Abstract

Both Android application developers and malware authors use sophisticated obfuscation tools to prevent their mobile applications from being repackaged and analyzed. These tools obfuscate sensitive strings and classes, API calls, and control flows in the Dalvik bytecode. Consequently, security analysts inevitably spend a significant amount of time understanding the robustness of these obfuscation techniques and fully comprehending the intentions of each application. Since such analyses are often error-prone and require extensive analysis experience, it is critical to explore a novel approach to systematically analyze Android application bytecode. In this paper, we propose an approach that addresses this challenge by placing hooks in the Dalvik virtual machine at the point where a Dalvik instruction is about to be executed. We also demonstrate the effectiveness of our approach through case studies on real-world applications with our prototype, called DexMonitor.

Original language: English (US)
Journal: IEEE Access
State: Accepted/In press - Jan 1 2018

Fingerprint

Monitoring
Hooks
Application programming interfaces (API)
Flow control
Virtual machine
Malware

Keywords

  • Android Application Analysis
  • Bytecode Monitoring
  • Encryption
  • Java
  • Malware
  • Mobile Security
  • Monitoring
  • Static analysis
  • Virtual machining

ASJC Scopus subject areas

  • Computer Science(all)
  • Materials Science(all)
  • Engineering(all)

Cite this

DexMonitor: Dynamically Analyzing and Monitoring Obfuscated Android Applications. / Cho, Haehyun; Yi, Jeong Hyun; Ahn, Gail-Joon.

In: IEEE Access, 01.01.2018.

Research output: Contribution to journal (Article)

@article{d5a0292a7da24e8ba7aad4f4f07eff0e,
title = "DexMonitor: Dynamically Analyzing and Monitoring Obfuscated Android Applications",
abstract = "Both Android application developers and malware authors use sophisticated obfuscation tools to prevent their mobile applications from being repackaged and analyzed. These tools obfuscate sensitive strings and classes, API calls, and control flows in the Dalvik bytecode. Consequently, it is inevitable for the security analysts to spend significant amount of time for understanding the robustness of these obfuscation techniques and fully comprehending the intentions of each application. Since such analyses are often errorprone and require extensive analysis experience, it is critical to explore a novel approach to systematically analyze Android application bytecode. In this paper, we propose an approach to address such a critical challenge by placing hooks in the Dalvik virtual machine at the point where a Dalvik instruction is about to be executed. Also, we demonstrate the effectiveness of our approach through case studies on real-world applications with our prototype, called DexMonitor.",
keywords = "Android Application Analysis, Bytecode Monitoring, Encryption, Java, Malware, Mobile Security, Monitoring, Static analysis, Virtual machining",
author = "Haehyun Cho and Yi, {Jeong Hyun} and Gail-Joon Ahn",
year = "2018",
month = "1",
day = "1",
doi = "10.1109/ACCESS.2018.2881699",
language = "English (US)",
journal = "IEEE Access",
issn = "2169-3536",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - DexMonitor

T2 - Dynamically Analyzing and Monitoring Obfuscated Android Applications

AU - Cho, Haehyun

AU - Yi, Jeong Hyun

AU - Ahn, Gail-Joon

PY - 2018/1/1

Y1 - 2018/1/1

AB - Both Android application developers and malware authors use sophisticated obfuscation tools to prevent their mobile applications from being repackaged and analyzed. These tools obfuscate sensitive strings and classes, API calls, and control flows in the Dalvik bytecode. Consequently, it is inevitable for the security analysts to spend significant amount of time for understanding the robustness of these obfuscation techniques and fully comprehending the intentions of each application. Since such analyses are often errorprone and require extensive analysis experience, it is critical to explore a novel approach to systematically analyze Android application bytecode. In this paper, we propose an approach to address such a critical challenge by placing hooks in the Dalvik virtual machine at the point where a Dalvik instruction is about to be executed. Also, we demonstrate the effectiveness of our approach through case studies on real-world applications with our prototype, called DexMonitor.

KW - Android Application Analysis

KW - Bytecode Monitoring

KW - Encryption

KW - Java

KW - Malware

KW - Mobile Security

KW - Monitoring

KW - Static analysis

KW - Virtual machining

UR - http://www.scopus.com/inward/record.url?scp=85056699828&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056699828&partnerID=8YFLogxK

U2 - 10.1109/ACCESS.2018.2881699

DO - 10.1109/ACCESS.2018.2881699

M3 - Article

AN - SCOPUS:85056699828

JO - IEEE Access

JF - IEEE Access

SN - 2169-3536

ER -