Android malware is getting more and more sophisticated. To impede analysis, modern malware families use various anti-analysis techniques such as code encryption, packers, code obfuscators, and detectors for emulators, rooted devices, or hooks, as well as integrity checks. Current static code-analysis tools such as apktool or JEB quickly reach their limits with heavily obfuscated code. Dynamic code-analysis tools, on the other hand, are frequently tricked by emulator detection. If malware applications use such techniques in combination, many automatic code-analysis tools fail due to their intrinsic limitations, leaving manual analysis as the only viable option - a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment (IREE) targeting sophisticated state-of-the-art malware apps for Android. With features such as interactive debugging on a human-readable representation of the application's bytecode, CodeInspect aims to greatly reduce the time an analyst requires to understand and judge applications. CodeInspect is built on the well-known Eclipse RCP framework, so users who already know Eclipse get a familiar experience. Using CodeInspect, the engineer can debug the app live, rename (obfuscated) identifiers, jump to definitions, remove or add statements, and more. Reverse engineers can even add new Java source classes or projects to the application, which can then be called from the original app's code. CodeInspect compiles Java source code added this way directly into the original application. This is especially useful when implementing decryption methods, which can be tested directly within our framework.
On top of the above, CodeInspect includes new code-analysis techniques that, to the best of our knowledge, do not exist in any other equivalent tool. These techniques include fully automatic de-obfuscation of reflective method calls, string de-obfuscation, and a very precise data-flow tracking component that shows suspicious flows from sensitive sources to public sinks, all of which can easily be used in combination.
We will give an introduction to "Jimple", CodeInspect's typed intermediate language, and contrast it with register-based representations such as the one used in IDAPro. Being very close to source code, Jimple significantly eases the task of analyzing Android apps. Next, we describe the features of CodeInspect, especially the Jimple debugging feature, and give a live demo analyzing current malicious applications that contain cutting-edge anti-analysis techniques. An excerpt of CodeInspect can be found on our website.
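As an added illustration of the two techniques named above, resolving reflective method calls and string de-obfuscation working in combination on a typed three-address representation, the following Python sketch is not part of the original abstract and not CodeInspect's code. It models a Jimple-like IR with a few dataclasses, folds constant strings through a hypothetical decoder routine (`com.example.Obf.d`, an XOR-over-hex toy), propagates the results through `Class.forName`, `Class.getMethod` and `Method.invoke`, and rewrites the resolved call into a direct `staticinvoke`/`virtualinvoke`. The sample method body, the decoder table and the key are constructed; real Jimple method signatures also carry parameter and return types, which are omitted here.

```python
"""Toy resolver for reflective calls plus string de-obfuscation over a
Jimple-like, typed three-address IR. Constructed for illustration only;
this is not CodeInspect's implementation, and the rendered method
signatures omit the parameter and return types real Jimple prints."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Const:            # $r0 = "literal"
    value: str

@dataclass
class Invoke:           # staticinvoke <C: m>(args)  /  virtualinvoke base.<C: m>(args)
    kind: str
    cls: str
    name: str
    args: list
    base: Optional[str] = None

@dataclass
class Assign:           # every statement in this toy is "local = rhs"
    target: str
    rhs: object

def render(st: Assign) -> str:
    """Print a statement in Jimple-like textual form."""
    r = st.rhs
    if isinstance(r, Const):
        return f'{st.target} = "{r.value}"'
    callee = f"<{r.cls}: {r.name}>({', '.join(r.args)})"
    if r.kind == "staticinvoke":
        return f"{st.target} = staticinvoke {callee}"
    return f"{st.target} = virtualinvoke {r.base}.{callee}"

# Hypothetical decoder table: (class, method) of a string-decryption routine the
# analyst has identified -> Python function evaluating it on constant arguments.
KEY = 0x2A              # constructed key for the toy XOR decoder
def xor_hex_decode(s: str) -> str:
    return bytes(b ^ KEY for b in bytes.fromhex(s)).decode()
DECODERS = {("com.example.Obf", "d"): xor_hex_decode}

def resolve(body: list) -> tuple:
    """Single forward pass over straight-line code: fold constants through the
    decoders, then through forName/getMethod/invoke. Returns (rewritten body,
    statements that stayed reflective because an operand was not constant)."""
    consts, classes, methods = {}, {}, {}
    out, unresolved = [], []
    for st in body:
        r, fact = st.rhs, None          # fact: (kind, value) learned for st.target
        if isinstance(r, Const):
            fact = ("const", r.value)
        elif (r.cls, r.name) in DECODERS and all(a in consts for a in r.args):
            value = DECODERS[(r.cls, r.name)](*(consts[a] for a in r.args))
            fact = ("const", value)
            st = Assign(st.target, Const(value))            # string de-obfuscation
        elif r.cls == "java.lang.Class" and r.name == "forName":
            if r.args[0] in consts:
                fact = ("class", consts[r.args[0]])
            else:
                unresolved.append(st)
        elif r.cls == "java.lang.Class" and r.name == "getMethod":
            if r.base in classes and r.args[0] in consts:
                fact = ("method", (classes[r.base], consts[r.args[0]]))
            else:
                unresolved.append(st)
        elif r.cls == "java.lang.reflect.Method" and r.name == "invoke":
            if r.base in methods:
                cls, name = methods[r.base]
                receiver, real_args = r.args[0], r.args[1:]   # invoke(receiver, args...)
                if receiver == "null":                        # static target
                    st = Assign(st.target, Invoke("staticinvoke", cls, name, real_args))
                else:
                    st = Assign(st.target, Invoke("virtualinvoke", cls, name, real_args, base=receiver))
            else:
                unresolved.append(st)
        for facts in (consts, classes, methods):              # reassignment kills old facts
            facts.pop(st.target, None)
        if fact:
            {"const": consts, "class": classes, "method": methods}[fact[0]][st.target] = fact[1]
        out.append(st)
    return out, unresolved

def sample_body() -> list:
    """Constructed method body: one reflective call whose class name goes through
    the decoder, and one whose class name arrives at runtime and stays opaque."""
    enc = bytes(b ^ KEY for b in b"com.example.Loader").hex()   # constructed ciphertext
    return [
        Assign("$r0", Const(enc)),
        Assign("$r1", Invoke("staticinvoke", "com.example.Obf", "d", ["$r0"])),
        Assign("$r2", Invoke("staticinvoke", "java.lang.Class", "forName", ["$r1"])),
        Assign("$r3", Const("start")),
        Assign("$r4", Invoke("virtualinvoke", "java.lang.Class", "getMethod", ["$r3"], base="$r2")),
        Assign("$r5", Invoke("virtualinvoke", "java.lang.reflect.Method", "invoke", ["null", "$r6"], base="$r4")),
        Assign("$r7", Invoke("staticinvoke", "java.lang.Class", "forName", ["$r8"])),  # $r8 read at runtime
    ]

if __name__ == "__main__":
    body, left = resolve(sample_body())
    for st in body:
        print(render(st))
    print(f"{len(left)} reflective call(s) could not be resolved statically")
```

The pass is deliberately limited to straight-line code and exact constant matches: the last `forName` in the sample keeps its reflective form because its argument never becomes a constant, which is exactly the case an analyst still has to handle by hand (or with a live debugger, as the talk describes).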
Slides as PDF