and effectively resist many program tampering attempts, but they are becoming a common measure of malware detection circumvention.
• Current unpacking approaches are either based on manual efforts, which are slow and tedious, or based on coarse-grained memory dumping.
• An investigation of 37,688 Android malware samples is conducted to take statistics of the Android apps.
• This paper conducts a systematic study of packed Android malware and examines the feasibility of universal and automated unpacking for Android applications.
AppSpear
• AppSpear is a generic and fine-grained system for automatic malware unpacking.
• Its core technique is a bytecode decrypting and Dalvik executable (DEX) reassembling method, which is able to recover any protected bytecode effectively without knowledge of the packer.
• AppSpear directly instruments the Dalvik VM to collect the decrypted bytecode information from the Dalvik Data Struct (DDS), and performs the unpacking by conducting a refined reassembling process to create a new DEX file.
• The unpacked application is then available for analysis by malware detection systems.
• AppSpear is the first automatic and generic unpacking system for current commercial Android packers.
Goal
1. A thorough investigation is done on large-scale Android malware samples to take statistics of how widespread protection of malware samples by Android packers is.
   a) 10 popular commercial Android packers used by malware authors, which cover the majority of existing techniques, are studied, and then the investigation is conducted on 37,688 malware samples.
   b) This set contains 490 code-packed malware samples.
2. To address the challenge of analyzing code-packed malware, the authors have proposed AppSpear, a generic and fine-grained system for automatic malware unpacking.
Contributions
• A thorough investigation of both existing mainstream Android packers and code-packed Android malware in the wild is done, further summarizing the typical anti-analysis defenses of Android packers.
• A bytecode decrypting and DEX reassembling technique is proposed to rebuild protected apps. The APK rebuilding process transforms a code-packed malware sample into an unpacked one, which is a feasible form for commodity program analysis.
• An automated and generic unpacking system, AppSpear, is designed to deal with most mainstream Android packers; the unpacked apps can be validated by state-of-the-art analysis tools, which are not able to handle the packed form beforehand.
Code Packed Android Malware
• Investigation of 10 popular commercial Android packers (Bangcle, Ijiami, Qihoo360, etc.) and building of a signature database.
• Collected 37,668 malware samples from 2012 to May 2015 using SandDroid, which detects malware according to the feedback results of 12 main virus scan engines from VirusTotal (F-Secure, Symantec, AntiVir, ESET-NOD32, Kaspersky, BitDefender, McAfee, Fortinet, Ad-Aware, AVG, Baidu-International, Qihoo-360).
• An app is regarded as malware if more than three virus scan engines detect it.
Summary of Packed Android Malware
Analysis
• Analysis indicates that the anti-analysis defenses employed by those packers can be classified into three categories:
   a) The first category of anti-analysis defenses involves functions that check the static and dynamic integrity of the app.
   b) The second category of anti-analysis measures involves source code level obfuscation, which requires the source code to employ the protection.
   c) The third category, which is the most complex, involves bytecode hiding.
• The integrity of the packed apps is also checked to decide whether the apps have been tampered with; it is checked by both a static and a dynamic process.
AppSpear - Overview
AppSpear performs the unpacking in three main steps:
• AppSpear introspects the Dalvik VM to transparently monitor the execution of any packed app.
• AppSpear collects DDS in memory and performs a reassembling process on the collected DDS, with some modified methods fixed, to re-generate a DEX file.
• Finally, AppSpear resects anti-analysis code and further synthesizes the DEX file with the manifest file and other resource files from the original packed APK into an unpacked APK.
DEX Reassembling
• DEX reassembling in AppSpear is the reverse process of the DEX loading procedure.
• AppSpear leverages this to carry out the DEX reassembling process.
• The Dalvik VM maintains 18 DDS parsed from a DEX file during runtime.
• DDS can be classified into two types:
   a) Index DDS (IDDS), including Header, StringId, TypeId, ProtoId, FieldId, MethodId, ClassDef and MapList. The main functionality of IDDS is to index the real offset of the second type of DDS.
   b) Content DDS (CDDS), including TypeList, ClassData, Code, StringData, DebugInfo, EncodedArray and four items related to Annotation. This type of DDS mainly stores the raw data of bytecode content information.
DEX Reassembling Contd..
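Two points on the preceding slides are easier to see with a concrete DEX layout: the static integrity check of the Analysis slide (a DEX header carries an Adler-32 checksum and a SHA-1 signature over the rest of the file, so any reassembled or tampered file must have both recomputed), and the Index DDS / Content DDS split of this slide (a StringId entry is an index that holds the offset of the StringData item it points to). The following Python is an added example written for this summary; it is not AppSpear's code and not from the paper. It reassembles a deliberately minimal DEX consisting only of a header, a string_ids table, the string_data items and the map_list (no classes or code, an assumption made to keep the example short), fixes up the header, and then parses and verifies the result. The sample strings are constructed and ASCII-only, so their MUTF-8 encoding equals UTF-8.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
DEX_MAGIC = b"dex\n035\x00"
ENDIAN_CONSTANT = 0x12345678
# map_list item type codes from the DEX format specification
TYPE_HEADER_ITEM, TYPE_STRING_ID_ITEM = 0x0000, 0x0001
TYPE_MAP_LIST, TYPE_STRING_DATA_ITEM = 0x1000, 0x2002

# Constructed sample input (not taken from any real app).
SAMPLE_STRINGS = ["Lcom/example/Foo;", "onCreate", "<init>"]


def uleb128_encode(value: int) -> bytes:
    """Encode an unsigned int as ULEB128, the length prefix used by string_data_item."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def uleb128_decode(buf: bytes, off: int):
    """Decode a ULEB128 value at buf[off]; returns (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, off


def fix_header(dex: bytearray) -> bytearray:
    """Recompute the header's SHA-1 signature (over everything after it)
    and then the Adler-32 checksum (over everything after it, i.e. including
    the signature). A reassembled DEX is rejected by a static check otherwise."""
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    dex[8:12] = struct.pack("<I", zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    return dex


def verify_header(dex: bytes):
    """Static integrity check: returns (checksum_ok, signature_ok)."""
    stored_checksum = struct.unpack_from("<I", dex, 8)[0]
    checksum_ok = stored_checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    signature_ok = dex[12:32] == hashlib.sha1(dex[32:]).digest()
    return checksum_ok, signature_ok


def reassemble_dex(strings) -> bytes:
    """Lay out header | string_ids (IDDS) | string_data (CDDS) | map_list.
    Each string_id holds the absolute offset of its string_data item, which is
    exactly the index-to-content relation described for IDDS and CDDS."""
    string_ids_off = HEADER_SIZE
    string_data_off = string_ids_off + 4 * len(strings)
    string_data = bytearray()
    offsets = []
    for s in strings:
        offsets.append(string_data_off + len(string_data))
        # ULEB128 length is in UTF-16 code units; equal to len(s) for ASCII.
        string_data += uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    while (string_data_off + len(string_data)) % 4:  # map_list is 4-byte aligned
        string_data.append(0)
    map_off = string_data_off + len(string_data)
    map_items = [
        (TYPE_HEADER_ITEM, 1, 0),
        (TYPE_STRING_ID_ITEM, len(strings), string_ids_off),
        (TYPE_STRING_DATA_ITEM, len(strings), string_data_off),
        (TYPE_MAP_LIST, 1, map_off),
    ]
    map_list = struct.pack("<I", len(map_items)) + b"".join(
        struct.pack("<HHII", t, 0, n, o) for t, n, o in map_items)
    file_size = map_off + len(map_list)
    header = struct.pack(
        "<8sI20s" + "I" * 20, DEX_MAGIC, 0, b"\x00" * 20,
        file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, map_off,
        len(strings), string_ids_off,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,          # type/proto/field/method/class_def tables: empty
        file_size - string_data_off, string_data_off)
    string_ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(fix_header(bytearray(header + string_ids + string_data + map_list)))


def parse_strings(dex: bytes):
    """Walk string_ids (index) to string_data (content), the loader's direction."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX header")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = uleb128_decode(dex, data_off)
        out.append(dex[pos:dex.index(b"\x00", pos)].decode("utf-8"))
    return out


def integrity_after_tamper(dex: bytes):
    """Flip one bit in the last byte and re-run the static check."""
    tampered = bytearray(dex)
    tampered[-1] ^= 0x01
    return verify_header(bytes(tampered))


if __name__ == "__main__":
    d = reassemble_dex(SAMPLE_STRINGS)
    print(parse_strings(d), verify_header(d), integrity_after_tamper(d))
```

The order inside `fix_header` matters: the signature covers bytes from offset 32 on, the checksum covers bytes from offset 12 on and so includes the signature, which is why the signature is written first. A memory-dump unpacker that copies a DEX out of the process without this fix-up hands the static tools a file whose header no longer matches its contents.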
APK Rebuilding
• AppSpear performs a last step, APK rebuilding, to obstruct analysis.
   a) Anti-analysis Code Resecting: AppSpear maintains an empirical database of code stubs and automatically resects any code stub in the database when it is encountered.
   b) APK Repackaging: AppSpear combines the reassembled DEX file with materials from the existing packed app, including manifests.xml and resource files, to repackage the app. The manifest file of an app declares the permissions and the entry points of the app, and these are directly used in the repackaged app.
Experimental Evaluation
• 31 packed malware samples were manually chosen from the 490 packed samples collected by SandDroid to test AppSpear.
• These 31 samples could run without crashes or exceptions before unpacking and all have different package names.
• The authors developed a homebrewed malicious app that requires many permissions and collects sensitive data.
• The test app contains all four main components (Activity, Service, Broadcast Receiver, Content Provider) and an Application class.
• The test app is submitted to 7 online packing services: Bangcle (a.k.a. Secneo), Ijiami, Qihoo360, Baidu, Alibaba, LIAPP and DexProtector.
Experimental Evaluation
• AppSpear is deployed on two devices, Galaxy Nexus and Nexus 4.
• The versions of the Android operating system are 4.3 and 4.4.2.
• The modified Dalvik VM is built from the AOSP source code, and the default Dalvik VM is replaced with the AppSpear-integrated one.
• AppSpear conducts the unpacking as soon as the Main Activity class invokes the onCreate method.
• All of the samples are unpacked automatically and the corresponding unpacked APK files are generated.
Accuracy of DEX reassembling
• The accuracy of the DEX reassembling is evaluated using 5 popular and widely used static tools: DEX Template for 010 Editor, Baksmali, Enjarify, IDA Pro and AndroGuard.
• The testing set consists of 7 homebrewed samples submitted to online packers and 31 malware samples from the collected 490 packed samples, which together cover 10 different packers.
• The result above shows that DEX Template for 010 Editor, IDA Pro and AndroGuard successfully parse all reassembled DEX files.
Related work
• PolyUnpack: Performs automatic unpacking by emulating the execution of the program and monitoring all memory writes and instruction fetches, and considers all instructions fetched from previously written memory locations to be successfully unpacked.
• OmniUnpack: Is a real-time unpacker that performs unpacking by looking for the written-then-execute pattern.
• Renovo: Uses the written-then-execute pattern to perform the unpacking. It instruments the execution of the binary in an emulator and traces the execution at instruction level.
• Eureka: Uses coarse-grained NTDLL system call monitoring for automated malware unpacking; it is only available for Windows packers.
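Three of the four unpackers on this slide rely on the same written-then-execute heuristic: record every memory write, and treat an instruction fetch from an address that was written earlier as the moment hidden code has been revealed. The Python below is an added example written for this summary, not code from any of those tools or from the AppSpear paper. It replays a constructed trace of write and fetch events (a small decryption loop followed by a jump into the freshly written buffer) through a monitor and reports the fetches that hit written memory. A `granularity` parameter (an assumption of this example) lets the same monitor track memory per byte or per 4 KiB page, which shows why the coarse-grained approach mentioned in the Introduction over-approximates: a fetch from an unwritten address on a page that saw a write is flagged as well.

```python
from dataclasses import dataclass, field

# Constructed trace: (event, address, size). Not captured from a real sample.
# 0x1000: stub code in the original image; 0x2000: buffer the stub decrypts into.
SAMPLE_TRACE = [
    ("fetch", 0x1000, 4),   # stub instruction
    ("write", 0x2000, 16),  # first 16 decrypted bytes land in the buffer
    ("fetch", 0x1004, 4),   # stub instruction
    ("write", 0x2010, 16),  # next 16 decrypted bytes
    ("fetch", 0x2000, 4),   # control transfers into written memory
    ("fetch", 0x2004, 4),   # continues executing the revealed code
    ("fetch", 0x2ff0, 4),   # same page as the buffer, but never written
]


@dataclass
class UnpackMonitor:
    """Written-then-execute detector. With granularity=1 every byte is tracked
    (instruction-level tracing, as Renovo does); with granularity=4096 only
    pages are tracked, which is what a page-level memory dump can observe."""
    granularity: int = 1
    written: set = field(default_factory=set)

    def _units(self, addr, size):
        first = addr // self.granularity
        last = (addr + size - 1) // self.granularity
        return range(first, last + 1)

    def on_write(self, addr, size):
        self.written.update(self._units(addr, size))

    def on_fetch(self, pc, size):
        """True if any unit the fetched instruction spans was written before."""
        return any(u in self.written for u in self._units(pc, size))


def replay(trace, granularity=1):
    """Return the addresses of fetches that executed previously written memory,
    in trace order; the first one is where an unpacker would take its snapshot."""
    mon = UnpackMonitor(granularity)
    hits = []
    for event, addr, size in trace:
        if event == "write":
            mon.on_write(addr, size)
        elif event == "fetch" and mon.on_fetch(addr, size):
            hits.append(addr)
    return hits


def first_unpacked_fetch(trace, granularity=1):
    hits = replay(trace, granularity)
    return hits[0] if hits else None


if __name__ == "__main__":
    print([hex(a) for a in replay(SAMPLE_TRACE)])                   # byte-level tracking
    print([hex(a) for a in replay(SAMPLE_TRACE, granularity=4096)])  # page-level tracking
```

Byte-level tracking reports only the two fetches inside the decrypted buffer; page-level tracking additionally reports the fetch at 0x2ff0, illustrating how a coarse view conflates unrelated code with the unpacked payload. AppSpear sidesteps this distinction altogether by reading the Dalvik VM's own data structures instead of guessing from memory access patterns.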
Conclusion
• This paper is mainly a systematic study of code-packed Android malware.
• An investigation of 37,688 Android malware samples is conducted and 490 code-packed apps are analyzed with the help of AppSpear.
• AppSpear employs a novel bytecode decrypting and DEX reassembling approach to replace traditional manual analysis and memory-dump-based unpacking.
• Experiments have demonstrated that the AppSpear system is able to unpack most malware samples protected by popular commercial Android packers.
• AppSpear is an essential process in current Android malware detection.
ThankYou