In an ecosystem full of
potentially malicious apps, you need to be careful about the tools you
use to analyze them. Without a full understanding of how the Android
Dalvik VM or dex file interpreters actually work, it's easy for things
to slip through the cracks. Based on learnings from the evolution of
PC-based malware, it's clear that someone, somewhere will someday
attempt to break the most commonly used tools for static and dynamic
analysis of mobile malware. So we set out to see who was already
breaking them and how, then, how we could break them more.
We've
taken a deep dive into Android's dex file format that has yielded
interesting results related to detection of post-compilation file
modification. After deconstructing some of the intricacies of the dex
file format, we turned our attention to dex file analysis tools
themselves, analyzing how they parse and manage the dex format. Along
the way we observed a number of easily exploitable functionality,
documenting specifically why they fail and how to fix them. From this
output we've developed a proof of concept tool - APKfuscator - that
shows how to exploit these flaws. It's our hope that it can be a tool
that helps everyone practice safe dex.
This is the proof of
concept tool which was presented for the talk; "Dex Education:
Practicing Safe Dex" Slides for this talk can be found here, www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
Hope everything is okay.
Regards,
AHA
