Automated Detection and Classification for Packed Android...
Transcript of Automated Detection and Classification for Packed Android...
Automated Detection and Classification for Packed Android Applications
Yibin Liao, Jiakuan Li, Bo Li, Guodong Zhu, Yue Yin, Ruoyan Cai
Network System and Security (NSS) Lab, University of Georgia (UGA)
Goal
• Detection – Automatically identify packed Android apps
• Classification – Automatically classify different packers into different groups
How an Android App is Built and Run
Java Source Code (.java) -> Java Compiler -> Java Bytecode (.class) -> Dex Compiler -> Dalvik Bytecode (.dex, the Dalvik Executable) -> Dalvik VM
Packed Android App
[Figure: the same build pipeline, Java Source Code (.java) -> Java Compiler -> Java Bytecode (.class) -> Dex Compiler -> Dalvik Bytecode (.dex) -> Dalvik VM, shown for a packed app]
Code Tree of Decompiled Dex
[Figure: code trees of the decompiled dex for the original app and for the same app packed with ijiami, Bangcle and Ali]
Current problems
• Packed Android malware
• Manual effort for analysis – tedious
• Packers are evolving – unpacking approaches only work for a limited time, or for particular types of packers.
Current packing techniques
• Code obfuscation
• Anti-debugging
• Bytecode hiding
• Dynamic code modification
• Dynamic loading
Our approach
Detection
• Combined static and dynamic analysis
– Static: static analysis tools (baksmali)
– Dynamic: DVM instrumentation
– Compare classes from static and dynamic analysis
Classification
• Runtime environment monitoring to capture the execution behavior pattern
– System calls: kernel modules
– IPC transaction: Binder trace
– Native-to-Java interaction: JNI trace
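One way to implement the comparison step, as an added example that is not the NSS Lab tool: it takes the class descriptors baksmali recovers from the shipped classes.dex and the descriptors the instrumented DVM reports when classes are loaded, and flags the app when app-namespace classes were loaded that static analysis never saw. The baksmali layout (one .smali file per class, opening with a `.class` directive) is real; the `LOAD <descriptor>` log format and all sample inputs are assumptions constructed for the example.

```python
"""Detect a packed app by comparing the classes baksmali can see in
classes.dex with the classes the instrumented DVM actually loads.

Added example, not the NSS Lab detector. Assumptions (not from the slides):
  - static side: baksmali output, one .smali file per class, opening with
    `.class <flags> Lcom/pkg/Name;`
  - dynamic side: a log from the instrumented DVM with one line per loaded
    class, formatted `LOAD <descriptor>`
"""
import re
from typing import Dict, Iterable, List, Set

CLASS_DIRECTIVE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;\s]+;)", re.M)
LOAD_LINE = re.compile(r"^LOAD\s+(L[^;\s]+;)\s*$", re.M)

# Classes every app loads from the platform; they carry no signal either way.
FRAMEWORK_PREFIXES = ("Landroid/", "Ljava/", "Ljavax/", "Ldalvik/", "Llibcore/")


def static_classes(smali_sources: Iterable[str]) -> Set[str]:
    """Descriptors of the classes baksmali recovered from the shipped dex."""
    found: Set[str] = set()
    for text in smali_sources:
        match = CLASS_DIRECTIVE.search(text)
        if match:
            found.add(match.group(1))
    return found


def runtime_classes(dvm_log: str) -> Set[str]:
    """Descriptors reported at class-load time, minus framework classes."""
    return {d for d in LOAD_LINE.findall(dvm_log)
            if not d.startswith(FRAMEWORK_PREFIXES)}


def detect(smali_sources: Iterable[str], dvm_log: str) -> Dict[str, object]:
    """A packer leaves only a small loader stub in classes.dex and restores
    the real classes at runtime, so app classes that were loaded but never
    seen statically are the signal. Report them and flag the app."""
    static = static_classes(smali_sources)
    dynamic = runtime_classes(dvm_log)
    hidden: List[str] = sorted(dynamic - static)
    return {
        "static_count": len(static),
        "dynamic_count": len(dynamic),
        "hidden": hidden,
        "packed": bool(hidden),
    }


# --- constructed sample input -------------------------------------------
# classes.dex of a packed app: only the stub Application survives statically.
PACKED_SMALI = [
    ".class public Lcom/example/app/StubApplication;\n"
    ".super Landroid/app/Application;\n"
    ".method public attachBaseContext(Landroid/content/Context;)V\n"
    "    .locals 0\n    return-void\n.end method\n",
]
# classes.dex of the same app unpacked: every class is visible to baksmali.
PLAIN_SMALI = PACKED_SMALI + [
    ".class public Lcom/example/app/MainActivity;\n.super Landroid/app/Activity;\n",
    ".class public final Lcom/example/app/net/Uploader;\n.super Ljava/lang/Object;\n",
]
# What the instrumented DVM logs in either case: the real classes get loaded.
DVM_LOG = """\
LOAD Landroid/app/Application;
LOAD Lcom/example/app/StubApplication;
LOAD Landroid/app/Activity;
LOAD Lcom/example/app/MainActivity;
LOAD Lcom/example/app/net/Uploader;
LOAD Ljava/lang/Object;
"""

if __name__ == "__main__":
    for name, smali in (("packed", PACKED_SMALI), ("plain", PLAIN_SMALI)):
        print(name, detect(smali, DVM_LOG))
```

Two caveats a practitioner would want. An app that uses DexClassLoader legitimately (plugin frameworks, hot patching) also loads classes absent from classes.dex, so a hit on this comparison means "code appears at runtime that was not shipped in the dex", not "malware". And a packer that keeps the class names but swaps method bodies at runtime (the dynamic code modification technique listed above) does not show up in a name-only comparison; the instrumented DVM also captures methods and fields, and comparing those narrows that gap.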
Overview
[Figure: system overview. Detection module: Android apps go through static analysis (baksmali -> smali files -> classes) and dynamic analysis (instrumented DVM -> classes); a comparer of the two class sets reports the packed apps. Classification module: the packed apps run under a system call monitor, a native-to-Java monitor and a Binder transaction monitor; the resulting behavior patterns feed a classifier that groups them into packed apps set 1, set 2, set 3, ..., set N.]
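As an added example of the classification module (not the NSS Lab code), here is the path from monitor output to a family label: the merged trace from the three monitors is turned into a frequency profile of system calls, Binder transactions and JNI calls, reference profiles are averaged from samples of known families, and an unseen sample is assigned to the nearest family by cosine similarity or reported as unknown. The line format `<SYSCALL|BINDER|JNI> <name>`, the two families and every trace below are constructed for illustration and describe no real packer.

```python
"""Group packed apps by their runtime behavior pattern.

Added example, not the NSS Lab classifier. It assumes the three monitors in
the slides (system calls, Binder transactions, JNI calls) emit one event per
line as `<SYSCALL|BINDER|JNI> <name>`; the monitor output below and the two
reference families are constructed for illustration.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

EVENT_KINDS = ("SYSCALL", "BINDER", "JNI")
Profile = Dict[str, float]


def parse_trace(trace: str) -> Counter:
    """Bag of `kind:name` events from the merged monitor output."""
    events: Counter = Counter()
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in EVENT_KINDS:
            events[f"{parts[0]}:{parts[1]}"] += 1
    return events


def to_profile(events: Counter) -> Profile:
    """Relative event frequencies, so a longer run does not look different."""
    total = sum(events.values())
    return {k: v / total for k, v in events.items()} if total else {}


def cosine(a: Profile, b: Profile) -> float:
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def build_centroids(labelled: List[Tuple[str, str]]) -> Dict[str, Profile]:
    """One averaged profile per packer family from traces of known samples."""
    sums: Dict[str, Counter] = {}
    counts: Counter = Counter()
    for label, trace in labelled:
        sums.setdefault(label, Counter()).update(to_profile(parse_trace(trace)))
        counts[label] += 1
    return {label: {k: v / counts[label] for k, v in s.items()}
            for label, s in sums.items()}


def classify(trace: str, centroids: Dict[str, Profile],
             min_similarity: float = 0.6) -> Tuple[str, float]:
    """Nearest centroid by cosine similarity; below the threshold the sample
    is reported as unknown rather than forced into an existing family."""
    profile = to_profile(parse_trace(trace))
    best_label, best_score = "unknown", 0.0
    for label, centroid in centroids.items():
        score = cosine(profile, centroid)
        if score > best_score:
            best_label, best_score = label, score
    if best_score < min_similarity:
        best_label = "unknown"
    return best_label, best_score


# --- constructed sample traces ------------------------------------------
# family_1: unpacks in native code (maps and re-protects memory, then
# registers natives and defines classes through JNI).
FAMILY_1 = [
    "SYSCALL mmap\nSYSCALL mprotect\nSYSCALL mprotect\n"
    "JNI RegisterNatives\nJNI DefineClass\nBINDER IActivityManager\n",
    "SYSCALL mmap\nSYSCALL mmap\nSYSCALL mprotect\n"
    "JNI RegisterNatives\nJNI DefineClass\nJNI DefineClass\n",
]
# family_2: writes a dex to disk and loads it through the Java class loader.
FAMILY_2 = [
    "SYSCALL open\nSYSCALL write\nSYSCALL close\n"
    "BINDER IPackageManager\nJNI CallObjectMethod\nJNI FindClass\n",
    "SYSCALL open\nSYSCALL write\nSYSCALL write\nSYSCALL close\n"
    "JNI FindClass\nJNI CallObjectMethod\nBINDER IPackageManager\n",
]
LABELLED = [("family_1", t) for t in FAMILY_1] + [("family_2", t) for t in FAMILY_2]

UNSEEN_TRACE = ("SYSCALL mmap\nSYSCALL mprotect\nJNI DefineClass\n"
                "JNI RegisterNatives\nSYSCALL mprotect\n")
UNRELATED_TRACE = "SYSCALL read\nSYSCALL read\nBINDER IWindowManager\n"

if __name__ == "__main__":
    centroids = build_centroids(LABELLED)
    print(classify(UNSEEN_TRACE, centroids))
    print(classify(UNRELATED_TRACE, centroids))
```

The similarity threshold is what keeps a new packer from being silently absorbed into an existing group; a sample that matches nothing should surface as unknown and become the seed of a new set. Frequency profiles discard ordering and arguments, and the real monitors (kernel modules for system calls, Binder and JNI tracing inside the instrumented runtime) see much more than a name: the path of a dex written to disk, or the Binder interface together with its transaction code, separates families more sharply than counts alone. Since anti-debugging is among the packing techniques listed above, a packer may behave differently once it notices the instrumented environment, so the reference profiles must be collected under the same instrumentation that is used at classification time.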
VM instrumentation (DVM)
Unzip apk -> dex files
Open and read dex file
Initialize classes
Load classes: insert code to capture the class information (names, methods, fields, etc.)
Conclusion
• Implemented a detection module to identify packed Android apps
• Proposed approaches to extract the execution behavior from different packers
Thank you
Q&A?