Android Security Symposium 2017

Android compiler fingerprinting

About the speakers

Tim Strazzere

RedNaga, Oakland, CA, USA
Tim “diff” Strazzere is a Security Engineer at Cloudflare, specializing in mobile and Linux security. Along with writing security automation software, he specializes in reverse engineering and malware analysis. Some interesting past projects include reversing the Android Market protocol, Dalvik decompilers, and memory manipulation on mobile devices. Past speaking and training engagements have included DEFCON, BlackHat, SyScan, HiTCON, EICAR and QSPI.

Caleb Fenton

RedNaga, Oakland, CA, USA
Caleb Fenton is a security researcher at SentinelOne and has spent the past 6 years reversing Android apps and researching malware. He's created or maintains several open source Android reverse engineering and anti-malware tools such as Simplify and dex-oracle (Android deobfuscators), smalivm (Smali emulator / virtual machine), and APKiD (PEiD for Android).

Abstract

Compiler fingerprinting is a technique for identifying the compiler used to create an executable. Executable file formats are usually flexible, and different compilers may introduce subtle differences in structure and organization. We have developed a tool called APKiD which can determine the compiler used to create or modify Dalvik executables and Android binary XML files. This allows us to distinguish between apps compiled from the original source code and apps which have been modified using non-standard compilers such as dexlib. We believed the two main reasons for modifying an Android app were (1) cracking and piracy and (2) injecting malicious code. We tested this belief by comparing the compiler profiles of various app markets with different tolerances for cracked or malicious apps, to see whether the percentage of modified apps was inversely proportional to how strictly the store policed submissions. We found that strict markets such as Google Play had significantly lower rates of modified apps compared to less strict markets such as Aptoide and BlapkMarket. Additionally, we analyzed ~138,000 benign apps and known malware samples to compare the rates of modification between the two groups. We found much higher rates of modification for malware than for benign apps. Thus, knowing whether an app has been modified appears to be a good signal for maliciousness or software piracy.

This talk presents the history and evolution of various Android compilers, introduces APKiD, summarizes the technical details for how APKiD works, and reviews applications for using compiler fingerprinting to improve detection and classification of malware and pirated apps.
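To make the "subtle differences in structure" concrete, the following added example (not APKiD's code, nor the authors') parses the header and map list of a Dalvik executable and reduces them to a small structural profile of the kind a fingerprinting tool compares against known compiler signatures. The two compiler profiles in `KNOWN_PROFILES` and the `build_sample_dex` input are constructed for illustration only; the real signatures are in APKiD's rule set.

```python
import struct

# Map-list item type codes from the DEX format specification.
TYPE_HEADER_ITEM, TYPE_STRING_ID_ITEM, TYPE_MAP_LIST = 0x0000, 0x0001, 0x1000
TYPE_CLASS_DATA_ITEM, TYPE_CODE_ITEM, TYPE_STRING_DATA_ITEM = 0x2000, 0x2001, 0x2002

# The order in which a compiler emits map-list items is one structural trait
# that can differ between toolchains. These profiles are CONSTRUCTED for
# illustration (hypothetical names); they are not APKiD's real signatures.
KNOWN_PROFILES = {
    "hypothetical-compiler-A": (TYPE_HEADER_ITEM, TYPE_STRING_ID_ITEM, TYPE_CODE_ITEM,
                                TYPE_STRING_DATA_ITEM, TYPE_CLASS_DATA_ITEM, TYPE_MAP_LIST),
    "hypothetical-compiler-B": (TYPE_HEADER_ITEM, TYPE_STRING_ID_ITEM, TYPE_STRING_DATA_ITEM,
                                TYPE_CLASS_DATA_ITEM, TYPE_CODE_ITEM, TYPE_MAP_LIST),
}

def dex_profile(data: bytes) -> dict:
    """Extract header and map-list traits usable as fingerprint features."""
    if len(data) < 0x70 or data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    version = data[4:7].decode()                      # e.g. "035"
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    map_off = struct.unpack_from("<I", data, 0x34)[0]
    (n_items,) = struct.unpack_from("<I", data, map_off)
    # Each map_item: ushort type, ushort unused, uint size, uint offset (12 bytes).
    items = [struct.unpack_from("<HHII", data, map_off + 4 + 12 * i) for i in range(n_items)]
    return {
        "version": version,
        "header_size_standard": header_size == 0x70,
        "little_endian": endian_tag == 0x12345678,
        "map_is_last": map_off + 4 + 12 * n_items == file_size,
        "map_order": tuple(item[0] for item in items),
    }

def fingerprint(data: bytes) -> str:
    """Match the map-list ordering against the (constructed) profile table."""
    order = dex_profile(data)["map_order"]
    for name, known_order in KNOWN_PROFILES.items():
        if order == known_order:
            return name
    return "unknown"

def build_sample_dex(order) -> bytes:
    """Construct a minimal, non-loadable DEX carrying the given map order."""
    map_list = struct.pack("<I", len(order)) + b"".join(
        struct.pack("<HHII", t, 0, 1, 0) for t in order)
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<III", header, 0x20, 0x70 + len(map_list), 0x70, 0x12345678)
    struct.pack_into("<I", header, 0x34, 0x70)   # map list placed right after the header
    return bytes(header) + map_list
```

A real run would feed `classes.dex` extracted from an APK into `dex_profile`, and an "unknown" or non-standard profile on an app that claims to be an unmodified store build is the kind of signal the abstract describes.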
