1 Introduction
2 Related works
2.1 Repackaging attacks
2.2 Mobile code packing
2.3 Mobile code reverse engineering
3 Structural analysis on Bangcle
3.1 Packing
assets/bangcle_classes.jar
assets/bangcleplugin/collector.apk
assets/bangcleplugin/container.apk
assets/bangcleplugin/dgc
assets/com.msec.login
assets/com.msec.login.art
assets/com.msec.login.L
assets/com.msec.login.x86
assets/libsecexe.so
assets/libsecexe.x86.so
assets/libsecmain.so
assets/libsecmain.x86.so
assets/meta-data/manifest.mf
assets/meta-data/rsa.pub
assets/meta-data/rsa.sig
The ACall class manages the interface with library files, and the ApplicationWrapper class monitors the control flow using the entry point of the compressed app. The FirstApplication class and MyClassLoader class are used to load the original app into memory. The Util class carries out the overhead operations needed to execute libsecexe.so and calls functions from libsecexe.so to perform unpacking, anti-debugging, anti-tampering, and anti-runtime-injection functions.
Classes | Description |
---|---|
ACall | Interfacing with libraries |
ApplicationWrapper | Entry point of the packed app |
FirstApplication | Loading the original app |
MyClassLoader | Loading the original app |
Util | Other utilities |
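The asset files and wrapper classes listed above double as a static fingerprint for Bangcle-packed APKs. The following is an added example (not code from the paper or from Bangcle): it opens an APK as the zip container it is, checks for the listed asset names, and searches the raw classes.dex bytes for the wrapper class descriptors; the strong/supporting split, the scoring rule, and the two in-memory sample APKs are this example's own constructions.

```python
import io
import zipfile

# Bangcle artifacts listed in Section 3.1 (file names from the paper). The
# strong/supporting split and the scoring rule are this example's own heuristic.
STRONG_FILES = ("assets/bangcle_classes.jar", "assets/libsecexe.so", "assets/libsecmain.so")
SUPPORTING_PREFIXES = ("assets/bangcleplugin/", "assets/meta-data/", "assets/com.msec.login")
# Wrapper classes from the class table. A dex string table stores type
# descriptors as "Lpkg/Name;", so a raw byte search for "/Name;" is a usable hint.
WRAPPER_CLASSES = ("ApplicationWrapper", "MyClassLoader", "FirstApplication", "ACall")

def bangcle_indicators(apk_bytes):
    """Return the Bangcle artifacts found in an APK (a zip container)."""
    found = {"files": [], "prefixes": [], "classes": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        found["files"] = [f for f in STRONG_FILES if f in names]
        found["prefixes"] = [p for p in SUPPORTING_PREFIXES
                             if any(n.startswith(p) for n in names)]
        if "classes.dex" in names:
            dex = zf.read("classes.dex")
            found["classes"] = [c for c in WRAPPER_CLASSES
                                if b"/" + c.encode() + b";" in dex]
    return found

def is_bangcle_packed(apk_bytes):
    """Flag when at least two strong files and one wrapper class are present."""
    ind = bangcle_indicators(apk_bytes)
    return len(ind["files"]) >= 2 and len(ind["classes"]) >= 1

def build_sample_apk(entries):
    """Constructed test data: an in-memory zip from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a stub dex carrying wrapper descriptors (not a valid dex,
# only a string-table fragment) beside a plain, unpacked app.
FAKE_WRAPPER_DEX = b"dex\n035\0Lcom/example/wrapper/ApplicationWrapper;\0Lcom/example/wrapper/Util;\0"
PACKED_SAMPLE = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>", "classes.dex": FAKE_WRAPPER_DEX,
    "assets/bangcle_classes.jar": b"PK", "assets/libsecexe.so": b"\x7fELF",
    "assets/libsecmain.so": b"\x7fELF", "assets/bangcleplugin/collector.apk": b"PK",
    "assets/meta-data/rsa.sig": b"sig",
})
PLAIN_SAMPLE = build_sample_apk({"AndroidManifest.xml": b"<manifest/>",
                                 "classes.dex": b"dex\n035\0Lcom/example/MainActivity;\0"})
```

On a real sample, pass the bytes of the APK file to `bangcle_indicators` to see which of the Section 3.1 artifacts are present before deciding whether the unpacking steps of Section 3.2 apply.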
3.2 Unpacking
Util class. The checkX86 method identifies whether the CPU of the device running the app is x86-based or ARM-based. If it is an x86-based CPU, the libsecexe.x86 file is copied to a temporary folder, whereas if it is an ARM-based CPU, the libsecexe.so file is copied to a temporary folder. CopyBinaryFile takes the bangcle_classes.jar file in the assets folder of the compressed APK file, copies it to the temporary folder /data/data/[package_name]/.cache/, and renames it classes.jar (Fig. 4). createChildProcess, the method that provides the anti-debugging-related functions, is explained in more detail in the next section. tryDo restores the (packed) classes.jar file copied to the temporary folder into the (unpacked) classes.jar file, which includes the original classes.dex. runPkg loads the original classes.dex from the (unpacked) classes.jar file into memory and executes it. After the original classes.dex has been loaded, the (unpacked) classes.jar file is recompressed into the (packed) classes.jar and saved in the temporary folder.
3.3 Anti-debugging
createChildProcess generates a child process so that the Java Debug Wire Protocol (JDWP) and a native debugger cannot run. As shown in Fig. 5, first, the libsecexe.so file copied to the temporary folder is loaded into memory. After the file is loaded into memory, the method used to prevent native and/or managed code debuggers is applied.
3.4 Code extraction
If Util.java is modified to copy the (unpacked) classes.jar file into the data folder, namely, if a copyFile method that copies the file is added between the tryDo method and the runPkg method, we can procure the (unpacked) classes.jar with the original classes.dex included.
4 Structural analysis on DexProtector
4.1 Encryption
4.2 Decryption
/data/data/[package_name]/.cache folder, and, using the generated decryptor APK file, the decryptor is run. The executed decryptor decrypts the (encrypted) classes.dex file saved in the assets folder of the encrypted APK file and saves the original APK file in the /data/data/[package_name]/.cache folder. Afterwards, the restored original APK file is actually executed. After it has been executed, the original APK file saved in the /data/data/[package_name]/.cache folder is deleted. Figure 12 shows the DexProtector class decryption procedure.
4.3 Code extraction
Application class that is executed the first time the app runs, using the smali code-level debugger. Then, we set breakpoints such as the dvmJarFileOpen function from libdvm.so using a native code-level debugger. Afterwards, when the app is rerun, the app freezes at the assigned breakpoint after a new.apk file is generated. If we obtain the first generated new.apk file and decompile it using the JEB decompiler, we can observe the unpack function, among others, as in Fig. 15. The unpack function uses the application's hash value as the decryption key to decrypt the packed classes.dex. Because the hash value changes when the application is repackaged, the second new.apk is not generated correctly. Thus, to obtain the second new.apk file (without repackaging), one must attach the debugger and obtain the file before MainActivity is executed.
dvmJarFileOpen function [29] is immediately called to load the file type compressed by the functions in the libdvm.so library file (see Fig. 16). The dvmJarFileOpen function that is called first loads the installed APK file. The dvmJarFileOpen function that is called second loads the first generated new.apk file. The dvmJarFileOpen function called afterwards loads the second new.apk file, which includes the decrypted logic.
dvmJarFileOpen function is called. Because the encrypted class has already been decrypted at that point, there are no further constraints on disassembling it and conducting reverse analysis. Figure 18 shows one of the methods to obtain the original code from DexProtector.
5 Experiments
5.1 Target app selection
Application class is included. It was determined that DexProtector is applied based on the log record showing whether, when the app is executed, the DexOpt process optimizes an identically named apk file twice.
5.2 Experimental setup
VERSION_NAME variables in the Util class. Because a debugger needs to be used for apps that have DexProtector applied, we used a rooted device to obtain higher privileges than the app process. For the debugger, we used a GDB built for ARM. Finally, for decompiling and repackaging, we used apktool version 2.0.3.
5.3 Experimental results
Analysis engine | Packed application | Unpacked application |
---|---|---|
AVG | Android/Deng.MAO | Android/Deng.GNV |
Alibaba | A.L.Rog.Tgcmbwlbehlb | A.W.Rog.ModelAd |
CAT-QuickHeal | Android.SecApk.A (PUP) | Android.Dowgin.AM (AdWare) |
ESET-NOD32 | Secapk.E potentially unsafe | AdDisplay.Dowgin.R potentially unwanted |
Fortinet | Adware/Secapk!Android | Adware/Secapk!Android |
Ikarus | AdWare.AndroidOS.Secapk | PUA.AndroidOS.Dowgin |
Kaspersky | not-a-virus:HEUR:AdWare.AndroidOS.Mmaro.a | HEUR:Trojan-Downloader.AndroidOS.Agent.az |
NANO-Antivirus | Trojan.Android.Dowgin.dtznya | Trojan.Android.Dowgin.dtznya |
Qihoo-360 | Adware.Android.Gen | Adware.Android.Gen |
Sophos | Andr/PornClk-AB | Android Dowgin (PUA) |