Fast Identification of Obfuscation and Mobile Advertising in Mobile Malware

“…The second category is metamorphism, which mutates the application code, but maintains the same behaviour. Malware authors employ obfuscation tools, such as Obfuscapk ( Aonzo et al, 2020 ), ProGuard ( Lafortune, 2002 ), DashO ( Wang et al, 2016 ), KlassMaster ( Kuhnel, Smieschek & Meyer, 2015 ), and JavaGuard ( Sihag, Vardhan & Singh, 2021a ) to encrypt their code and decrypt during runtime; they modify the code itself to evade the heuristic detection and signature analysis of the malware detection techniques.…”

“…This paper refers to Data Encryption as DEN, Bytecode Encryption as BEN, and Payload Encryption as PEN. This paper examines the following types of evasions: Data Encryption (DEN): This evasion technique tends to encrypt specific data vital for the malicious action and decrypt the encrypted data later, which modifies the malware application characteristics to evade the detection techniques ( Kuhnel, Smieschek & Meyer, 2015 ). The data refers to strings or network addresses embedded in the code.…”

“…Reflection evasion facilitates the possibility to call private functions from any technique outside the main class. Recently few studies highlighted the reflection effect on code analysis and considered reflection during the analysis process ( Kuhnel, Smieschek & Meyer, 2015 ; Li et al, 2016 ). Dynamic Code Loading/Modification (DCL/DCM): Since Java has the capability of loading code at runtime using class loader methods, Android malware application dynamically download malicious code using the dynamic code loading (DCL).…”

“…Reflection evasion facilitates the possibility to call private functions from any technique outside the main class. Recently few studies highlighted the reflection effect on code analysis and considered reflection during the analysis process ( Kuhnel, Smieschek & Meyer, 2015 ; Li et al, 2016 ).…”

“…Many researchers ( Apvrille & Apvrille, 2015 ; Bagheri et al, 2015 ; Battista et al, 2016 ; Chenxiong et al, 2015 ; Elish et al, 2015 ; Fratantonio et al, 2016 ; Gonzalez, Stakhanova & Ghorbani, 2014 ; Gurulian et al, 2016 ; Kuhnel, Smieschek & Meyer, 2015 ; Lei et al, 2015 ; Li et al, 2016 ; Martín, Menéndez & Camacho, 2016 ; Preda & Maggi, 2016 ; Sheen, Anitha & Natarajan, 2015 ; Shen et al, 2015 ; Sun, Li & Lui, 2015 ; Wang et al, 2016 ; Wu et al, 2016 ; Zhang, Breitinger & Baggili, 2016 ) examine their frameworks against different evasion techniques, and they take countermeasures to overcome evasion techniques, which prevent the anti-malware framework from detecting malicious applications. These evasions are the leading cause of false negatives, as they allow many malware applications to penetrate freely into Android smart devices.…”

The rise of obfuscated Android malware and impacts on detection methods

“…The second category is metamorphism, which mutates the application code, but maintains the same behaviour. Malware authors employ obfuscation tools, such as Obfuscapk ( Aonzo et al, 2020 ), ProGuard ( Lafortune, 2002 ), DashO ( Wang et al, 2016 ), KlassMaster ( Kuhnel, Smieschek & Meyer, 2015 ), and JavaGuard ( Sihag, Vardhan & Singh, 2021a ) to encrypt their code and decrypt during runtime; they modify the code itself to evade the heuristic detection and signature analysis of the malware detection techniques.…”

“…This paper refers to Data Encryption as DEN, Bytecode Encryption as BEN, and Payload Encryption as PEN. This paper examines the following types of evasions: Data Encryption (DEN): This evasion technique tends to encrypt specific data vital for the malicious action and decrypt the encrypted data later, which modifies the malware application characteristics to evade the detection techniques ( Kuhnel, Smieschek & Meyer, 2015 ). The data refers to strings or network addresses embedded in the code.…”

“…Reflection evasion facilitates the possibility to call private functions from any technique outside the main class. Recently few studies highlighted the reflection effect on code analysis and considered reflection during the analysis process ( Kuhnel, Smieschek & Meyer, 2015 ; Li et al, 2016 ). Dynamic Code Loading/Modification (DCL/DCM): Since Java has the capability of loading code at runtime using class loader methods, Android malware application dynamically download malicious code using the dynamic code loading (DCL).…”

“…Reflection evasion facilitates the possibility to call private functions from any technique outside the main class. Recently few studies highlighted the reflection effect on code analysis and considered reflection during the analysis process ( Kuhnel, Smieschek & Meyer, 2015 ; Li et al, 2016 ).…”

“…Many researchers ( Apvrille & Apvrille, 2015 ; Bagheri et al, 2015 ; Battista et al, 2016 ; Chenxiong et al, 2015 ; Elish et al, 2015 ; Fratantonio et al, 2016 ; Gonzalez, Stakhanova & Ghorbani, 2014 ; Gurulian et al, 2016 ; Kuhnel, Smieschek & Meyer, 2015 ; Lei et al, 2015 ; Li et al, 2016 ; Martín, Menéndez & Camacho, 2016 ; Preda & Maggi, 2016 ; Sheen, Anitha & Natarajan, 2015 ; Shen et al, 2015 ; Sun, Li & Lui, 2015 ; Wang et al, 2016 ; Wu et al, 2016 ; Zhang, Breitinger & Baggili, 2016 ) examine their frameworks against different evasion techniques, and they take countermeasures to overcome evasion techniques, which prevent the anti-malware framework from detecting malicious applications. These evasions are the leading cause of false negatives, as they allow many malware applications to penetrate freely into Android smart devices.…”

The rise of obfuscated Android malware and impacts on detection methods

MAdLens: Investigating Into Android In-App Ad Practice at API Granularity

A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software