Thursday 1 October 15:00 - 15:30, Red room
Jun Yong Park (AhnLab)
Seolwoo Joo (AhnLab)
With the rapid growth of Android applications and malware, behaviour-based detection is one of the most promising approaches. Many security researchers struggle with how to determine malicious behaviours and identify malware. Visualization of executables is one of the most effective ways to identify malware. However, there is no well-known or generic way for day-to-day security researchers to visualize the behaviours of Android applications and malware.
In this paper, we will address how the behaviours of Dalvik executables can be visualized effectively by DEVIL. DEVIL, also known as Dex Visualizer, is a graph-based approach for visualizing the flow of various Dalvik objects, typically classes. Currently, DEVIL uses only static analysis information, but it can easily be integrated with dynamic analysis information by design. This paper, however, will focus on how to generate inter-object relations and visualize them as a graph. For example, inter-object relations can be generated by tracing so-called Android Application Lifecycle triggers, which may be Android APIs, permissions, intents and so on. The graph is visualized by the force-directed layout algorithm of the d3.js framework, using the inter-object relations.
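To make the inter-object relations concrete, here is an added JavaScript example (not DEVIL's own code, which this page does not publish): from constructed per-class static-analysis facts it builds the class and trigger nodes and the links between them in the {nodes, links} form a d3.js force-directed layout consumes, and walks the graph from a lifecycle trigger to see which classes it drives. The class names, triggers and calls are assumed sample data.

```javascript
// Constructed sample input: per-class facts a static analyser might extract
// from a DEX. "calls" are class-to-class invocations; "triggers" are the
// lifecycle entry points (intents, permissions) tied to the class.
const SAMPLE_CLASSES = [
  { name: "com.example.MainActivity", calls: ["com.example.Loader"],
    triggers: ["android.intent.action.MAIN"] },
  { name: "com.example.Loader", calls: ["com.example.NetUtil"], triggers: [] },
  { name: "com.example.NetUtil", calls: [], triggers: ["android.permission.INTERNET"] },
  { name: "com.example.SmsReceiver", calls: ["com.example.NetUtil"],
    triggers: ["android.provider.Telephony.SMS_RECEIVED", "android.permission.RECEIVE_SMS"] },
];

// One node per class and per trigger, an "invoke" link per call and a
// "trigger" link from each trigger to the class it fires: the {nodes, links}
// shape a d3.js force-directed layout (d3.forceSimulation + d3.forceLink) consumes.
function buildGraph(classes) {
  const nodes = classes.map((c) => ({ id: c.name, kind: "class" }));
  const seenTriggers = new Set();
  const links = [];
  for (const c of classes) {
    for (const callee of c.calls) links.push({ source: c.name, target: callee, kind: "invoke" });
    for (const t of c.triggers) {
      if (!seenTriggers.has(t)) {
        seenTriggers.add(t);
        nodes.push({ id: t, kind: "trigger" });
      }
      links.push({ source: t, target: c.name, kind: "trigger" });
    }
  }
  return { nodes, links };
}

// Nodes reached from a trigger by following the directed links (BFS order):
// answers "which code does an SMS_RECEIVED broadcast ultimately drive?".
function reachableFrom(graph, startId) {
  const out = new Map();
  for (const l of graph.links) {
    if (!out.has(l.source)) out.set(l.source, []);
    out.get(l.source).push(l.target);
  }
  const seen = new Set([startId]), queue = [startId], reached = [];
  while (queue.length) {
    const id = queue.shift();
    if (id !== startId) reached.push(id);
    for (const next of out.get(id) || []) {
      if (!seen.has(next)) { seen.add(next); queue.push(next); }
    }
  }
  return reached;
}
```

In a browser the returned object can be handed directly to `d3.forceSimulation(graph.nodes).force("link", d3.forceLink(graph.links).id((d) => d.id))` to obtain the force-directed picture the talk describes.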
Finally, we will demonstrate some results of force-directed graph visualization of Android malware and round off with some examples of how DEVIL could be applied to detecting Android malware.
Jun Yong Park
Jun Yong Park is a senior principal researcher and architect at AhnLab, Inc., where he has made a variety of contributions to anti-virus engines, endpoint products and security research since 2004. He is not only a professional programmer but also an expert in malware analysis, and he sincerely hopes to eliminate the long-established chasm between programming engineers and malware researchers. In recent years his research interests have included, but are not limited to, Android and visualization.