Authors: Tao Zheng; Qiyu Hou; Xingshu Chen; Hao Ren; Meng Li; Hongwei Li; Changxiang Shen
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 4338-4352
Published: 2025-04-07 (Journal Article)
DOI: 10.1109/TIFS.2025.3558592
URL: https://ieeexplore.ieee.org/document/10955277/
Gupacker: Generalized Unpacking Framework for Android Malware
Android malware authors often use packers to evade analysis. Although many unpacking tools have been proposed, they face two significant challenges: 1) they are easily impeded by the anti-analysis techniques packers employ, which prevents efficient collection of the hidden Dex data; 2) they are typically designed for one specific packer and cannot handle malware packed with mixed packers. Consequently, many packed malware samples evade detection. To bridge this gap, we propose Gupacker, a generalized unpacking framework. Gupacker offers a generic solution for first-generation holistic packers by customizing the Android system source code. It identifies the packer type and selects an appropriate unpacking function, constructs a deeper active call chain to achieve generic unpacking of second-generation function-extraction packers, and uses JNI function and instruction monitoring to handle third-generation virtual obfuscation packers. On this basis, we counteract a diverse array of anti-analysis techniques. We conduct extensive experiments on 5K packed Android malware samples, comparing Gupacker with 2 commercial and 4 state-of-the-art academic unpacking tools. The results demonstrate that Gupacker significantly improves the efficiency of Android malware unpacking with acceptable system overhead. We also analyze real packed applications with Gupacker and find that several have been re-packed by attackers, including WPS for Android, which has tens of millions of users. We responsibly reported 13 zero-day vulnerabilities and assisted in the remediation of all of them.
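The abstract's central artefact is the hidden Dex that an unpacker recovers from process memory. Whatever technique dumps it (holistic-packer hooks, forced method loading, or JNI monitoring), the raw image typically has a stale file_size, Adler-32 checksum and SHA-1 signature, and ART's verifier and the usual disassemblers refuse it until those fields are fixed. The following is an added example, not code from the Gupacker paper or its authors: it parses the DEX header using the offsets from the public DEX format specification, reports what is wrong with a dumped image, and rewrites the header fields so the image verifies. The sample input is constructed inline (a header-only image with empty sections); it is not a real app.

```python
"""Verify and repair the header of a DEX image dumped from process memory.

Added example (not from the Gupacker paper). Field offsets and the checksum /
signature coverage rules come from the DEX format specification: adler32 covers
everything after the checksum field (offset 12 onward), SHA-1 covers everything
after the signature field (offset 32 onward).
"""
import hashlib
import struct
import zlib

DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
OFF_CHECKSUM, OFF_SIGNATURE, OFF_FILE_SIZE = 8, 12, 32

# Names of the 20 little-endian uint32 fields that follow the signature.
FIELD_NAMES = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]
# Entry width in bytes of each ID/def table, used for bounds checks.
SECTION_WIDTHS = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
                  "field_ids": 8, "method_ids": 8, "class_defs": 32}


def parse_header(data: bytes) -> dict:
    """Decode the 0x70-byte header into a dict; raises if the image is too short."""
    if len(data) < HEADER_SIZE:
        raise ValueError("image shorter than a DEX header")
    hdr = dict(zip(FIELD_NAMES, struct.unpack_from("<20I", data, OFF_FILE_SIZE)))
    hdr["magic"] = data[:8]
    hdr["checksum"] = struct.unpack_from("<I", data, OFF_CHECKSUM)[0]
    hdr["signature"] = data[OFF_SIGNATURE:OFF_FILE_SIZE]
    return hdr


def expected_checksum(data: bytes) -> int:
    return zlib.adler32(data[OFF_SIGNATURE:]) & 0xFFFFFFFF


def expected_signature(data: bytes) -> bytes:
    return hashlib.sha1(data[OFF_FILE_SIZE:]).digest()


def verify_dex(data: bytes) -> list:
    """Return the list of problems found; an empty list means the image verifies."""
    hdr = parse_header(data)
    problems = []
    if hdr["magic"] not in DEX_MAGICS:
        problems.append("unknown magic %r" % hdr["magic"])
    if hdr["header_size"] != HEADER_SIZE:
        problems.append("header_size is not 0x70")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("endian_tag is not 0x12345678")
    if hdr["file_size"] != len(data):
        problems.append("file_size %d != actual %d" % (hdr["file_size"], len(data)))
    if hdr["checksum"] != expected_checksum(data):
        problems.append("adler32 checksum mismatch")
    if hdr["signature"] != expected_signature(data):
        problems.append("sha1 signature mismatch")
    # Every table must lie inside the image; a dump truncated by anti-dump tricks fails here.
    for sec, width in SECTION_WIDTHS.items():
        size, off = hdr[sec + "_size"], hdr[sec + "_off"]
        if size and off + size * width > len(data):
            problems.append("%s table runs past end of image" % sec)
    return problems


def repair_dex(data: bytes) -> bytes:
    """Rewrite file_size, then the signature, then the checksum (each covers the previous)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, OFF_FILE_SIZE, len(buf))
    buf[OFF_SIGNATURE:OFF_FILE_SIZE] = hashlib.sha1(buf[OFF_FILE_SIZE:]).digest()
    struct.pack_into("<I", buf, OFF_CHECKSUM, zlib.adler32(buf[OFF_SIGNATURE:]) & 0xFFFFFFFF)
    return bytes(buf)


def make_sample_dump() -> bytes:
    """Constructed sample: header plus 16 data bytes, with checksum and signature
    left zeroed and a stale file_size, as a raw memory dump often looks."""
    payload = b"\x00" * 16
    fields = [0x1000, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0]  # file_size is wrong on purpose
    fields += [0] * 12                                         # six empty ID/def tables
    fields += [len(payload), HEADER_SIZE]                      # data_size, data_off
    return DEX_MAGICS[0] + b"\0" * 24 + struct.pack("<20I", *fields) + payload


if __name__ == "__main__":
    dump = make_sample_dump()
    print("before:", verify_dex(dump))
    print("after: ", verify_dex(repair_dex(dump)))
```

Run it on a real dump with `verify_dex(open(path, "rb").read())`; only write back `repair_dex` output once the table bounds check passes, because a checksum-fixed but truncated image will still fail ART's structural verification.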
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.