Hybrid Dynamic Analysis for Android Malware Protected by Anti-Analysis Techniques with DOOLDA

網際網路技術學刊 Pub Date : 2024-03-01 DOI:10.53106/160792642024032502003

Sunjun Lee Sunjun Lee, Yonggu Shin Sunjun Lee, Minseong Choi Yonggu Shin, Haehyun Cho Minseong Choi, Jeong Hyun Yi Haehyun Cho

{"title":"Hybrid Dynamic Analysis for Android Malware Protected by Anti-Analysis Techniques with DOOLDA","authors":"Sunjun Lee Sunjun Lee, Yonggu Shin Sunjun Lee, Minseong Choi Yonggu Shin, Haehyun Cho Minseong Choi, Jeong Hyun Yi Haehyun Cho","doi":"10.53106/160792642024032502003","DOIUrl":null,"url":null,"abstract":"\n A lot of the recently reported malware is equipped with the anti-analysis techniques (e.g., anti-emulation, anti-debugging, etc.) for preventing from being the analyzed, which can delay detection and make malware alive for a longer period. Therefore, it is of the great importance of developing automated approaches to defeat such anti-analysis techniques so that we can handle and effectively mitigate numerous malware. In this paper, by analyzing 1,535 malicious applications, we found that 18.31% of them equipped with anti-analysis techniques. Next, we propose a novel, dynamic analyzer, named DOOLDA, for automatically invalidating anti-analysis techniques through dynamic instrumentation. DOOLDA monitors executions of Android applications’ entire code layers (i.e., bytecode and native code). Based on monitoring results, DOOLDA finds the code related to anti-analysis techniques and invalidates the anti-analysis techniques by instrumenting it. To demonstrate the effectiveness of DOOLDA, we show that it can invalidate all known anti-analysis techniques. Also, we compare DOOLDA with other dynamic analyzers.\n \n","PeriodicalId":442331,"journal":{"name":"網際網路技術學刊","volume":"52 3","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"網際網路技術學刊","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.53106/160792642024032502003","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

A lot of the recently reported malware is equipped with the anti-analysis techniques (e.g., anti-emulation, anti-debugging, etc.) for preventing from being the analyzed, which can delay detection and make malware alive for a longer period. Therefore, it is of the great importance of developing automated approaches to defeat such anti-analysis techniques so that we can handle and effectively mitigate numerous malware. In this paper, by analyzing 1,535 malicious applications, we found that 18.31% of them equipped with anti-analysis techniques. Next, we propose a novel, dynamic analyzer, named DOOLDA, for automatically invalidating anti-analysis techniques through dynamic instrumentation. DOOLDA monitors executions of Android applications’ entire code layers (i.e., bytecode and native code). Based on monitoring results, DOOLDA finds the code related to anti-analysis techniques and invalidates the anti-analysis techniques by instrumenting it. To demonstrate the effectiveness of DOOLDA, we show that it can invalidate all known anti-analysis techniques. Also, we compare DOOLDA with other dynamic analyzers.

查看原文本刊更多论文

用 DOOLDA 对受反分析技术保护的安卓恶意软件进行混合动态分析

最近报告的许多恶意软件都配备了反分析技术（如反仿真、反调试等），以防止被分析，这可能会延迟检测并使恶意软件存活更长时间。因此，开发自动方法来破解这些反分析技术，以便我们能够处理和有效缓解众多恶意软件，就显得尤为重要。本文通过分析 1,535 个恶意应用程序，发现其中 18.31% 的应用程序配备了反分析技术。接下来，我们提出了一种名为 DOOLDA 的新型动态分析器，用于通过动态仪器自动失效反分析技术。DOOLDA 监控 Android 应用程序整个代码层（即字节码和本地代码）的执行情况。根据监控结果，DOOLDA 找到与反分析技术相关的代码，并通过仪器化使反分析技术失效。为了证明 DOOLDA 的有效性，我们展示了它可以使所有已知的反分析技术失效。此外，我们还将 DOOLDA 与其他动态分析器进行了比较。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

網際網路技術學刊

自引率

0.00%

发文量