I had the opportunity to attend 2013 RSA last week. Compared with less than five vendors last year, there were more than 20 vendors focusing on mobile security. I found something interesting on android application obfuscation. Arxan was one of them. This company showcased its Mobile Application Protection Suite to protect code integrity and intellectual property from reversing engineering mobile applications. It works in the similar approach as PE packer by obfuscating codes and injecting scramble code instructions. Another vendor, Allatori, also provides similar services.
With more and more techniques of mobile app obfuscation on the market, it is possible that hackers will leverage them to mass-produce mobile malware by repackaging the obfuscation shell around known malicious codes, just like what had happened in PC threat landscape.
In this blog, I will do DEX analysis 101: reverse engineering a few repackaged samples. DEX file contains most program codes of Android application package file (APK). I use 101 Editor as the tool to view DEX files. 010 Editor offers generic interface for various types of file format. In this case, after I downloaded DEX template file and imported it into 010 Editor, I can go throug DEX format, shown as the following:
One sample was processed by zipalign so its DEX content was the same as the original file. It still had 116 strings. Other files was injected with some codes or their strings was encrypted. As the result, they showed different number of strings, methods, and even classes.
Afterwards, I submitted them to Mobile Sandbox online service (www.mobile-sandbox.com) .
The output reports showed that they shared the same behavior activities.
It is a simple demo. However, the concern behind it is that we need to keep track of each application coming out of application obfuscators (by certificate?) The "mobile packer" software companies should work with security vendors so that the latter can determine if a submitted sample with a certain certificate is malicious or not. For more details, please refer IEEE taggant system.