Empirical Analysis on the Use of Dynamic Code Updates in Android and Its Security Implications

Abstract

Dynamic code update techniques, such as reflection and dynamic class loading (DCL), enable an application (app) to change its behavior at runtime. These techniques are heavily used in Android apps for extensibility. However, malware developers misuse these techniques to conceal malicious functionality, bypass static analysis tools and expose the malicious functionality only when the app is installed and run on a user’s device. Although, the use of these techniques alone may not be sufficient to bypass analysis tools, it is the use of reflection/DCL APIs with obfuscated parameters that makes the state-of-art static analysis tools for Android unable to infer the correct behavior of the app. To understand the current trends in real apps, it is important to perform a study on the sources of the parameters used in reflection/DCL APIs. In this paper, we describe how malicious apps bypass analysis tools using reflection/DCL with parameters provided by sources, such as network, files, encrypted strings, etc., which are hard to analyze statically. We further develop a tool to analyze a dataset of 3,645 real world malware samples and 16,528 benign apps in order to investigate the sources of the parameters used in reflection/DCL APIs. The results of our analysis indicate the presence of such programming practices in both legitimate and malicious apps. However, malicious apps tend to obfuscate the parameters of reflection/DCL APIs more often. The use of Crypto related APIs as sources of the parameters of reflection/DCL APIs is significantly higher in malicious apps, which endorses the fact that malicious apps try to thwart static analysis tools.