CR | Mar 6, 2018

DexLego: Reassembleable Bytecode Extraction for Aiding Static Analysis

arXiv:1803.02471v3 | 11 citations
AI Analysis

This paper addresses the challenge of detecting malicious behavior in Android apps for security analysts, though it is incremental in that it builds on existing static analysis methods.

The paper tackles the problem of static analysis tools being hindered by code hiding techniques in Android applications, and presents DexLego, a system that extracts and reassembles bytecode at runtime to create a new DEX file, which significantly improves analysis results in experiments on DroidBench and real-world applications.

The scale of Android applications in the market is growing rapidly. To efficiently detect malicious behavior in these applications, an array of static analysis tools has been proposed. However, static analysis tools suffer from code hiding techniques such as packing, dynamic loading, self-modifying code, and reflection. In this paper, we thus present DexLego, a novel system that performs reassembleable bytecode extraction to aid static analysis tools in revealing the malicious behavior of Android applications. DexLego leverages just-in-time collection to extract data and bytecode from an application at runtime, and reassembles them into a new Dalvik Executable (DEX) file offline. The experiments on DroidBench and real-world applications show that DexLego correctly reconstructs the behavior of an application in the reassembled DEX file, and significantly improves the analysis results of existing static analysis systems.
