Links for fulltext
(May Require Subscription)
- Publisher Website: 10.1109/SP40001.2021.00105
- Scopus: eid_2-s2.0-85114659378
Citations:
- Scopus: 0
- Appears in Collections:
Conference Paper: Happer: Unpacking Android Apps via a Hardware-Assisted Approach
Title | Happer: Unpacking Android Apps via a Hardware-Assisted Approach |
---|---|
Authors | |
Keywords | Android-Packer ARM-ETM Android-App-Analysis |
Issue Date | 2021 |
Publisher | IEEE. The Journal's web site is located at https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings |
Citation | The 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021), San Francisco, CA, USA, 24-27 May 2021, p. 1641-1658 |
Abstract | Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happer with a domain-specific language named behavior description language (BDL) for the ease of extending Happer after tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happer observed 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happer adopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files. |
Persistent Identifier | http://hdl.handle.net/10722/306177 |
ISSN | 2020 SCImago Journal Rankings: 2.407 |
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Xue, L | - |
dc.contributor.author | Zhou, H | - |
dc.contributor.author | Luo, X | - |
dc.contributor.author | Zhou, Y | - |
dc.contributor.author | Shi, Y | - |
dc.contributor.author | Gu, G | - |
dc.contributor.author | Zhang, F | - |
dc.contributor.author | Au, AMH | - |
dc.date.accessioned | 2021-10-20T10:19:53Z | - |
dc.date.available | 2021-10-20T10:19:53Z | - |
dc.date.issued | 2021 | - |
dc.identifier.citation | The 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021), San Francisco, CA, USA, 24-27 May 2021, p. 1641-1658 | - |
dc.identifier.issn | 1081-6011 | - |
dc.identifier.uri | http://hdl.handle.net/10722/306177 | - |
dc.description.abstract | Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happer with a domain-specific language named behavior description language (BDL) for the ease of extending Happer after tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happer observed 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happer adopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files. | - |
dc.language | eng | - |
dc.publisher | IEEE. The Journal's web site is located at https://ieeexplore.ieee.org/xpl/conhome/1000646/all-proceedings | - |
dc.relation.ispartof | The 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021) | - |
dc.rights | IEEE Symposium on Security and Privacy Proceedings. Copyright © IEEE. | - |
dc.rights | ©2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. | - |
dc.subject | Android-Packer | - |
dc.subject | ARM-ETM | - |
dc.subject | Android-App-Analysis | - |
dc.title | Happer: Unpacking Android Apps via a Hardware-Assisted Approach | - |
dc.type | Conference_Paper | - |
dc.identifier.email | Au, AMH: manhoau@hku.hk | - |
dc.identifier.authority | Au, AMH=rp02638 | - |
dc.description.nature | link_to_subscribed_fulltext | - |
dc.identifier.doi | 10.1109/SP40001.2021.00105 | - |
dc.identifier.scopus | eid_2-s2.0-85114659378 | - |
dc.identifier.hkuros | 327846 | - |
dc.identifier.spage | 1641 | - |
dc.identifier.epage | 1658 | - |
dc.publisher.place | United States | - |