Title: Thwarting Android app repackaging by executable code fragmentation
Authors: Ruxia Fan; Dingyi Fang; Zhanyong Tang; Xiaojiang Chen; Fangyuan Liu; Zhengqiao Li
Addresses: Department of Information Science and Technology, Northwest University, 1 Xuefu Ave., Guodu Education and Hi-Tech Industries Zone, Chang'an District, Xi'an, Shaanxi Province, China ' Department of Information Science and Technology, Northwest University, 1 Xuefu Ave., Guodu Education and Hi-Tech Industries Zone, Chang'an District, Xi'an, Shaanxi Province, China ' Department of Information Science and Technology, Northwest University, 1 Xuefu Ave., Guodu Education and Hi-Tech Industries Zone, Chang'an District, Xi'an, Shaanxi Province, China ' Department of Information Science and Technology, Northwest University, 1 Xuefu Ave., Guodu Education and Hi-Tech Industries Zone, Chang'an District, Xi'an, Shaanxi Province, China ' Department of Information Science and Technology, Northwest University, 1 Xuefu Ave., Guodu Education and Hi-Tech Industries Zone, Chang'an District, Xi'an, Shaanxi Province, China ' Department of Information Science and Technology, Northwest University, 1 Xuefu Ave., Guodu Education and Hi-Tech Industries Zone, Chang'an District, Xi'an, Shaanxi Province, China
Abstract: With the increasing popularity and adoption of Android-based smartphones, there are more and more Android malwares in app marketplaces. What's more, most malwares are repackaged versions of legitimate applications. Existing solutions have mostly focused on post-mortem detection of repackaged application. Lately, packing mechanism has been proposed to enable self-defence for Android apps against repackaging. However, since current app packing systems all load the executable file into process memory in plaintext intactly, it can be easily dumped, which would enable the repackaging again. To address this problem, we propose a more effective protection model, DexSplit, to prevent app repackaging. Inspired by the weakness of current app packing model, DexSplit maintains the protected dex file as several pieces throughout this application's entire lifecycle, which makes it difficult to be dumped. Experiments with a DexSplit prototype using six typical apps show that DexSplit effectively defends against app repackaging threats with reasonable performance overhead.
Keywords: Android security; malware; repackaging; memory dump.
DOI: 10.1504/IJHPCN.2017.086536
International Journal of High Performance Computing and Networking, 2017 Vol.10 No.4/5, pp.320 - 331
Received: 05 Oct 2015
Accepted: 06 Jan 2016
Published online: 12 Sep 2017 *