A Large-Scale Empirical Study on the
Effects of Code Obfuscations on Android
Apps and Anti-Malware Products
Mahmoud Hammad Joshua Garcia Sam Malek
85% mobile market share (Source: IDC)
Explosive growth of Android malware
[Figure: Android malware growth chart]
Protection through anti-malware products
• Smartphone users rely on anti-malware products to protect their devices
Anti-malware evasion through obfuscation
• Code obfuscations
  • Identifier renaming
  • Encryption
  • Reflection
  • …
Code obfuscation in Android
• Transforms code into a format that is more difficult to reverse engineer while preserving its semantics
[Figure: APK file (AndroidManifest.xml, classes.dex, Resources) → obfuscation strategy → obfuscated APK file]
Obfuscation for benign purposes
• Intellectual property
  • Make reverse engineering of intellectual property more difficult
Obfuscation tools
• Academic
  • DroidChameleon
  • ADAM
• Commercial
  • Allatori
  • DashO
• Open-source
  • ProGuard
  • Apktool
  • Jarsigner
Obfuscation strategies
• Trivial strategies: do not change bytecode
• Non-trivial strategies: change bytecode
• Combined strategies: a combination of two or more of the previous ones
[Figure: the individual strategies studied: junk code insertion, string encryption, reflection, identifier renaming, member reordering, class renaming, control-flow manipulation, repackaging, Android Manifest transformation, disassembly/reassembly, alignment]
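An added example (not the authors' framework code) of the trivial/non-trivial distinction above: it hashes every entry of an original and an obfuscated APK and reports whether the bytecode (classes.dex, plus classesN.dex in multidex apps) was touched, so a repackaging or manifest transformation is told apart from a strategy that rewrites code. The APKs are built in memory from placeholder bytes; real manifests are binary XML and real signatures are not modelled.

```python
"""Classify what an obfuscation changed inside an APK.

Added example, not the authors' framework code. Trivial strategies in the
deck (repackaging, manifest transformation, ...) leave classes.dex untouched;
non-trivial ones rewrite it. Sample APKs are constructed with placeholder content."""
import hashlib
import io
import zipfile

MANIFEST = "AndroidManifest.xml"


def build_apk(entries: dict) -> bytes:
    """Constructed, APK-shaped zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk: bytes) -> dict:
    """SHA-256 of each entry's uncompressed content, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def is_dex(name: str) -> bool:
    # classes.dex, classes2.dex, ... (multidex apps ship several dex files)
    return name.startswith("classes") and name.endswith(".dex")


def classify(original: bytes, obfuscated: bytes) -> dict:
    """Diff the two APKs entry by entry and label the change trivial/non-trivial."""
    orig, obf = entry_digests(original), entry_digests(obfuscated)
    changed = sorted(n for n in orig if n in obf and orig[n] != obf[n])
    added = sorted(set(obf) - set(orig))
    removed = sorted(set(orig) - set(obf))
    bytecode_touched = any(is_dex(n) for n in changed + added + removed)
    return {
        "category": "non-trivial" if bytecode_touched else "trivial",
        "manifest_changed": MANIFEST in changed,
        "changed": changed, "added": added, "removed": removed,
    }


# Constructed sample: one original build and three obfuscated variants.
BASE = {MANIFEST: b"<manifest package='com.example'/>",
        "classes.dex": b"dex\n035\0original bytecode",
        "META-INF/CERT.RSA": b"signature-of-original"}
ORIGINAL = build_apk(BASE)
# Repackaging: re-signed with another key, nothing else changes.
REPACKAGED = build_apk({**BASE, "META-INF/CERT.RSA": b"signature-of-other-key"})
# Manifest transformation: only AndroidManifest.xml differs.
MANIFEST_TX = build_apk({**BASE, MANIFEST: b"<manifest package='com.example' x='1'/>"})
# Identifier renaming: the bytecode itself is rewritten.
RENAMED = build_apk({**BASE, "classes.dex": b"dex\n035\0renamed bytecode"})


def demo() -> dict:
    """Category of each constructed variant relative to the original."""
    return {name: classify(ORIGINAL, apk)["category"] for name, apk in
            [("repackaging", REPACKAGED), ("manifest transformation", MANIFEST_TX),
             ("identifier renaming", RENAMED)]}
```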
Overall Research Goal
• Goal: to assess the performance of commercial anti-malware products against various obfuscation tools and strategies
• Large-scale empirical study
  • Many anti-malware products
  • Many malicious and benign apps
  • Wide variety of obfuscation tools and strategies
  • Relation between time and anti-malware effectiveness
  • Obfuscation effects on validity, installability, and runnability of apps
Scope of the study
[Figure: the four dimensions of the study (Android apps, obfuscation tools, obfuscation strategies, anti-malware products) and the research questions RQ1–RQ4 that cover them]
Experiment setup
• Android apps: 3,000 benign, 3,000 malicious, 73,362 obfuscated
• Obfuscation tools: 7 (2 academic, 2 commercial, 3 open source)
• Obfuscation strategies: 29 (4 trivial, 7 non-trivial, 18 combined)
• Anti-malware products: 61
Obfuscation framework
• The framework is reusable and extendable
• Written in Python and available to the public [1]
[Figure: framework components: IR Converter (produces the IR), IR Transformer (produces the obfuscated IR), APK Generator, Data Analyzer]
[1] http://www.ics.uci.edu/~seal/projects/obfuscation/
RQ1: Obfuscation strategies
RQ1 Findings
Code obfuscation decreases the detection rate of anti-malware products by, on average, 20% and up to 90%
Manifest transformation, a trivial strategy, decreases the detection rate of anti-malware products, on average, by 28%
RQ1 Findings
The reflection strategy makes apps look suspicious, increasing the chance of an app being labeled as malicious
Combined strategies do not affect the detection rate more than single transformations
RQ2: Obfuscation tools
RQ2 Findings
• Detection rate varies with the obfuscation tool.
• DashO affects the detection rate the most.
• ADAM and Apktool/Jarsigner affect the detection rate the least.
[Figure: bar chart of detection rate (%) per obfuscation tool]
RQ3: Time-aware analysis
RQ3: Time-aware analysis
Average detection rate decreases over time, indicating slow adoption of malicious signatures
RQ4: Does code obfuscation affect the functionality of apps?
• Installable app: successfully installed onto an Android device
• Runnable app: runtime behavior is similar to the original app
• Apps tested using Monkey with 1,000 events and the same seed
• Order-aware vs. order-agnostic
Runnability of Apps – Order-Aware
• Order-aware: the same set of components run in the same sequence before and after obfuscation
[Figure: execution traces using the same test suite. Original app: C1 → C2 → C3. Order-aware obfuscated app: C1 → C2 → C3]
Runnability of Apps – Order-Agnostic
• Order-agnostic: the same set of components run in any sequence before and after obfuscation
[Figure: execution traces using the same test suite. Original app: C1 → C2 → C3. Order-agnostic obfuscated app: C2 → C3 → C1]
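An added example (not the authors' framework code) implementing the order-aware and order-agnostic runnability checks from the two slides above, in Python, the language of the authors' framework, together with the per-outcome percentages that RQ4 reports; the traces, app names and component names are constructed, and the parser assumes renamed components have already been mapped back to their original names.

```python
"""Order-aware vs. order-agnostic runnability check over execution traces.

Added example, not the authors' framework code: compares the components
exercised by the same Monkey run (same events, same seed) on an original app
and on its obfuscated build, as the RQ4 slides define it. Traces are constructed."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Runnability(Enum):
    ORDER_AWARE = "order-aware"        # same components, same sequence
    ORDER_AGNOSTIC = "order-agnostic"  # same components, any sequence
    NOT_RUNNABLE = "not runnable"      # component set differs


@dataclass(frozen=True)
class TraceResult:
    runnability: Runnability
    missing: frozenset  # components the original ran but the obfuscated app did not
    extra: frozenset    # components only the obfuscated app ran


def parse_trace(raw: str) -> list:
    """One component name per line; blank lines and '#' comments are ignored.
    Assumption: components renamed by the obfuscator (e.g. ProGuard) have
    already been mapped back to their original names; otherwise each one is
    counted as missing plus extra and the app is misclassified as not runnable."""
    lines = (ln.strip() for ln in raw.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def compare_traces(original: list, obfuscated: list) -> TraceResult:
    """Classify the obfuscated app's trace against the original's."""
    missing = frozenset(set(original) - set(obfuscated))
    extra = frozenset(set(obfuscated) - set(original))
    if missing or extra:
        return TraceResult(Runnability.NOT_RUNNABLE, missing, extra)
    if original == obfuscated:  # identical sequence, repeats included
        return TraceResult(Runnability.ORDER_AWARE, missing, extra)
    return TraceResult(Runnability.ORDER_AGNOSTIC, missing, extra)


def summarize(results: dict) -> dict:
    """Percentage of apps per outcome. results maps app name -> TraceResult,
    or None when the obfuscated APK did not install (nothing to compare)."""
    counts = Counter("not installable" if r is None else r.runnability.value
                     for r in results.values())
    outcomes = ["not installable"] + [m.value for m in Runnability]
    return {k: round(100.0 * counts[k] / len(results), 1) for k in outcomes}


# Constructed traces: component launch order logged during one Monkey run.
ORIGINAL = """
com.example.MainActivity
com.example.LoginActivity
com.example.SyncService
"""
SAME_ORDER = ORIGINAL  # behaviour fully preserved
REORDERED = """
com.example.LoginActivity
com.example.SyncService
com.example.MainActivity
"""  # same components, different sequence
SERVICE_LOST = """
com.example.MainActivity
com.example.LoginActivity
"""  # the service never started after obfuscation


def demo() -> dict:
    """Outcome percentages for four constructed apps."""
    orig = parse_trace(ORIGINAL)
    results = {
        "app-a": compare_traces(orig, parse_trace(SAME_ORDER)),
        "app-b": compare_traces(orig, parse_trace(REORDERED)),
        "app-c": compare_traces(orig, parse_trace(SERVICE_LOST)),
        "app-d": None,  # obfuscated APK failed to install
    }
    return summarize(results)
```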
RQ4: Does code obfuscation affect the functionality of apps?
Code obfuscation significantly affects the behavior of apps, showing the need for improving obfuscation tools.
Lessons Learned
• Deeper analysis for anti-malware products
  • Program analysis instead of just lexical analysis
• For benign-app developers
  • Reflection to be avoided
  • Combined obfuscations generally non-problematic
• For obfuscation-tool developers
  • Many transformations result in invalid, non-installable, or unrunnable apps
Anti-malware products and obfuscation tools
[Figure: plot of the original apps and the obfuscation tools ADAM, DashO, DroidChameleon, ProGuard, Allatori and Apktool/Jarsigner; one region is labeled "Ideal for benign app developers, obfuscation-tool developers, anti-malware vendors", the other "Ideal for malware authors"]
Conclusion
• Large-scale empirical study of the effects of code obfuscation on Android apps and anti-malware products
• Code obfuscations decrease commercial anti-malware detection rates by, on average, 20% and up to 90%
• Future
  • Tomorrow – RevealDroid, an approach that detects malware despite such obfuscations
  • Obfuscation tools for the white hats and not the black hats
Thank you!


Editor's Notes

  1. 21 products selected for paper based on “Most popular anti-malware products with big star rating, i.e., above 4.0/5”
  2. The importance of performing deeper analysis is further highlighted by (1) the fact that transformations need not necessarily be combined to evade anti-malware products (Finding 4) and (2) this evasion worsens for newer apps (Finding 8).