Friday 26 September 10:00 - 10:30, Red room.
Rowland Yu (Sophos)
Recently, SophosLabs has noted an increase in the use of Android packers on APK files. An Android packer encrypts the original classes.dex file, ships an ELF native library that decrypts the dex into memory at runtime, and then executes the decrypted code via DexClassLoader. In other words, Android packers change the overall structure and control flow of an Android APK, which is more complex than obfuscation techniques such as ProGuard, DexGuard and junk byte injection.
Android packers were originally created to protect the intellectual property of applications against being copied or altered by others for profit. ApkProtect.com and Bangcle.com were the first two providers of online packing services. Bangcle.com even employs virus scan engines to prevent malware from being packed. However, their centralized measuring systems and scanning engines could not stop malware authors from using their services. A growing percentage of malware, such as bank Zeus, SMS Sender, and re-packaged applications, is packed by these services. In addition, SophosLabs has found malware packed by a customized packer.
As a result, security researchers are facing a great challenge in overcoming the complexity of these packers' anti-decompiler and anti-debugging strategies. Existing reverse engineering (RE) tools are not able to unpack and inspect hidden payloads within packed applications. Android sandboxes have trouble offering dynamic analysis information as packed applications on Android Emulator keep crashing. Therefore, distinguishing Android malware from a group of packed applications is much harder than from a number of obfuscated applications.
This paper addresses the anti-decompiler and anti-debugging techniques of the above packers, reveals the latest statistics on Android packed malware, uses static RE utilities to analyse their logic flow and data structures, and demonstrates runtime behaviours via dynamic tools. Furthermore, we are building solutions to investigate hidden payloads by restoring the original Android dex files from a memory dump. Finally, the paper presents a generic method to detect Android packed malware.
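The restoration step described above (recovering the decrypted classes.dex from a memory dump once the packer's ELF stub has unpacked it) comes down to locating DEX headers in a dump and checking that a candidate is a complete, unmodified dex image. The following is an added illustration written for this page, not code from the paper or from SophosLabs; it relies only on the published Dalvik dex header layout (8-byte magic, Adler-32 checksum over offset 12 onward, SHA-1 signature over offset 32 onward, file_size, header_size of 0x70 and the little-endian endian_tag). The sample dump and its "payload" bytes are constructed, and the helper that builds them exists only so the example runs offline.

```python
import hashlib
import re
import struct
import zlib

HEADER_SIZE = 0x70            # fixed length of the dex header
ENDIAN_CONSTANT = 0x12345678  # value of header.endian_tag for little-endian files
# dex magic is "dex\n" + three-digit version + NUL; accept versions 035..039
DEX_MAGIC_RE = re.compile(rb"dex\n03[5-9]\x00")


def build_dex_image(payload: bytes) -> bytes:
    """Constructed test data: wrap an arbitrary payload in a header-valid
    dex-shaped blob. The payload is NOT real dex sections; only the header
    fields that a carver checks (sizes, checksum, signature) are genuine."""
    file_size = HEADER_SIZE + len(payload)
    # fields from offset 32: file_size, header_size, endian_tag, then the
    # remaining 17 uint32 fields (link/map/ids/data sizes and offsets) left zero
    rest = struct.pack("<III", file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    rest += b"\x00" * (HEADER_SIZE - 32 - len(rest)) + payload
    signature = hashlib.sha1(rest).digest()        # SHA-1 covers offset 32..end
    checked = signature + rest                     # Adler-32 covers offset 12..end
    checksum = zlib.adler32(checked) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + checked


def carve_dex(dump: bytes) -> list:
    """Scan a memory dump for dex headers and classify every candidate as
    'ok', 'bad_header', 'truncated' or 'checksum_mismatch'. Complete, intact
    images are returned in the 'image' field so they can be written to disk."""
    found = []
    for m in DEX_MAGIC_RE.finditer(dump):
        off = m.start()
        entry = {"offset": off, "status": None, "image": None}
        if off + HEADER_SIZE > len(dump):
            entry["status"] = "truncated"          # header itself runs off the end
            found.append(entry)
            continue
        file_size, header_size, endian = struct.unpack_from("<III", dump, off + 32)
        if header_size != HEADER_SIZE or endian != ENDIAN_CONSTANT or file_size < HEADER_SIZE:
            entry["status"] = "bad_header"         # magic bytes without a sane header
            found.append(entry)
            continue
        entry["file_size"] = file_size
        if off + file_size > len(dump):
            entry["status"] = "truncated"          # dump ends before file_size bytes
            found.append(entry)
            continue
        image = dump[off:off + file_size]
        (stored_checksum,) = struct.unpack_from("<I", image, 8)
        stored_sig = image[12:32]
        checksum_ok = (zlib.adler32(image[12:]) & 0xFFFFFFFF) == stored_checksum
        sig_ok = hashlib.sha1(image[32:]).digest() == stored_sig
        entry["status"] = "ok" if (checksum_ok and sig_ok) else "checksum_mismatch"
        entry["image"] = image
        found.append(entry)
    return found


# Constructed dump: filler, a decoy magic followed by garbage, more filler,
# one valid image, filler, and a second copy cut off by the end of the dump.
GOOD_IMAGE = build_dex_image(b"constructed payload bytes " * 8)
SAMPLE_DUMP = (
    b"\x90" * 64
    + b"dex\n035\x00" + b"\xff" * 200
    + b"\x00" * 32
    + GOOD_IMAGE
    + b"\x41" * 16
    + GOOD_IMAGE[:80]
)

if __name__ == "__main__":
    for e in carve_dex(SAMPLE_DUMP):
        print(f"offset={e['offset']:#x} status={e['status']} size={e.get('file_size')}")
```

Only candidates whose Adler-32 and SHA-1 both verify are worth feeding to a decompiler; a header whose file_size points past the end of the dump usually means the region was captured mid-decryption or the dump was taken from the wrong process mapping, and a checksum mismatch after a clean-looking header is the signal that the packer patched the image in memory after loading it.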
Rowland Yu is a senior threat researcher at SophosLabs, where he has worked for eight years. He specializes in spam, malware reverse engineering and remediation, and DLP (data leakage protection). During the last three years, Rowland has focused on the Android security threat and leads a team responsible for Android malware analysis. He has published several papers related to Android and has presented at Virus Bulletin and AVAR conferences. Rowland now lives with his wife and son in Sydney, Australia.