IEEE Access (Jan 2022)

Deoptfuscator: Defeating Advanced Control-Flow Obfuscation Using Android Runtime (ART)

  • Geunha You,
  • Gyoosik Kim,
  • Sangchul Han,
  • Minkyu Park,
  • Seong-Je Cho

DOI
https://doi.org/10.1109/ACCESS.2022.3181373
Journal volume & issue
Vol. 10
pp. 61426 – 61440

Abstract

Read online

Code obfuscation is a technique that makes it difficult for code analyzers to understand a program by transforming its structures or operations while maintaining its original functionality. Android app developers often employ obfuscation techniques to protect business logic and core algorithm inside their app against reverse engineering attacks. On the other hand, malicious app writers also use obfuscation techniques to avoid being detected by anti-malware software. If malware analysts can mitigate the code obfuscation applied to malicious apps, they can analyze and detect the malicious apps more efficiently. This paper proposes a new tool, Deoptfuscator, to detect obfuscated an Android app and to restore the original source codes. Deoptfuscator detects an app control-flow obfuscated by DexGuard and tries to restore the original control-flows. Deoptfuscator deobfuscates in two steps: it determines whether an control-flow obfuscation technique is applied and then deobfuscates the obfuscated codes. Through experiments, we analyze how similar a deobfuscated app is to the original one and show that the obfuscated app can be effectively restored to the one similar to the original. We also show that the deobfuscated apps run normally.

Keywords