Code packing is one of the most frequently used protection techniques for malware to evade detection. Particularly, Android packers originally designed to protect intellectual property are widely utilized by Android malware nowadays to hide their malicious behaviors. What's worse, Android code packing techniques are evolving rapidly with new features of Android system (e.g., the use of new Android runtime). Meanwhile, unpacking techniques and tools generally do not respond to the evolving of packers immediately, which weakens the effectiveness of new malware detection. To address the unpacking challenge especially for Android packers with advanced code hiding strategies, in this paper we propose APPSPEAR, an automated unpacking system for both Dalvik and ART. APPSPEAR adopts a universal unpacking strategy that combines runtime instrumentation, interpreter-enforced execution, and executable reassembling to guarantee the hidden code is extracted and reconstructed as a complete executable. Our experimental evaluation with 530 packed samples shows that APPSPEAR is able to unpack protected code generated by latest versions of mainstream Android packers effectively.

• 出版日期2018-6
• 单位上海交通大学