'I am not the D'r.0,1d you are looking for': an analysis of Android malware obfuscation

Samir Mody, K7 Computing


Many Android malware scanners, including Google's own built-in one, rely heavily on checksum-based signatures or cloud look-ups, and simple generic patterns to detect malicious apps. Simple pattern-matching is effective since obfuscation techniques currently used by Android malware authors are primitive, typically involving a modification of the metadata constituents within a self-signed ZIP-based APK archive to change its hash. The app's functionality, and hence its core binaries, remain unchanged.

However, Android malware authors have shown a tendency to follow the Windows malware model, but over a significantly shorter timeframe. As the volume of Android malware grows and more anti-virus vendors provide protection against it, it is to be expected that Android malware, like its Windows counterpart, will begin to exhibit more sophisticated detection-evasion and anti-reversing functionality. Today's Windows malware is dominated by obfuscation and packing, which sets the tone for tomorrow's Android malware. In fact, the legitimate obfuscation tool ProGuard from android.com currently obscures class and method names in Android apps.

Nevertheless, it is code obfuscation which would complicate the detection strategy for Android malware, especially given memory footprint limitations. Code obfuscation in malicious apps or PUAs is not only possible, it is inevitable, GooglePlay restrictions notwithstanding. The Dalvik executable (.dex) byte-code instruction set supports registers, arithmetic operators, and even nops, thus providing scope for the insertion of junk polymorphic instructions and metamorphism.

This paper analyses the methods of obfuscation currently used by Android malware authors, and presents examples of .dex byte-code and data obfuscation techniques which are likely to be abused in the future. Let us understand the scope of tomorrow's attack.
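As an added illustration of the first paragraph of the abstract (not code from the paper or from K7 Computing), the sketch below shows why a whole-archive checksum stops matching when only APK metadata changes, while a digest taken over the `.dex` members still matches. The archives, the manifest contents and all function names are constructed for this example; the "dex" bytes are placeholders, not real Dalvik byte-code.

```python
import hashlib
import io
import zipfile

FIXED_TIME = (2013, 1, 1, 0, 0, 0)  # fixed timestamp so the builds are reproducible


def build_sample_apk(dex: bytes, manifest: bytes) -> bytes:
    """Build a constructed ZIP standing in for an APK (not an installable app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("classes.dex", FIXED_TIME), dex)
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", FIXED_TIME), manifest)
    return buf.getvalue()


def archive_digest(apk: bytes) -> str:
    """Whole-file SHA-256: what a checksum signature or cloud look-up keys on."""
    return hashlib.sha256(apk).hexdigest()


def dex_digests(apk: bytes) -> dict:
    """SHA-256 of every uncompressed .dex member, keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if info.filename.endswith(".dex")
        }


def same_core(apk_a: bytes, apk_b: bytes) -> bool:
    """True when both archives carry identical, non-empty sets of .dex members."""
    a, b = dex_digests(apk_a), dex_digests(apk_b)
    return bool(a) and a == b


# Constructed sample data: placeholder bytes, not real Dalvik byte-code.
DEX = b"dex\n035\x00" + b"constructed-sample-bytecode"
ORIGINAL = build_sample_apk(DEX, b"Manifest-Version: 1.0\n")
REPACKED = build_sample_apk(DEX, b"Manifest-Version: 1.0\nX-Note: changed\n")
DIFFERENT = build_sample_apk(DEX + b"\x00", b"Manifest-Version: 1.0\n")

if __name__ == "__main__":
    print("archive hashes equal:", archive_digest(ORIGINAL) == archive_digest(REPACKED))
    print("dex members equal:   ", same_core(ORIGINAL, REPACKED))
    print("different dex equal: ", same_core(ORIGINAL, DIFFERENT))
```

A member-level digest only holds while the `.dex` itself is unchanged; the byte-code obfuscation the abstract anticipates would alter that digest as well.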

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
