Obfuscation in the Android ecosystem
by Eduardo Blázquez (University Carlos III Madrid)
Modifying a software application to make it harder to analyse is a practice that has existed for years. One common goal is hiding the Intellectual Property (IP) embedded in the code, such as licensing algorithms or a program’s logic. Software protection techniques are also used by threat actors to hide malicious behaviour in malware. The term obfuscation is typically used to refer to such modifications.
Because Android applications are relatively easy to analyse, and because more and more apps handle sensitive user information (e.g., financial applications, medical records, or user contacts), obfuscation techniques are becoming more prevalent on Android as well. Today several companies focus on developing and commercialising protections for Android applications, packaging obfuscation techniques in a form that is easy for developers to integrate.
As previously mentioned, obfuscation techniques are not only present in benign software applications, but are also adopted by malicious developers, increasing the complexity of the analysis. We find applications where the malicious code is not implemented directly in the application’s code but loaded (and often decrypted) at runtime, so that static analysis of the shipped code never sees it. These malicious applications can also check the environment they are running in, detecting different sandboxing systems and thereby evading some dynamic analyses.
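The two behaviours just described (code loaded or decrypted at runtime, and checks for an analysis sandbox) leave traces in the DEX string table even when the payload itself is hidden. The following Python script is an added example, not code from the original post or from the TRUST aWARE project: it runs simple triage heuristics over the string tables of two constructed samples and decides whether a sample needs a dynamic-analysis stage and whether that stage needs a hardened (non-emulator-looking) sandbox. The string tables, the sample names and the indicator lists are assumptions chosen for illustration; a real run would take the strings from a DEX parser.

```python
"""Static triage heuristics for protected Android apps (added example).

Input: the string table of an app's classes.dex, as a list of strings.
Here the string tables are CONSTRUCTED inline; a real pipeline would obtain
them from a DEX parser. Matching is exact (not substring) to keep false
positives low: type descriptors and property names appear verbatim in the
string table.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Class loaders that bring in code not present in the shipped classes.dex.
CLASS_LOADERS: Dict[str, str] = {
    "Ldalvik/system/DexClassLoader;": "loads a .dex/.jar from a file path",
    "Ldalvik/system/InMemoryDexClassLoader;": "loads a .dex from a byte buffer",
    "Ldalvik/system/PathClassLoader;": "loads code from app/system paths",
}

# Crypto API presence on its own is weak (many benign apps use it); it only
# strengthens the picture when a runtime class loader is also present.
CRYPTO_HINTS = {"Ljavax/crypto/Cipher;"}

# Artifacts commonly consulted to recognise an emulator or analysis sandbox.
SANDBOX_CHECKS: Dict[str, str] = {
    "ro.kernel.qemu": "system property set on QEMU-based emulators",
    "generic": "Build.FINGERPRINT/Build.DEVICE prefix on stock emulator images",
    "goldfish": "emulator hardware/kernel name",
    "/system/bin/su": "root binary check (often bundled with sandbox checks)",
}


@dataclass
class TriageReport:
    class_loaders: Dict[str, str] = field(default_factory=dict)
    sandbox_checks: Dict[str, str] = field(default_factory=dict)
    crypto_present: bool = False

    @property
    def needs_dynamic_analysis(self) -> bool:
        # Runtime-loaded code cannot be seen statically: route to the dynamic stage.
        return bool(self.class_loaders)

    @property
    def payload_possibly_encrypted(self) -> bool:
        return self.crypto_present and bool(self.class_loaders)

    @property
    def needs_hardened_sandbox(self) -> bool:
        # The app inspects its environment: a stock emulator may be detected.
        return bool(self.sandbox_checks)


def triage_strings(dex_strings: List[str]) -> TriageReport:
    """Match the string table against the indicator lists."""
    report = TriageReport()
    for s in dex_strings:
        if s in CLASS_LOADERS:
            report.class_loaders[s] = CLASS_LOADERS[s]
        if s in CRYPTO_HINTS:
            report.crypto_present = True
        if s in SANDBOX_CHECKS:
            report.sandbox_checks[s] = SANDBOX_CHECKS[s]
    return report


# CONSTRUCTED string tables for two hypothetical samples.
SAMPLE_DEX_STRINGS: Dict[str, List[str]] = {
    "benign_notes_app": [
        "Landroid/app/Activity;", "onCreate", "notes.db",
        "Ljava/lang/String;", "Ljavax/crypto/Cipher;",  # encrypts its own notes
    ],
    "packed_sample": [
        "Landroid/app/Application;", "Ljavax/crypto/Cipher;",
        "AES/CBC/PKCS5Padding", "Ldalvik/system/InMemoryDexClassLoader;",
        "ro.kernel.qemu", "generic", "goldfish",
    ],
}


def triage_all(samples: Dict[str, List[str]] = SAMPLE_DEX_STRINGS) -> Dict[str, TriageReport]:
    return {name: triage_strings(strings) for name, strings in samples.items()}


if __name__ == "__main__":
    for name, rep in triage_all().items():
        print(f"{name}: dynamic={rep.needs_dynamic_analysis} "
              f"encrypted_payload={rep.payload_possibly_encrypted} "
              f"hardened_sandbox={rep.needs_hardened_sandbox}")
        for k, v in {**rep.class_loaders, **rep.sandbox_checks}.items():
            print(f"  {k}: {v}")
```

The benign sample uses the crypto API but no runtime class loader, so it stays in the static stage; the packed sample hits both a class loader and emulator-detection artifacts, so it is routed to dynamic analysis on a sandbox whose build properties do not look like a stock emulator. These heuristics are deliberately coarse: strings can themselves be encrypted, and native code can perform the same checks without any Java-level trace, which is exactly why the static stage alone is insufficient.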
Due to these obstacles, in TRUST aWARE we face various challenges in the analysis of Android applications. These are relatively well-known limitations that the research community has already identified and for which different solutions have been proposed. For example, Zhou et al. [1] already discussed the problems of Android malware and the challenges posed by obfuscated samples, where some of the tested anti-virus products failed to detect these applications. We can go even further back in time to the work of Collberg et al. [2], who discussed and implemented different techniques for obfuscating Java code. Other research focuses on solving these issues by circumventing the obfuscation and recovering the original code, such as the work of Xue et al. [3].
In TRUST aWARE we work with different technologies to address the problems posed by obfuscated applications. We use a two-stage analysis pipeline that combines static and dynamic analysis. We are currently characterising the software protection techniques used by both benign and malicious applications in the wild, and exploring the concrete limitations they impose on existing analysis techniques – especially for security and privacy analysis. The results of this analysis are sent to other components developed in the project, where they are processed and presented to analysts together with other Threat Intelligence information through a MISP platform.
[1]: Yajin Zhou and Xuxian Jiang. 2012. Dissecting Android Malware: Characterization and Evolution. In 2012 IEEE Symposium on Security and Privacy. 95–109. https://doi.org/10.1109/SP.2012.16
[2]: Christian Collberg, Clark Thomborson, and Douglas Low. 1997. A Taxonomy of Obfuscating Transformations. http://www.cs.auckland.ac.nz/staff-cgi-bin/mjd/csTRcgi.pl?serial (01 1997).
[3]: Lei Xue, Hao Zhou, Xiapu Luo, Yajin Zhou, Yang Shi, Guofei Gu, Fengwei Zhang, and Man Ho Au. 2021. Happer: Unpacking Android Apps via a Hardware-Assisted Approach. In 2021 IEEE Symposium on Security and Privacy (SP). 1641–1658. https://doi.org/10.1109/SP40001.2021.00105