
A Hidden File Extraction Scheme Defeating Malware Using Android Dynamic Loading

  • Conference paper
  • Mobile Internet Security (MobiSec 2019)

Abstract

Recently, malicious Android applications have become intelligent enough to bypass traditional static analysis. Among them, those using dynamic loading techniques hide malicious code by separating it into additional DEX files. These additional DEX files can be installed together with the application at installation time in a different directory, or downloaded from the command and control server. Moreover, intelligent malware deletes the DEX files after execution to avoid analysis. Therefore, it is difficult to figure out some of the hidden behavior without extracting the files used for dynamic loading. In this paper, we propose an extraction algorithm that saves the loaded or deleted DEX file using Xposed. After that, we verify whether the extracted DEX file is malicious using the proposed technique. This method allows analysts to examine the additional actions performed by the malware. As a result, it contributes to finding the hidden features of an application.
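The extraction step described above, as an added illustration that is not the paper's own code: an Xposed module that hooks the DexClassLoader constructor in the target process and copies every file passed as the DEX path to a dump directory before the constructor returns, so a copy survives even if the app unlinks the file immediately after loading. The dump directory, the file naming, and the package name are assumptions.

```java
// Added example, not the paper's code. Hooks dalvik.system.DexClassLoader so that any
// DEX/JAR/APK handed to it is copied aside before the app can delete it.
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class DexDumpHook implements IXposedHookLoadPackage {
    // Assumed dump location; it must be writable by the hooked app process.
    private static final String DUMP_DIR = "/data/local/tmp/dexdump";

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) {
        // DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)
        XposedHelpers.findAndHookConstructor("dalvik.system.DexClassLoader", lpparam.classLoader,
                String.class, String.class, String.class, ClassLoader.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        // Copy before loading completes: the app may unlink the file right afterwards.
                        String dexPath = (String) param.args[0];
                        if (dexPath == null) return;
                        for (String path : dexPath.split(File.pathSeparator)) {
                            saveCopy(lpparam.packageName, new File(path));
                        }
                    }
                });
    }

    private static void saveCopy(String pkg, File src) {
        if (!src.isFile()) return;
        File dstDir = new File(DUMP_DIR, pkg);
        dstDir.mkdirs();
        // Timestamp prefix keeps repeated loads of a same-named file apart for later analysis.
        File dst = new File(dstDir, System.currentTimeMillis() + "_" + src.getName());
        try (InputStream in = new FileInputStream(src); OutputStream out = new FileOutputStream(dst)) {
            byte[] buf = new byte[8192]; int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
            XposedBridge.log("dexdump: saved " + src + " -> " + dst);
        } catch (IOException e) {
            XposedBridge.log("dexdump: failed to copy " + src + ": " + e);
        }
    }
}
```

This covers file-backed loading only; a sample that uses PathClassLoader or in-memory loading (InMemoryDexClassLoader on API 26+) needs the corresponding constructors hooked as well.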

This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grants funded by the Korea government (MSIT) (No. 2019-0-00477, Development of android security framework technology using virtualized trusted execution environment; and No. 2020-0-00952, Development of 5G Edge Security Technology for Ensuring 5G+ Service Stability and Availability).




Correspondence to Souhwan Jung .


© 2020 Springer Nature Singapore Pte Ltd.


Cite this paper

Yoon, H., Shim, H., Jung, S. (2020). A Hidden File Extraction Scheme Defeating Malware Using Android Dynamic Loading. In: You, I., Chen, HC., Leu, FY., Kotenko, I. (eds) Mobile Internet Security. MobiSec 2019. Communications in Computer and Information Science, vol 1121. Springer, Singapore. https://doi.org/10.1007/978-981-15-9609-4_7


  • DOI: https://doi.org/10.1007/978-981-15-9609-4_7


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-9608-7

  • Online ISBN: 978-981-15-9609-4
