String Deobfuscation Scheme based on Dynamic Code Extraction for Mobile Malwares

WooJong Yoo, Myeongju Ji, MinKoo Kang, and Jeong Hyun Yi+
 

Soongsil University, Seoul, 06978, Korea

{msecwj, wlaudwn007, minku1024}@gmail.com, jhyi@ssu.ac.kr
 

Abstract

Various code protection schemes are being implemented to protect Android applications and address their vulnerabilities. Among these schemes, code obfuscation is widely used. Because strings in program code are especially fundamental in identifying methods or variables, exposing this information to an attacker makes reverse engineering analysis that much easier. Consequently, string encryption should be prioritized among obfuscation techniques. When malware rather than normal code misuses such a protection function, however, it has the opposite effect: it makes code analysis more difficult. Hence, in this paper, we first propose a string deobfuscation scheme that acquires the decrypted string through dynamic code extraction, so that malware using string encryption can be analyzed effectively, and then introduce the system design and implementation.

Keywords: Deobfuscation, Malwares, Reverse Engineering.

 

+: Corresponding author: Jeong Hyun Yi
School of Software, Soongsil University, Seoul, 06978, Korea, Tel: +82-2-828-7360

IT Convergence Practice (INPRA), Vol. 4, No. 2, pp. 1-8, June 2016