Abstract
Recently, malicious Android applications have become intelligent to bypass traditional static analysis. Among them, which using dynamic loading techniques hide malicious code by separating DEX files. These additional DEX files can be installed together during the installation time in different directory or downloaded from the command and control server. However intelligent malwares delete the DEX files after execution to avoid analysis. Therefore, It is difficult to figure out the some of hidden behavior without extracting files used for dynamic loading. In this paper, we propose a extraction algorithms to save the loaded or deleted DEX file using Xposed. After that, verifies whether the extracted DEX file is malicious by using the proposed technique. This method allows you to analyze additional actions performed by malware through analysis. As a result, it contributes to find hidden features of Application.
This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2019-0-00477, Development of android security framework technology using virtualized trusted execution environment) and this work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2020-0-00952, Development of 5G Edge Security Technology for Ensuring 5G+ Service Stability and Availability).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Dupuy, E.: JD-GUI (2019). https://github.com/java-decompiler/jd-gui. Accessed May 2019
ElderDrivers: EdXposed (2019). https://github.com/ElderDrivers/EdXposed. Accessed May 2019
Google: Android open source project (2004–2019). https://source.android.com/n. Accessed May 2019
Google: Monkey (2016–2019). https://developer.android.com/studio/test/monkey. Accessed May 2019
Google: SafetyNet (2017–2019). https://developer.android.com/training/safetynet/attestation. Accessed May 2019
Google: Android debug bridge (2019). https://developer.android.com/studio/command-line/adb?hl=ko. Accessed May 2019
Google: Android virtual device (2019). https://developer.android.com/studio/run/managing-avds. Accessed May 2019
Google: Androidmanifest.xml (2019). https://developer.android.com/guide/topics/manifest/manifest-intro?hl=ko. Accessed May 2019
Google: NDK (2019). https://developer.android.com/ndk. Accessed May 2019
Google: UI Automator (2019). https://developer.android.com/training/testing/ui-automator. Accessed May 2019
Google: Zygote (2019). https://blog.codecentric.de/en/2018/04/android-zygote-boot-process/. Accessed May 2019
Honeynet: DroidBot (2019). https://github.com/honeynet/droidbot. Accessed May 2019
IDC: Smartphone market share (2019). https://www.idc.com/promo/smartphone-market-share/os. Accessed March 2019
Kanwal, M., Thakur, S.: An app based on static analysis for Android ransomware. In: 2017 International Conference on Computing, Communication and Automation (ICCCA), pp. 813–818. IEEE (May 2017)
Li, L., Bissyandé, T.F., Octeau, D., Klein, J.: Reflection-aware static analysis of android apps. In: 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 756–761. IEEE (September 2016)
C.S.I. Limited: Virus total (2011–2019). https://www.virustotal.com/. Accessed May 2019
McAfee: McAfee mobile threat report q1 (2019). https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2019.pdf. Accessed March 2019
Panxiaobo: Dex2jar (2019). https://sourceforge.net/projects/dex2jar. Accessed May 2019
rovo89: Xposed (2019). https://repo.xposed.info/module/de.robv.android.xposed.installer. Accessed May 2019
Ryszard Wiśniewski: APKTool (2010–2019). https://ibotpeaches.github.io/Apktool/install/. Accessed May 2019
S4URC: AMAaaS (2018–2019). https://amaaas.com/. Accessed May 2019
Shan, Z., Neamtiu, I., Samuel, R.: Self-hiding behavior in android apps: detection and characterization. In: 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE), pp. 728–739. IEEE (May 2018)
Statista: Global mobile OS market share in sales to end users from 1st quarter 2009 to 2nd quarter 2018 (2019). https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems. Accessed March 2019
topjohnwu: Magisk (2018–2019). https://github.com/topjohnwu/Magisk/releases. Accessed May 2019
Wan, J., Zulkernine, M., Eisen, P., Liem, C.: Defending application cache integrity of Android runtime. In: Liu, J.K., Samarati, P. (eds.) ISPEC 2017. LNCS, vol. 10701, pp. 727–746. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72359-4_45
Wikipedia: Java virtual machine, 2019 (2019). https://en.wikipedia.org/wiki/Java_virtual_machine. Accessed March 2019
Wong, M.Y., Lie, D.: Tackling runtime-based obfuscation in Android with TIRO. In: 27th USENIX Security Symposium, pp. 1247–1262 (2018)
Yang, W., et al.: AppSpear: bytecode decrypting and DEX reassembling for packed Android malware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 359–381. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_17
Zhang, Y., Luo, X., Yin, H.: DexHunter: toward extracting hidden code from packed Android applications. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 293–311. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_15
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Yoon, H., Shim, H., Jung, S. (2020). A Hidden File Extraction Scheme Defeating Malware Using Android Dynamic Loading. In: You, I., Chen, HC., Leu, FY., Kotenko, I. (eds) Mobile Internet Security. MobiSec 2019. Communications in Computer and Information Science, vol 1121. Springer, Singapore. https://doi.org/10.1007/978-981-15-9609-4_7
Download citation
DOI: https://doi.org/10.1007/978-981-15-9609-4_7
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-9608-7
Online ISBN: 978-981-15-9609-4
eBook Packages: Computer ScienceComputer Science (R0)