Technical Report: Evaluating Analysis Tools for Android Apps: Status Quo and Robustness Against Obfuscation

Johannes Hoffmann, Teemu Rytilahti, Marcel Winandy, Giorgio Giacinto, Thorsten Holz

TR-HGI-2016-003, Ruhr-Uni­ver­si­tät Bo­chum, Horst Görtz In­sti­tut für IT-Si­cher­heit (HGI), August 2016


The recent past has shown that Android smartphones became the most popular target for malware authors. Contemporary malware families present a variety of features that allow, among others, to steal arbitrary data and to cause significant monetary losses. These circumstances led to the development of many different analysis methods that are aimed to assess the absence of potential harm or malicious behavior in mobile apps. In return, malware authors devised more sophisticated methods to write mobile malware that attempt to thwart such analyses.

In this work, we first survey the systems devised to analyze and verify mobile apps and describe the assumptions they rely on to detect malicious content and behavior. We then present a new obfuscation framework that aims to break such assumptions, thus modifying Android apps to avoid them being analyzed by the targeted systems.

We use our framework to evaluate the robustness of static and dynamic analysis systems for Android apps against such transformations. In particular, we provide a comprehensive report of the status quo of Android analysis tools against well-obfuscated malware and we demonstrate that most systems could be easily evaded. With our analysis, we point out research problems that should be addressed by future analysis tools and we propose our framework as a possible aid to improve their robustness.


tags: Android, Obfuscation