Lei Xue, Hao Zhou, Xiapu Luo, Yajin Zhou, Yang Shi, G. Gu, Fengwei Zhang, M. Au
{"title":"Happer:通过硬件辅助方法解压Android应用程序","authors":"Lei Xue, Hao Zhou, Xiapu Luo, Yajin Zhou, Yang Shi, G. Gu, Fengwei Zhang, M. Au","doi":"10.1109/SP40001.2021.00105","DOIUrl":null,"url":null,"abstract":"Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happerwith a domain-specific language named behavior description language (BDL) for the ease of extending Happerafter tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happerobserved 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happeradopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files.","PeriodicalId":6786,"journal":{"name":"2021 IEEE Symposium on Security and Privacy (SP)","volume":"25 22 1","pages":"1641-1658"},"PeriodicalIF":0.0000,"publicationDate":"2021-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":"{\"title\":\"Happer: Unpacking Android Apps via a Hardware-Assisted Approach\",\"authors\":\"Lei Xue, Hao Zhou, Xiapu Luo, Yajin Zhou, Yang Shi, G. Gu, Fengwei Zhang, M. Au\",\"doi\":\"10.1109/SP40001.2021.00105\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happerwith a domain-specific language named behavior description language (BDL) for the ease of extending Happerafter tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happerobserved 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happeradopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files.\",\"PeriodicalId\":6786,\"journal\":{\"name\":\"2021 IEEE Symposium on Security and Privacy (SP)\",\"volume\":\"25 22 1\",\"pages\":\"1641-1658\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-05-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"14\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2021 IEEE Symposium on Security and Privacy (SP)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SP40001.2021.00105\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40001.2021.00105","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Happer: Unpacking Android Apps via a Hardware-Assisted Approach
Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happerwith a domain-specific language named behavior description language (BDL) for the ease of extending Happerafter tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happerobserved 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happeradopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files.