A Large-Scale Empirical Study on the
Effects of Code Obfuscations on Android
Apps and Anti-Malware Products
Mahmoud Hammad Joshua Garcia Sam Malek
2
85% mobile market share (Source: IDC)
Explosive growth of Android malware
3
Protection through anti-malware products
• Smartphone users rely on anti-malware products to protect their devices
Anti-malware evasion through obfuscation
5
• Code obfuscations
  • Identifier renaming
  • Encryption
  • Reflection
  • …
Code obfuscation in Android
• Transforms code into a format that is more difficult to reverse engineer while preserving its semantics
6
[Figure: an APK file (AndroidManifest.xml, classes.dex, resources) is passed through an obfuscation strategy to produce the obfuscated APK file]
Obfuscation for benign purposes
7
• Intellectual property
  • Make reverse engineering of intellectual property more difficult
Obfuscation tools
• Academic
  • DroidChameleon
  • ADAM
• Commercial
  • Allatori
  • DashO
• Open-source
  • ProGuard
  • Apktool
  • Jarsigner
8
Obfuscation strategies
• Trivial strategies – do not change bytecode
• Non-trivial strategies – change bytecode
• Combined strategies
  • Combination of two or more of the previous ones
9
[Figure: the individual strategies studied: junk code insertion, string encryption, reflection, identifier renaming, member reordering, class renaming, control-flow manipulation, repackaging, Android Manifest transformation, disassembly/reassembly, alignment]
Overall Research Goal
• Goal: To assess the performance of commercial anti-malware products against various obfuscation tools and strategies
• Large-Scale Empirical Study
  • Many anti-malware products
  • Many malicious and benign apps
  • Wide variety of obfuscation tools and strategies
  • Relation between time and anti-malware effectiveness
  • Obfuscation effects on validity, installability, and runnability of apps
10
Scope of the study
11
[Figure: scope of the study: Android apps, obfuscation tools, obfuscation strategies and anti-malware products, with RQ1 to RQ4 mapped onto the relations between them]
Experiment setup
12
• Android apps: 3,000 benign, 3,000 malicious, 73,362 obfuscated
• Obfuscation tools: 7 tools (2 academia, 2 commercial, 3 open source)
• Obfuscation strategies: 29 strategies (4 trivial, 7 non-trivial, 18 combined)
• Anti-malware products: 61 products
Obfuscation framework
• The framework is reusable and extendable
• Written in Python and available to the public [1]
13
[1] http://www.ics.uci.edu/~seal/projects/obfuscation/
[Figure: framework components: IR Converter (APK to IR), IR Transformer (IR to obfuscated IR), APK Generator, Data Analyzer]
RQ1: Obfuscation strategies
14
RQ1 Findings
15
Code obfuscation decreases the detection rate of anti-malware products by, on average, 20% and up to 90%
Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware, on average, by 28%
RQ1 Findings
16
Reflection strategy makes apps look suspicious, increasing the chance of an app being labeled as malicious
Combined strategies do not affect detection rate more than single transformations
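The RQ1 comparison reduces to a per-product detection rate before and after each strategy. The following is an added example, not the study's framework code, run over a constructed verdict table (three hypothetical products AV-1 to AV-3, four malicious apps, strategies "manifest" and "reflection"); it reports the average and worst-case drop per strategy and counts individual verdicts that flipped, which is how a reflection-style increase shows up next to a manifest-style evasion.

```python
# Added example (not the study's framework code): aggregate per-product scan verdicts
# into detection-rate drops per obfuscation strategy, the RQ1 style of comparison.

# Constructed sample, not data from the study. For each (product, strategy) a string of
# verdict flags, one character per malicious app in a fixed order: "1" = the product
# labelled that variant malicious, "0" = it did not. Strategy "none" is the original app.
SAMPLE_SCANS = {
    ("AV-1", "none"): "1111", ("AV-1", "manifest"): "1100", ("AV-1", "reflection"): "1111",
    ("AV-2", "none"): "1110", ("AV-2", "manifest"): "1000", ("AV-2", "reflection"): "1111",
    ("AV-3", "none"): "1111", ("AV-3", "manifest"): "0000", ("AV-3", "reflection"): "1110",
}


def detection_rate(flags: str) -> float:
    """Fraction of variants flagged malicious; an empty verdict string counts as 0."""
    return flags.count("1") / len(flags) if flags else 0.0


def rate_change_by_strategy(scans: dict, baseline: str = "none") -> dict:
    """Per strategy, the drop in detection rate relative to the unobfuscated baseline,
    in percentage points: the average over products and the worst single product.
    A negative average means the strategy made the apps easier to flag."""
    products = sorted({p for p, _ in scans})
    strategies = sorted({s for _, s in scans if s != baseline})
    summary = {}
    for strategy in strategies:
        drops = []
        for product in products:
            base, obf = scans.get((product, baseline)), scans.get((product, strategy))
            if base is None or obf is None:
                continue  # product did not scan this variant set; do not count it as 0%
            drops.append(100 * (detection_rate(base) - detection_rate(obf)))
        if drops:
            summary[strategy] = {
                "avg_drop": round(sum(drops) / len(drops), 1),
                "max_drop": round(max(drops), 1),
            }
    return summary


def verdict_flips(scans: dict, strategy: str, baseline: str = "none") -> tuple:
    """Count individual (app, product) verdicts that changed: how many originally detected
    apps slipped past a product after obfuscation, and how many were newly flagged."""
    evaded = newly_flagged = 0
    for (product, s), flags in scans.items():
        if s != baseline or (product, strategy) not in scans:
            continue
        for before, after in zip(flags, scans[(product, strategy)]):
            if before == "1" and after == "0":
                evaded += 1
            elif before == "0" and after == "1":
                newly_flagged += 1
    return evaded, newly_flagged


if __name__ == "__main__":
    for strategy, stats in rate_change_by_strategy(SAMPLE_SCANS).items():
        evaded, flagged = verdict_flips(SAMPLE_SCANS, strategy)
        print(f"{strategy:<11} avg drop {stats['avg_drop']:5.1f} pp  "
              f"max drop {stats['max_drop']:5.1f} pp  evaded {evaded}  newly flagged {flagged}")
```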
RQ2: Obfuscation tools
17
RQ2 Finding
18
• Detection rate varies based on the obfuscation tool.
• DashO affects detection rate the most.
• ADAM and Apktool/Jarsigner affect detection rate the least.
[Chart: detection rate (%) per obfuscation tool]
RQ3: Time-aware analysis
19
RQ3: Time-aware analysis
20
Average detection rate decreases over time, indicating slow adoption of malicious signatures
21
RQ4: Does code obfuscation affect the functionality of apps?
• Installable app: successfully installed onto an Android device
• Runnable app: runtime behavior is similar to the original app
• Apps tested using Monkey with 1,000 events and the same seed
• Order-aware vs. order-agnostic
22
Runnability of Apps – Order-Aware
• Order-aware: the same set of components run in the same sequence before and after obfuscation
23
[Figure: execution traces using the same test suite: original app C1 C2 C3; order-aware obfuscated app C1 C2 C3]
Runnability of Apps – Order-Agnostic
• Order-agnostic: the same set of components run in any sequence before and after obfuscation
24
[Figure: execution traces using the same test suite: original app C1 C2 C3; order-agnostic obfuscated app C2 C3 C1]
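Both runnability notions above compare the component sequence of the original run with that of the obfuscated run. As an added example that is not the study's code, the script below extracts that sequence from logcat "Displayed" lines (constructed sample lines, same shape as real ActivityManager output) and classifies a build as order-aware, order-agnostic or not runnable; it assumes that when a class-renaming strategy was applied, the obfuscator's mapping file is available to translate the renamed components back (the RENAME_MAP names are hypothetical).

```python
# Added example (not the study's code): derive the sequence of app components that ran
# from logcat output and classify an obfuscated build's runnability as order-aware,
# order-agnostic, or not runnable, following the definitions on the two slides above.
import re

# ActivityManager logs a "Displayed" line each time an Activity is brought to the front.
DISPLAYED_RE = re.compile(r"ActivityManager: Displayed (?P<pkg>[\w.]+)/(?P<cls>[\w.$]+)")

# Constructed sample logs (same shape as real logcat output, not captured from a device).
ORIGINAL_LOG = """\
I ActivityManager: Displayed com.example.app/.MainActivity: +312ms
I ActivityManager: Displayed com.example.app/.DetailActivity: +120ms
I ActivityManager: Displayed com.example.app/.SettingsActivity: +98ms
"""
# Obfuscated build: same three components reached, but in a different order.
REORDERED_LOG = """\
I ActivityManager: Displayed com.example.app/.MainActivity: +330ms
I ActivityManager: Displayed com.example.app/.SettingsActivity: +101ms
I ActivityManager: Displayed com.example.app/.DetailActivity: +125ms
"""
# Obfuscated build that crashes after the first screen.
BROKEN_LOG = """\
I ActivityManager: Displayed com.example.app/.MainActivity: +330ms
E AndroidRuntime: FATAL EXCEPTION: main
"""
# Obfuscated build whose classes were renamed; the obfuscator's mapping file tells us
# which original component each new name stands for (hypothetical names).
RENAMED_LOG = """\
I ActivityManager: Displayed com.example.app/.a: +300ms
I ActivityManager: Displayed com.example.app/.b: +110ms
I ActivityManager: Displayed com.example.app/.c: +95ms
"""
RENAME_MAP = {
    "com.example.app.a": "com.example.app.MainActivity",
    "com.example.app.b": "com.example.app.DetailActivity",
    "com.example.app.c": "com.example.app.SettingsActivity",
}


def component_trace(logcat: str, rename_map: dict = None) -> list:
    """Ordered list of fully qualified components displayed during the run."""
    trace = []
    for line in logcat.splitlines():
        m = DISPLAYED_RE.search(line)
        if not m:
            continue
        pkg, cls = m.group("pkg"), m.group("cls")
        name = pkg + cls if cls.startswith(".") else cls  # expand ".Foo" shorthand
        if rename_map:
            name = rename_map.get(name, name)  # map obfuscated names back to originals
        trace.append(name)
    return trace


def classify_runnability(original: list, obfuscated: list) -> str:
    """'order-aware' if the same components ran in the same sequence, 'order-agnostic'
    if the same set ran in any sequence, otherwise 'not-runnable'. A build that logged
    no component at all (failed install or crash at launch) is never runnable."""
    if not obfuscated:
        return "not-runnable"
    if original == obfuscated:
        return "order-aware"
    if set(original) == set(obfuscated):
        return "order-agnostic"
    return "not-runnable"


if __name__ == "__main__":
    original = component_trace(ORIGINAL_LOG)
    for label, log, mapping in (("reordered", REORDERED_LOG, None),
                                ("broken", BROKEN_LOG, None),
                                ("renamed", RENAMED_LOG, RENAME_MAP)):
        print(label, classify_runnability(original, component_trace(log, mapping)))
```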
RQ4: Does code obfuscation affect the functionality of apps?
25
Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.
Lessons Learned
• Deeper analysis for anti-malware products
  • Program analysis instead of just lexical analysis
• For benign-app developers
  • Reflection to be avoided
  • Combined obfuscations generally non-problematic
• For obfuscation-tool developers
  • Many transformations result in invalid, non-installable, or unrunnable apps
26
Anti-malware products and obfuscation tools
27
[Figure: the obfuscation tools (DashO, ProGuard, DroidChameleon, Allatori, Apktool/Jarsigner, ADAM) and the original, unobfuscated apps placed along two axes: ideal for benign-app developers, obfuscation-tool developers and anti-malware vendors versus ideal for malware authors]
Conclusion
• Large-scale empirical study of the effects of code obfuscation on Android apps and anti-malware products
• Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and up to 90%
• Future
  • Tomorrow – RevealDroid, an approach that detects malware despite such obfuscations
  • Obfuscation tools for the white hats and not the black hats
28
Thank you!
29

代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 

A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android Apps and Anti-Malware Products

  • 1. A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android Apps and Anti-Malware Products
    Mahmoud Hammad, Joshua Garcia, Sam Malek
  • 3. Explosive growth of Android malware
    [Figure] Source:
  • 4. Protection through anti-malware products
    • Smartphone users rely on anti-malware products to protect their devices
  • 5. Anti-malware evasion through obfuscation
    • Code obfuscations
      • Identifier renaming
      • Encryption
      • Reflection
      • …
  • 6. Code obfuscation in Android
    • Transforms code into a format that is more difficult to reverse engineer while preserving its semantics
    [Diagram: APK file (AndroidManifest.xml, classes.dex, Resources) → Obfuscation strategy → Obfuscated APK file]
  • 7. Obfuscation for benign purposes
    • Intellectual Property
      • Make reverse engineering of intellectual property more difficult
  • 8. Obfuscation tools
    • Academic
      • DroidChameleon
      • ADAM
    • Commercial
      • Allatori
      •
    • Open-source
      • ProGuard
      • Apktool
      • Jarsigner
  • 9. Obfuscation strategies
    • Trivial strategies: do not change bytecode
    • Non-trivial strategies: change bytecode
    • Combined strategies
      • Combination of two or more of the previous ones
    [Diagram of strategies: Junk code insertion, String encryption, Reflection, Identifier renaming, Member reordering, Class renaming, Control-flow manipulation, Repackaging, Android Manifest transformation, Disassembly/Reassembly, Alignment]
  • 10. Overall Research Goal
    • Goal: To assess the performance of commercial anti-malware products against various obfuscation tools and strategies
    • Large-Scale Empirical Study
      • Many anti-malware products
      • Many malicious and benign apps
      • Wide variety of obfuscation tools and strategies
      • Relation between time and anti-malware effectiveness
      • Effects of obfuscations on validity, installability, and runnability of apps
  • 11. Scope of the study
    [Diagram: Android apps, Obfuscation tools, Obfuscation strategies, Anti-malware products, with research questions RQ1–RQ4 mapped onto them]
  • 12. Experiment setup
    • Android apps: 3,000 benign, 3,000 malicious, 73,362 obfuscated
    • Obfuscation tools: 7 tools (2 academic, 2 commercial, 3 open source)
    • Obfuscation strategies: 29 strategies (4 trivial, 7 non-trivial, 18 combined)
    • Anti-malware products: 61 products
  • 13. Obfuscation framework
    • The framework is reusable and extendable
    • Written in Python and available to the public [1]
    [1] http://www.ics.uci.edu/~seal/projects/obfuscation/
    [Diagram: IR Converter → IR Transformer → APK Generator → Data Analyzer; the IR is transformed into an obfuscated IR]
  • 14. RQ1: Obfuscation strategies
    [Diagram: Android apps, Obfuscation tools, Obfuscation strategies, Anti-malware products; RQ1–RQ4]
  • 15. RQ1 Findings
    • Code obfuscation decreases the detection rate of anti-malware products by, on average, 20% and up to 90%
    • Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware products, on average, by 28%
  • 16. RQ1 Findings
    • The reflection strategy makes apps look suspicious, increasing the chance of an app being labeled as malicious
    • Combined strategies do not affect the detection rate more than single transformations
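The RQ1 numbers come from aggregating per-product scan verdicts over original and obfuscated apps, the job of the framework's Data Analyzer stage. The following is an added example of that aggregation and is not the study's own code: the scan records are constructed, the product names P1/P2 and strategy labels are placeholders, and the "decrease by 20%" is taken to mean percentage points of detection rate (an assumption; the slides do not say whether the figure is relative or absolute). A negative drop captures the reflection finding, where obfuscation makes a product flag more apps.

```python
"""Detection-rate aggregation for obfuscated-app scan results (added example)."""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# Constructed records: (app id, obfuscation strategy, anti-malware product, detected?).
# "original" marks the unobfuscated version of each malicious app. Not real scan data.
SCANS: List[Tuple[str, str, str, bool]] = [
    ("m1", "original", "P1", True), ("m2", "original", "P1", True),
    ("m3", "original", "P1", True), ("m4", "original", "P1", True),
    ("m1", "original", "P2", True), ("m2", "original", "P2", True),
    ("m3", "original", "P2", True), ("m4", "original", "P2", False),
    # Manifest transformation: P1 loses two detections, P2 is unchanged.
    ("m1", "manifest", "P1", True), ("m2", "manifest", "P1", False),
    ("m3", "manifest", "P1", False), ("m4", "manifest", "P1", True),
    ("m1", "manifest", "P2", True), ("m2", "manifest", "P2", True),
    ("m3", "manifest", "P2", True), ("m4", "manifest", "P2", False),
    # Reflection: P2 now flags m4 as well (the app "looks suspicious").
    ("m1", "reflection", "P1", True), ("m2", "reflection", "P1", True),
    ("m3", "reflection", "P1", True), ("m4", "reflection", "P1", True),
    ("m1", "reflection", "P2", True), ("m2", "reflection", "P2", True),
    ("m3", "reflection", "P2", True), ("m4", "reflection", "P2", True),
]


def detection_rates(scans) -> Dict[Tuple[str, str], float]:
    """Percentage of apps flagged by each product, keyed by (strategy, product)."""
    hits = defaultdict(int)
    totals = defaultdict(int)
    for _app, strategy, product, detected in scans:
        totals[(strategy, product)] += 1
        hits[(strategy, product)] += int(detected)
    return {k: 100.0 * hits[k] / totals[k] for k in totals}


def rate_drops(scans, baseline: str = "original") -> Dict[str, Dict[str, float]]:
    """strategy -> product -> baseline rate minus obfuscated rate, in percentage points.
    Negative values mean the obfuscation made the product flag more apps."""
    rates = detection_rates(scans)
    drops: Dict[str, Dict[str, float]] = defaultdict(dict)
    for (strategy, product), rate in rates.items():
        if strategy == baseline:
            continue
        base = rates.get((baseline, product))
        if base is None:  # product never scanned the baseline apps: skip rather than guess
            continue
        drops[strategy][product] = base - rate
    return dict(drops)


def summarize(scans, baseline: str = "original") -> Dict[str, Tuple[float, float]]:
    """strategy -> (average drop across products, worst-case drop across products)."""
    return {s: (mean(d.values()), max(d.values()))
            for s, d in rate_drops(scans, baseline).items()}


if __name__ == "__main__":
    for strategy, (avg, worst) in sorted(summarize(SCANS).items()):
        print(f"{strategy:10s} avg drop {avg:6.1f} pp   max drop {worst:6.1f} pp")
```

Products that never scanned the baseline apps are skipped rather than compared against a guessed baseline; on real data that is where time-aware effects (RQ3) creep in, since a product's verdict on the original app can itself change between scan dates.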
  • 17. RQ2: Obfuscation tools
    [Diagram: Android apps, Obfuscation tools, Obfuscation strategies, Anti-malware products; RQ1–RQ4]
  • 18. RQ2 Finding
    • Detection rate varies based on the obfuscation tool.
    • DashO affects the detection rate the most.
    • ADAM and Apktool/Jarsigner affect the detection rate the least.
    [Bar chart: Detection rate (%), 0–100, per obfuscation tool]
  • 19. RQ3: Time-aware analysis
    [Diagram: Android apps, Obfuscation tools, Obfuscation strategies, Anti-malware products; RQ1–RQ4]
  • 20. RQ3: Time-aware analysis
    • Average detection rate decreases over time, indicating slow adoption of malicious signatures
  • 22. RQ4: Does code obfuscation affect the functionality of apps?
    • Installable app: successfully installed onto an Android device
    • Runnable app: runtime behavior is similar to the original app
      • Apps tested using Monkey with 1,000 events and the same seed
      • Order-aware vs. order-agnostic
  • 23. Runnability of Apps – Order-Aware
    • Order-aware: the same set of components run in the same sequence before and after obfuscation
    [Diagram: execution traces using the same test suite; original app C1 → C2 → C3; order-aware obfuscated app C1 → C2 → C3]
  • 24. Runnability of Apps – Order-Agnostic
    • Order-agnostic: the same set of components run in any sequence before and after obfuscation
    [Diagram: execution traces using the same test suite; original app C1 → C2 → C3; order-agnostic obfuscated app C2 → C3 → C1]
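The two runnability notions on slides 23 and 24 are a comparison of component execution traces from the original and the obfuscated app driven by the same Monkey run. The following is an added example of that comparison, not the study's framework code: the traces are constructed logcat-style lines in an assumed format (`<time> I/Trace: <component>`, with `I/Trace` a made-up tag for an instrumented app), and the `classify` function applies the slides' two definitions in order, falling back to "not runnable" when the obfuscated run neither matches the sequence nor reaches the same set of components (for instance after a crash).

```python
"""Order-aware vs. order-agnostic runnability check over execution traces (added example)."""
from typing import List

TRACE_MARKER = "I/Trace: "  # assumed log tag emitted by the instrumented app (constructed)

# Constructed traces: the original app and three obfuscated variants of it, each driven
# by the same Monkey test (e.g. `adb shell monkey -p <package> -s <seed> 1000`).
ORIGINAL_TRACE = """\
10:00:01.000 I/Trace: C1
10:00:01.250 I/Trace: C2
10:00:02.100 I/Trace: C3
"""
OBF_SAME_ORDER = """\
10:05:01.000 I/Trace: C1
10:05:01.300 I/Trace: C2
10:05:02.200 I/Trace: C3
"""
OBF_REORDERED = """\
10:10:01.000 I/Trace: C2
10:10:01.400 I/Trace: C3
10:10:02.000 I/Trace: C1
"""
OBF_CRASHED = """\
10:15:01.000 I/Trace: C1
10:15:01.200 I/Trace: C2
10:15:01.250 E/AndroidRuntime: FATAL EXCEPTION: main
"""


def parse_trace(text: str) -> List[str]:
    """Return the sequence of component names recorded in a trace; other log lines are ignored."""
    comps = []
    for line in text.splitlines():
        idx = line.find(TRACE_MARKER)
        if idx != -1:
            comps.append(line[idx + len(TRACE_MARKER):].strip())
    return comps


def order_aware(original: List[str], obfuscated: List[str]) -> bool:
    """Same components in the same sequence (slide 23's definition)."""
    return original == obfuscated


def order_agnostic(original: List[str], obfuscated: List[str]) -> bool:
    """Same set of components in any sequence (slide 24's definition)."""
    return set(original) == set(obfuscated)


def classify(original: List[str], obfuscated: List[str]) -> str:
    """Strongest runnability notion the obfuscated trace satisfies."""
    if order_aware(original, obfuscated):
        return "order-aware"
    if order_agnostic(original, obfuscated):
        return "order-agnostic"
    return "not runnable"


def classify_traces(original_text: str, obfuscated_text: str) -> str:
    return classify(parse_trace(original_text), parse_trace(obfuscated_text))


if __name__ == "__main__":
    for name, trace in [("same order", OBF_SAME_ORDER),
                        ("reordered", OBF_REORDERED),
                        ("crashed", OBF_CRASHED)]:
        print(f"{name:10s} -> {classify_traces(ORIGINAL_TRACE, trace)}")
```

Because `order_agnostic` compares sets, an obfuscated app that runs C1 twice and C2 once still counts as order-agnostic; if repeated executions matter for a given app, compare `collections.Counter` objects instead.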
  • 25. RQ4: Does code obfuscation affect the functionality of apps?
    • Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.
  • 26. Lessons Learned
    • Deeper analysis for anti-malware products
      • Program analysis instead of just lexical analysis
    • For benign-app developers
      • Reflection to be avoided
      • Combined obfuscations generally non-problematic
    • For obfuscation-tool developers
      • Many transformations result in invalid, non-installable, or unrunnable apps
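The first lesson above, program analysis instead of lexical analysis, can be seen on a tiny scale in the following added example (not the study's code, and not any product's detection logic): two constructed smali-style listings of the same method, before and after identifier renaming. A lexical signature keyed on the app's own class and method names stops matching once those names are renamed, whereas a signature keyed on the Android framework API the method invokes still matches, because the obfuscator cannot rename `android.telephony.SmsManager`. The class and method names, the signature lists and the regular expression are all assumptions made for the example.

```python
"""Lexical vs. API-level signatures against identifier renaming (added example)."""
import re
from typing import Dict, Set

# Constructed listing of a method that sends an SMS through the framework API.
ORIGINAL_SMALI = """\
.class public Lcom/example/SmsSender;
.method public sendPremium()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

# The same method after identifier renaming: app-defined names change, framework calls do not.
RENAMED_SMALI = """\
.class public La/b/c;
.method public a()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

# Assumed signatures: one built from app-specific names, one from the framework API used.
LEXICAL_SIGNATURE = ["Lcom/example/SmsSender;", "sendPremium"]
SENSITIVE_APIS: Set[str] = {"Landroid/telephony/SmsManager;->sendTextMessage"}

# Matches the callee of any invoke-* instruction: "Lpkg/Class;->method".
API_CALL_RE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, (L[\w/$]+;->\w+)")


def lexical_match(listing: str) -> bool:
    """Lexical rule: every token of the signature must appear verbatim."""
    return all(tok in listing for tok in LEXICAL_SIGNATURE)


def framework_api_calls(listing: str) -> Set[str]:
    """Set of callees invoked in the listing (a very small slice of program analysis)."""
    return set(API_CALL_RE.findall(listing))


def api_match(listing: str) -> bool:
    """API rule: flag if any sensitive framework method is invoked."""
    return bool(framework_api_calls(listing) & SENSITIVE_APIS)


def scan(listing: str) -> Dict[str, bool]:
    return {"lexical": lexical_match(listing), "api": api_match(listing)}


if __name__ == "__main__":
    print("original:", scan(ORIGINAL_SMALI))
    print("renamed: ", scan(RENAMED_SMALI))
```

The API-based rule is itself only a first step: the reflection strategy on slide 16 replaces the direct `invoke-virtual` with a reflective call, so a detector that wants to keep resolving the target has to track the strings that reach `Class.forName` and `Method.invoke`, which is the kind of deeper analysis the lesson calls for.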
  • 27. Anti-malware products and obfuscation tools
    [Chart placing the obfuscation tools (Original, ADAM, Apktool/Jarsigner, Allatori, ProGuard, DroidChameleon, DashO) on a spectrum from "Ideal for benign app developers, obfuscation-tool developers and anti-malware vendors" to "Ideal for malware authors"]
  • 28. Conclusion
    • Large-scale empirical study of the effects of code obfuscation on Android apps and anti-malware products
    • Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and up to 90%
    • Future
      • Tomorrow: RevealDroid, an approach that detects malware despite such obfuscations
      • Obfuscation tools for the white hats and not the black hats
    Thank You!

Editor's Notes

  1. 21 products selected for paper based on “Most popular anti-malware products with big star rating, i.e., above 4.0/5”
  2. The importance of performing deeper analysis is further highlighted by (1) the fact that transformations need not necessarily be combined to evade anti-malware products (Finding 4) and (2) this evasion worsens for newer apps (Finding 8).