1,829 research outputs found
Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild
In this paper, we seek to better understand Android obfuscation and depict a
holistic view of the usage of obfuscation through a large-scale investigation
in the wild. In particular, we focus on four popular obfuscation approaches:
identifier renaming, string encryption, Java reflection, and packing. To obtain
the meaningful statistical results, we designed efficient and lightweight
detection models for each obfuscation technique and applied them to our massive
APK datasets (collected from Google Play, multiple third-party markets, and
malware databases). We have learned several interesting facts from the result.
For example, malware authors use string encryption more frequently, and more
apps on third-party markets than Google Play are packed. We are also interested
in the explanation of each finding. Therefore we carry out in-depth code
analysis on some Android apps after sampling. We believe our study will help
developers select the most suitable obfuscation approach, and in the meantime
help researchers improve code analysis systems in the right direction
Partial Evaluation for Java Malware Detection
The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform, which has a JVM implementation. Metasploit is a well-known source of Java exploits and to circumvent detection by Anti Virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products
Partial Evaluation of String Obfuscations for Java Malware Detection
The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform, which has a JVM implementation. Metasploit is a well-known source of Javaexploits and to circumvent detection by Anti Virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include stringobfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is an intermediate language for JVM bytecode designed for optimisation and program analysis, and demonstrates how partially evaluated Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products
Assessment of Source Code Obfuscation Techniques
Obfuscation techniques are a general category of software protections widely
adopted to prevent malicious tampering of the code by making applications more
difficult to understand and thus harder to modify. Obfuscation techniques are
divided in code and data obfuscation, depending on the protected asset. While
preliminary empirical studies have been conducted to determine the impact of
code obfuscation, our work aims at assessing the effectiveness and efficiency
in preventing attacks of a specific data obfuscation technique - VarMerge. We
conducted an experiment with student participants performing two attack tasks
on clear and obfuscated versions of two applications written in C. The
experiment showed a significant effect of data obfuscation on both the time
required to complete and the successful attack efficiency. An application with
VarMerge reduces by six times the number of successful attacks per unit of
time. This outcome provides a practical clue that can be used when applying
software protections based on data obfuscation.Comment: Post-print, SCAM 201
Achieving Obfuscation Through Self-Modifying Code: A Theoretical Model
With the extreme amount of data and software available on networks, the protection of online information is one of the most important tasks of this technological age. There is no such thing as safe computing, and it is inevitable that security breaches will occur. Thus, security professionals and practices focus on two areas: security, preventing a breach from occurring, and resiliency, minimizing the damages once a breach has occurred. One of the most important practices for adding resiliency to source code is through obfuscation, a method of re-writing the code to a form that is virtually unreadable. This makes the code incredibly hard to decipher by attackers, protecting intellectual property and reducing the amount of information gained by the malicious actor. Achieving obfuscation through the use of self-modifying code, code that mutates during runtime, is a complicated but impressive undertaking that creates an incredibly robust obfuscating system. While there is a great amount of research that is still ongoing, the preliminary results of this subject suggest that the application of self-modifying code to obfuscation may yield self-maintaining software capable of healing itself following an attack
Eight years of rider measurement in the Android malware ecosystem: evolution and lessons learned
Despite the growing threat posed by Android malware,
the research community is still lacking a comprehensive
view of common behaviors and trends exposed by malware families
active on the platform. Without such view, the researchers
incur the risk of developing systems that only detect outdated
threats, missing the most recent ones. In this paper, we conduct
the largest measurement of Android malware behavior to date,
analyzing over 1.2 million malware samples that belong to 1.2K
families over a period of eight years (from 2010 to 2017). We
aim at understanding how the behavior of Android malware
has evolved over time, focusing on repackaging malware. In
this type of threats different innocuous apps are piggybacked
with a malicious payload (rider), allowing inexpensive malware
manufacturing.
One of the main challenges posed when studying repackaged
malware is slicing the app to split benign components apart from
the malicious ones. To address this problem, we use differential
analysis to isolate software components that are irrelevant to the
campaign and study the behavior of malicious riders alone. Our
analysis framework relies on collective repositories and recent
advances on the systematization of intelligence extracted from
multiple anti-virus vendors. We find that since its infancy in
2010, the Android malware ecosystem has changed significantly,
both in the type of malicious activity performed by the malicious
samples and in the level of obfuscation used by malware to avoid
detection. We then show that our framework can aid analysts
who attempt to study unknown malware families. Finally, we
discuss what our findings mean for Android malware detection
research, highlighting areas that need further attention by the
research community.Accepted manuscrip
Obfuscating Java Programs by Translating Selected Portions of Bytecode to Native Libraries
Code obfuscation is a popular approach to turn program comprehension and
analysis harder, with the aim of mitigating threats related to malicious
reverse engineering and code tampering. However, programming languages that
compile to high level bytecode (e.g., Java) can be obfuscated only to a limited
extent. In fact, high level bytecode still contains high level relevant
information that an attacker might exploit.
In order to enable more resilient obfuscations, part of these programs might
be implemented with programming languages (e.g., C) that compile to low level
machine-dependent code. In fact, machine code contains and leaks less high
level information and it enables more resilient obfuscations.
In this paper, we present an approach to automatically translate critical
sections of high level Java bytecode to C code, so that more effective
obfuscations can be resorted to. Moreover, a developer can still work with a
single programming language, i.e., Java
- …