DOI: 10.1145/3540250.3558969
research-article

What did you pack in my app? a systematic analysis of commercial Android packers

Published: 09 November 2022

Abstract

Commercial Android packers are widely used by developers to protect their apps from tampering. However, app packers are usually provided as online services developed by security vendors, and the packed apps are well protected. It is thus hard to know what exactly is packed into an app, and few existing studies in the community have systematically analyzed the behaviors of commercial app packers. In this paper, we propose PackDiff, a dynamic analysis system to inspect the fine-grained behaviors of commercial packers. By instrumenting the Android system, PackDiff records the runtime behaviors of Android apps (e.g., Linux system call invocations, Java API calls, Binder interactions, etc.), which are further processed to pinpoint the additional sensitive behaviors introduced by packers. By applying PackDiff to roughly 200 apps protected by seven commercial packers, we make disappointing observations about existing commercial packers. Most app packers introduce unnecessary behaviors (e.g., accessing sensitive data) and serious performance and compatibility issues, and they can even be abused to create evasive malware and repackaged apps, which contradicts their design purpose.

Cited By

  • (2024) Dynamic Security Analysis on Android: A Systematic Literature Review. IEEE Access 12, 57261-57287. DOI: 10.1109/ACCESS.2024.3390612. Online publication date: 2024

Published In

ESEC/FSE 2022: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
November 2022
1822 pages
ISBN: 9781450394130
DOI: 10.1145/3540250

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Commercial Android Packers
  2. Dynamic Analysis
  3. Privacy Leakage

Qualifiers

  • Research-article

Conference

ESEC/FSE '22

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Bibliometrics

Article Metrics

  • Downloads (Last 12 months): 109
  • Downloads (Last 6 weeks): 9
Reflects downloads up to 30 Aug 2024
