Enriching reverse engineering through visual exploration of Android binaries
Abstract
The appearance of the Android platform and its popularity have resulted in a sharp rise in the number of reported vulnerabilities and, consequently, in the number of mobile threats. Leveraging the openness of Android app markets and the lack of security testing, malware authors commonly employ a suite of widely available tools to facilitate app development. Analysis of an individual app for malware detection often requires an understanding of its functionality and a complex, time-consuming analysis of its behavior. Since development tools tend to leave traces in the program structure, we can potentially use visual exploration of these artifacts to enrich reverse engineering in malware analysis. In this paper, we focus on this approach and investigate the internal structure of Android executable files and their characteristics under various tools and development conditions. We show that the majority of obfuscation and optimization tools leave distinct artifacts that can be leveraged in Android binary analysis to trace the origin of a malware sample at hand. © 2015 copyright held by the Owner/Author(s).