Corpus ID: 13704219

Deobfuscating Android Applications through Deep Learning

Fang-Hsiang Su and Gail E. Kaiser
Android applications are nearly always obfuscated before release, making it difficult to analyze them for malware presence or intellectual property violations. Obfuscators might hide the true intent of code by renaming variables, modifying the control flow of methods, or inserting additional code. Prior approaches toward automated deobfuscation of Android applications have relied on certain structural parts of apps remaining as landmarks, untouched by obfuscation. For instance, some prior…

Reversing Obfuscated Control Flow Structures in Android Apps using ReDex Optimizer

The experimental results show that ReDex can recover 1089 of 1108 apps obfuscated with the control-flow obfuscation techniques of the Obfuscapk obfuscator, and the effectiveness and limitations of ReDex in reversing the control-flow obfuscation of Android apps are analyzed.

ASTANA: Practical String Deobfuscation for Android Applications Using Program Slicing

This work presents ASTANA, a practical tool that recovers the human-readable content from obfuscated string literals in Android applications, and presents a lightweight and optimistic algorithm, based on program slicing techniques, to obtain the relevant deobfuscation logic.

Detecting Obfuscated Function Clones in Binaries using Machine Learning

This work introduces a slim approach for the identification of obfuscated function clones, called OFCI, building on recent advances in machine-learning-based function clone detection.

A de-obfuscation system based on Markov models

This paper presents an automatic method for de-obfuscation of Android apps based on Markov models that mainly focuses on layout obfuscation created by ProGuard, which is one of the most widely used obfuscators.

Statistical Deobfuscation of Android Applications

This work phrases the layout deobfuscation problem of Android APKs as structured prediction in a probabilistic graphical model, instantiates this model with a rich set of features and constraints that capture the Android setting, ensuring both semantic equivalence and high prediction accuracy, and shows how to leverage powerful inference and learning algorithms to achieve overall precision and scalability of the probabilistic predictions.

DroidRA: taming reflection to support whole-program analysis of Android apps

DroidRA is an instrumentation-based approach that addresses the issue of reflective calls in Android apps in a non-invasive way, and boosts an app so that it can be immediately analyzable, including by static analyzers that were not reflection-aware.

Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks

This paper evaluates the state-of-the-art commercial mobile anti-malware products for Android and tests how resistant they are against various common obfuscation techniques (even with known malware), and proposes possible remedies for improving the current state of malware detection on mobile devices.

Reliable Third-Party Library Detection in Android and its Security Applications

This paper proposes a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps, and is the first to quantify the security impact of third-party libs on the Android ecosystem.

AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context

This work introduces AppContext, an approach of static program analysis that extracts the contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors.

FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps

FlowDroid is presented, a novel and highly precise static taint analysis for Android applications that successfully finds leaks in a subset of 500 apps from Google Play and about 1,000 malware apps from the VirusShare project.

A dynamic birthmark for Java

A dynamic birthmark for Java is proposed that observes how a program uses objects provided by the Java Standard API, and reliably identified XML parsers and PNG readers before and after obfuscating them with state-of-the-art obfuscation tools.

Checking app behavior against app descriptions

Applied on a set of 22,500+ Android applications, the CHABADA prototype identified several anomalies and flagged 56% of novel malware as such, without requiring any known malware patterns.

Design and evaluation of birthmarks for detecting theft of Java programs

The proposed birthmarks are able to distinguish non-copied files in practical Java applications and are quite tolerant of attacks with automatic program optimizers/obfuscators.

discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code

A new approach to efficiently search for similar functions in binary code, called discovRE, that supports four instruction set architectures (x86, x64, ARM, MIPS) and is four orders of magnitude faster than the state-of-the-art academic approach for cross-architecture bug search in binaries.