http://dx.doi.org/10.13089/JKIISC.2019.29.1.45

Android Application Call Relationship Analysis Based on DEX and ELF Binary Reverse Engineering  

Ahn, Jinung (Soongsil University)
Park, Jungsoo (Soongsil University)
Nguyen-Vu, Long (Soongsil University)
Jung, Souhwan (Soongsil University)
Abstract
DEX files and shared objects (SO files) are important components that define the behavior of an Android application. A DEX file holds compiled Java code, whereas an SO file, in the ELF file format, holds native code (C/C++). The two layers, Java and native, can call each other at runtime. Malicious applications have become increasingly prevalent on mobile platforms, and they use a variety of evasion techniques to avoid detection by anti-malware products. To evade static analysis, some applications perform their malicious behavior in native code, which is harder to analyze. Existing research either fails to extract a call relationship that covers both Java code and native code or cannot analyze multi-DEX applications. In this study, we design and implement a system that effectively extracts the call relationship between Java code and native code by analyzing the DEX files and SO files of an Android application.
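One concrete piece of linking the two layers statically is matching the `native` method declarations found in a DEX file to the JNI export symbols an SO file must expose for them. The following is an added illustration, not code from the paper or its system; it implements the standard JNI symbol-mangling rules and runs over constructed sample inputs (the method list and export list are made up for the demo).

```python
# Added example: map DEX 'native' method declarations to the JNI symbols an ELF
# shared object exports for them. Inputs below are constructed, not from a real APK.

def _mangle(s: str) -> str:
    """JNI mangling: '/' -> '_', '_' -> '_1', ';' -> '_2', '[' -> '_3',
    any other non-ASCII-alphanumeric char -> '_0xxxx' (4 lowercase hex digits)."""
    out = []
    for ch in s:
        if ch == '/':
            out.append('_')
        elif ch == '_':
            out.append('_1')
        elif ch == ';':
            out.append('_2')
        elif ch == '[':
            out.append('_3')
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append('_0%04x' % ord(ch))  # e.g. '$' in inner classes -> '_00024'
    return ''.join(out)

def jni_symbol_names(class_name: str, method: str, params_sig: str):
    """Return (short, long) JNI symbol names for one native method.
    class_name is in DEX internal form ('com/example/Foo'); params_sig is the
    parameter part of the method descriptor without parentheses."""
    short = 'Java_' + _mangle(class_name) + '_' + _mangle(method)
    return short, short + '__' + _mangle(params_sig)

def link_native_methods(native_methods, exported_symbols):
    """For each (class, method, params) native declaration, return the matching ELF
    export (overloaded long name preferred), or None when no Java_* export exists.
    A None result is the gap a static Java->native call graph must close another way:
    such methods are typically bound at runtime via RegisterNatives in JNI_OnLoad."""
    exports = set(exported_symbols)
    links = {}
    for cls, name, sig in native_methods:
        short, long_ = jni_symbol_names(cls, name, sig)
        links[(cls, name, sig)] = long_ if long_ in exports else (short if short in exports else None)
    return links

# Constructed sample: three native declarations from a DEX, and the dynamic-symbol
# exports of the SO that ships with it (only two carry Java_* names).
SAMPLE_NATIVE_METHODS = [
    ('com/example/Crypto', 'decrypt', '[BLjava/lang/String;'),
    ('com/example/Inner$Util', 'run_task', ''),
    ('com/example/Loader', 'load', 'Ljava/lang/String;'),
]
SAMPLE_EXPORTS = [
    'Java_com_example_Crypto_decrypt___3BLjava_lang_String_2',
    'Java_com_example_Inner_00024Util_run_1task',
    'JNI_OnLoad',
]
```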
Keywords
Android; Malware; Static Analysis;