TY - GEN
T1 - Parema: An unpacking framework for demystifying VM-based Android packers
AU - Xue, Lei
AU - Yan, Yuxiao
AU - Yan, Luyi
AU - Jiang, Muhui
AU - Luo, Xiapu
AU - Wu, Dinghao
AU - Zhou, Yajin
N1 - Funding Information:
We sincerely thank Dr. Chennian Sun for shepherding our paper and the anonymous reviewers for their constructive comments. We thank Prof. Zhiqiang Lin for his assistance during the preparation of this paper. This work is partly supported by Hong Kong RGC Projects (No. 152223/17E), NSFC Young Scientists Fund (No. 62002306), HKPolyU Start-up Fund (ZVU7), CCF-Tencent Open Research Fund (ZDCK), the Fundamental Research Funds for the Central Universities (No. K20200019), Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (No. 2018R01005), and Zhejiang Key R&D (No. 2019C03133).
Publisher Copyright:
© 2021 ACM.
PY - 2021/7/11
Y1 - 2021/7/11
N2 - Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers have started to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats unpackers that rely on memory dumping. However, little is known about whether such packers provide enough protection to Android apps. In this paper, we aim to shed light on this question and take the first step towards demystifying the protection that VM-based packers provide to apps. We propose novel program analysis techniques, consisting of a learning phase and a deobfuscation phase, to investigate existing commercial VM-based packers. We aim at deobfuscating VM-protected DCode in three scenarios: recovering the original DCode with training apps, recovering its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much of the deobfuscation procedure. By applying it to online VM-based Android packers, we reveal that none of the evaluated packers provides adequate protection, and all of them could be compromised.
AB - Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers have started to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats unpackers that rely on memory dumping. However, little is known about whether such packers provide enough protection to Android apps. In this paper, we aim to shed light on this question and take the first step towards demystifying the protection that VM-based packers provide to apps. We propose novel program analysis techniques, consisting of a learning phase and a deobfuscation phase, to investigate existing commercial VM-based packers. We aim at deobfuscating VM-protected DCode in three scenarios: recovering the original DCode with training apps, recovering its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much of the deobfuscation procedure. By applying it to online VM-based Android packers, we reveal that none of the evaluated packers provides adequate protection, and all of them could be compromised.
KW - App Protection
KW - Code Similarity
KW - Obfuscation
UR - http://www.scopus.com/inward/record.url?scp=85111452661&partnerID=8YFLogxK
U2 - 10.1145/3460319.3464839
DO - 10.1145/3460319.3464839
M3 - Conference article published in proceeding or book
AN - SCOPUS:85111452661
T3 - ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
SP - 152
EP - 164
BT - ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
A2 - Cadar, Cristian
A2 - Zhang, Xiangyu
PB - Association for Computing Machinery, Inc
T2 - 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021
Y2 - 11 July 2021 through 17 July 2021
ER -