The Android platform has been the dominant mobile platform in recent years, resulting in millions of apps and in security threats against those apps. Anti-malware products aim to protect smartphone users from these threats, especially from malicious apps. However, malware authors apply code obfuscation to their apps to evade detection by anti-malware products. To assess the effects of code obfuscation on Android apps and anti-malware products, we have conducted a large-scale empirical study that evaluates the effectiveness of the top anti-malware products against various obfuscation tools and strategies. To that end, we have obfuscated 3,000 benign apps and 3,000 malicious apps and generated 73,362 obfuscated apps using 29 obfuscation strategies from 7 open-source, academic, and commercial obfuscation tools. The findings of our study indicate that (1) code obfuscation significantly impacts Android anti-malware products; (2) the majority of anti-malware products are severely impacted by even trivial obfuscations; (3) in general, combined obfuscation strategies do not evade anti-malware products more successfully than individual strategies; (4) the detection rate of anti-malware products depends not only on the applied obfuscation strategy but also on the obfuscation tool used to apply it; (5) anti-malware products are slow to adopt signatures of malicious apps; and (6) code obfuscation often results in changes to an app's semantic behaviors.
6. Code obfuscation in Android
• Transforms code into a format that is more difficult to reverse engineer while preserving its semantics
[Figure: an APK file (AndroidManifest.xml, classes.dex, resources) passes through an obfuscation strategy and comes out as an obfuscated APK file]
7. Obfuscation for benign purposes
• Intellectual property
  • Make reverse engineering of intellectual property more difficult
9. Obfuscation strategies
• Trivial strategies: do not change the bytecode
• Non-trivial strategies: change the bytecode
• Combined strategies: a combination of two or more of the previous ones
[Figure: the strategies studied. Non-trivial: junk code insertion, string encryption, reflection, identifier renaming, member reordering, class renaming, control-flow manipulation. Trivial: repackaging, Android manifest transformation, disassembly/reassembly, alignment]
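To see why a trivial strategy can defeat a detector without touching a single bytecode instruction, the following added example (written for this page; it is not the study's framework and runs no real obfuscation tool) builds a constructed stand-in APK in memory, applies repackaging and alignment to it, and compares two fingerprints: the hash of the whole APK file, which a file-level signature keys on, and the hash of classes.dex, which neither strategy changes. The entry contents, timestamps and the 0xD935 extra-field id used for alignment padding are assumptions made for the demonstration.

```python
import hashlib
import io
import struct
import zipfile

# Constructed stand-in for an APK (an APK is a ZIP archive with these entries).
# The contents are placeholder bytes, not a valid DEX file or binary manifest.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(256)) * 4,
    "res/layout/main.xml": b"<LinearLayout/>",
}
ORIGINAL_TIMESTAMP = (2018, 1, 1, 0, 0, 0)  # assumed build time of the 'original'


def build_apk(entries, order=None, timestamp=ORIGINAL_TIMESTAMP,
              method=zipfile.ZIP_DEFLATED, align_to=None):
    """Write entries into an in-memory ZIP ('APK').

    With align_to set, each local header's extra field is padded so the entry's
    data starts on an align_to-byte boundary, which is what zipalign does for
    stored entries (0xD935 is assumed here as the padding field id).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (order or list(entries)):
            zi = zipfile.ZipInfo(name, date_time=timestamp)
            zi.compress_type = method
            if align_to:
                # local header = 30 fixed bytes + file name + extra field;
                # the extra field starts with its own 4-byte (id, length) header
                base = buf.tell() + 30 + len(name.encode("utf-8")) + 4
                pad = (-base) % align_to
                zi.extra = struct.pack("<HH", 0xD935, pad) + b"\x00" * pad
            zf.writestr(zi, entries[name])
    return buf.getvalue()


def read_entries(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {zi.filename: zf.read(zi) for zi in zf.infolist()}


def data_offsets(apk_bytes):
    """Absolute offset of each entry's data, parsed from the local file headers."""
    offsets = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for zi in zf.infolist():
            hdr = apk_bytes[zi.header_offset:zi.header_offset + 30]
            name_len, extra_len = struct.unpack("<HH", hdr[26:30])
            offsets[zi.filename] = zi.header_offset + 30 + name_len + extra_len
    return offsets


def repackage(apk_bytes):
    """Trivial strategy 'repackaging': unpack and re-pack. Entry order, timestamps
    and compression change; the content of every entry stays the same."""
    entries = read_entries(apk_bytes)
    return build_apk(entries, order=sorted(entries, reverse=True),
                     timestamp=(2020, 6, 1, 12, 0, 0), method=zipfile.ZIP_STORED)


def align(apk_bytes, boundary=4):
    """Trivial strategy 'alignment': store entries uncompressed with their data on
    a 4-byte boundary. Again no entry's content changes."""
    return build_apk(read_entries(apk_bytes), method=zipfile.ZIP_STORED,
                     align_to=boundary)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def fingerprints(apk_bytes):
    """Whole-file hash (what a lexical, file-level signature matches on) next to
    the hash of classes.dex (the bytecode a trivial strategy leaves untouched)."""
    return {"apk": sha256(apk_bytes),
            "dex": sha256(read_entries(apk_bytes)["classes.dex"])}


def demo():
    original = build_apk(SAMPLE_ENTRIES)
    variants = {"original": original,
                "repackaged": repackage(original),
                "aligned": align(original)}
    return {name: fingerprints(apk) for name, apk in variants.items()}


if __name__ == "__main__":
    for name, fp in demo().items():
        print(f"{name:10s} apk={fp['apk'][:16]}...  dex={fp['dex'][:16]}...")
```

Every variant gets a new whole-file hash (and, since the archive changed, a new developer signature after re-signing), while the classes.dex hash is identical across all three; a detector that keys on the former is what the study calls severely impacted by trivial obfuscation, and one that keys on the bytecode or its structure is not.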
10. Overall Research Goal
• Goal: to assess the performance of commercial anti-malware products against various obfuscation tools and strategies
• Large-scale empirical study
  • Many anti-malware products
  • Many malicious and benign apps
  • Wide variety of obfuscation tools and strategies
  • Relation between time and anti-malware effectiveness
  • Obfuscation's effects on the validity, installability, and runnability of apps
11. Scope of the study
[Figure: the four research questions (RQ1 through RQ4) relate Android apps, obfuscation tools, obfuscation strategies, and anti-malware products]
13. Obfuscation framework
• The framework is reusable and extendable
• Written in Python and available to the public [1]
[Figure: pipeline of IR Converter, IR Transformer, APK Generator, and Data Analyzer; the converter produces an IR and the transformer an obfuscated IR]
[1] http://www.ics.uci.edu/~seal/projects/obfuscation/
15. RQ1 Findings
Code obfuscation decreases the detection rate of anti-malware products by, on average, 20% and by up to 90%.
Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware products by, on average, 28%.
16. RQ1 Findings
The reflection strategy makes apps look suspicious, increasing the chance of an app being labeled as malicious.
Combined strategies do not affect the detection rate more than single transformations do.
22. RQ4: Does code obfuscation affect the functionality of apps?
• Installable app: the obfuscated app successfully installs onto an Android device
• Runnable app: the obfuscated app's runtime behavior is similar to that of the original app
• Apps tested using Monkey with 1,000 events and the same seed
• Order-aware vs. order-agnostic comparison of execution traces
23. Runnability of Apps – Order-Aware
• Order-aware: the same set of components run in the same sequence before and after obfuscation
[Figure: execution traces using the same test suite. Original app: C1 C2 C3. Order-aware match: C1 C2 C3]
24. Runnability of Apps – Order-Agnostic
• Order-agnostic: the same set of components run in any sequence before and after obfuscation
[Figure: execution traces using the same test suite. Original app: C1 C2 C3. Order-agnostic match: C2 C3 C1]
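To make the two criteria concrete, here is an added example (not the study's tooling) that extracts the sequence of displayed activities from constructed logcat excerpts and classifies the obfuscated run as order-aware, order-agnostic, or not runnable. The slides do not say how traces were collected, so using ActivityManager's "Displayed" line as the trace source is an assumption; the log lines, package and class names, and the rename map are constructed for the demonstration. The rename map covers a case the slide's C1/C2/C3 picture hides: after a class-renaming strategy the component names in the obfuscated trace differ, so they must be mapped back before the comparison means anything.

```python
import re

# Constructed logcat excerpts (not real device output). ActivityManager logs a
# "Displayed" line each time an activity reaches the foreground; one run per log.
ORIGINAL_LOG = """\
I/ActivityManager( 1203): Start proc 2210:com.example.notes/u0a120 for activity com.example.notes/.MainActivity
I/ActivityManager( 1203): Displayed com.example.notes/.MainActivity: +412ms
I/ActivityManager( 1203): Displayed com.example.notes/.EditorActivity: +210ms
I/ActivityManager( 1203): Displayed com.example.notes/.SettingsActivity: +180ms
"""

# Same components, different order (e.g. a layout/manifest change altered navigation)
REORDERED_LOG = """\
I/ActivityManager( 1203): Displayed com.example.notes/.SettingsActivity: +301ms
I/ActivityManager( 1203): Displayed com.example.notes/.MainActivity: +198ms
I/ActivityManager( 1203): Displayed com.example.notes/.EditorActivity: +220ms
"""

# Obfuscated app crashed, so one component never ran
BROKEN_LOG = """\
I/ActivityManager( 1203): Displayed com.example.notes/.MainActivity: +455ms
E/AndroidRuntime( 2210): FATAL EXCEPTION: main
I/ActivityManager( 1203): Displayed com.example.notes/.EditorActivity: +190ms
"""

# Class renaming applied: same sequence, but the names no longer match
RENAMED_LOG = """\
I/ActivityManager( 1203): Displayed com.example.notes/.a: +402ms
I/ActivityManager( 1203): Displayed com.example.notes/.b: +205ms
I/ActivityManager( 1203): Displayed com.example.notes/.c: +177ms
"""
# Constructed obfuscated-name -> original-name map (the kind of data an
# obfuscator's mapping file provides)
RENAME_MAP = {
    "com.example.notes.a": "com.example.notes.MainActivity",
    "com.example.notes.b": "com.example.notes.EditorActivity",
    "com.example.notes.c": "com.example.notes.SettingsActivity",
}

# Accepts both the brief ("I/ActivityManager( 1203): ...") and the threadtime
# ("... I ActivityManager: ...") logcat formats
DISPLAYED_RE = re.compile(
    r"ActivityManager(?:\(\s*\d+\))?: Displayed (?P<pkg>[\w.]+)/(?P<cls>[\w.$]+)")


def component_trace(log, rename_map=None):
    """Ordered list of fully qualified activity classes displayed during the run."""
    rename_map = rename_map or {}
    trace = []
    for line in log.splitlines():
        m = DISPLAYED_RE.search(line)
        if not m:
            continue
        cls = m.group("cls")
        if cls.startswith("."):  # logcat abbreviates classes under the package
            cls = m.group("pkg") + cls
        trace.append(rename_map.get(cls, cls))
    return trace


def compare_runs(original_log, obfuscated_log, rename_map=None):
    """Classify the obfuscated run against the original one.

    order-aware:    same components in the same sequence
    order-agnostic: same set of components in any sequence
    not runnable:   the sets of components differ
    """
    before = component_trace(original_log)
    after = component_trace(obfuscated_log, rename_map)
    if before == after:
        return "order-aware"
    if set(before) == set(after):
        return "order-agnostic"
    return "not runnable"


if __name__ == "__main__":
    print("reordered:", compare_runs(ORIGINAL_LOG, REORDERED_LOG))
    print("broken:   ", compare_runs(ORIGINAL_LOG, BROKEN_LOG))
    print("renamed:  ", compare_runs(ORIGINAL_LOG, RENAMED_LOG))
    print("renamed+map:", compare_runs(ORIGINAL_LOG, RENAMED_LOG, RENAME_MAP))
```

Without the rename map the renamed run is misclassified as not runnable although the app behaved identically, which is the check worth adding before attributing a runnability failure to an obfuscation tool.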
25. RQ4: Does code obfuscation affect the functionality of apps?
Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.
26. Lessons Learned
• For anti-malware products: deeper analysis
  • Program analysis instead of just lexical analysis
• For benign-app developers
  • Reflection is to be avoided
  • Combined obfuscations are generally non-problematic
• For obfuscation-tool developers
  • Many transformations result in invalid, non-installable, or unrunnable apps
27. Anti-malware products and obfuscation tools
[Figure: the obfuscation tools ADAM, Allatori, Apktool/Jarsigner, DashO, DroidChameleon, and ProGuard, together with the unobfuscated original apps, placed between the end labeled "Ideal for benign app developers, obfuscation-tool developers, and anti-malware vendors" and the end labeled "Ideal for malware authors"]
28. Conclusion
• Large-scale empirical study of the effects of code obfuscation on Android apps and anti-malware products
• Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and by up to 90%
• Future
  • Tomorrow – RevealDroid, an approach that detects malware despite such obfuscations
  • Obfuscation tools for the white hats and not the black hats
Thank You!
21 products were selected for the paper based on "the most popular anti-malware products with a big star rating, i.e., above 4.0/5".
The importance of performing deeper analysis is further highlighted by (1) the fact that transformations need not be combined to evade anti-malware products (Finding 4) and (2) the fact that this evasion worsens for newer apps (Finding 8).