these-ammii/thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
thesis/4_class_loader/1_intro.typ
Jean-Marie Mineau 81f49f87d3
All checks were successful
/ test_checkout (push) Successful in 1m21s
Details
wip
2025-08-19 23:27:25 +02:00

23 lines
2.5 KiB
Typst
Raw Permalink Blame History

#import "../lib.typ": etal, ie, ART, DEX, APK, SDK
#import "X_var.typ": *
== Introduction
In this chapter, we study how Android handles the loading of classes in the case of multiple versions of the same class.
Such collision can exist inside the #APK file or between the #APK file and #Asdkc.
We intend to understand if a reverser would be impacted during a static analysis when dealing with such an obfuscated code.
Because this problem is already complex enough with the current operations performed by Android, we exclude the case where a developer recodes a specific class loader or replace a class loader by another one, as it is often the case for example in packed applications~@Duan2018.
We present a new technique that "shadows" a class #ie embeds a class in the #APK file and "presents" it to the reverser instead of the legitimate version.
The goal of such an attack is to confuse them during the reversing process: at runtime the real class will be loaded from another location of the #APK file or from the #Asdk, instead of the shadow version.
This attack can be applied to regular classes of the #Asdk or to hidden classes of Android~@he_systematic_2023 @li_accessing_2016.
We show how these attacks can confuse the tools of the reverser when he performs a static analysis.
In order to evaluate if such attacks are already used in the wild, we analysed #nbapk applications from 2023 that we extracted randomly from AndroZoo~@allixAndroZooCollectingMillions2016.
Our main result is that #shadowsdk of these applications contain shadow collisions against the #SDK and #shadowhidden against hidden classes.
Our investigations conclude that most of these collisions are not voluntary attacks, but we highlight one specific malware sample performing strong obfuscation revealed by our detection of one shadow attack.
The chapter is structured as follows.
@sec:cl-loading investigates the internal mechanisms about class loading and presents how a reverser can be confused by these mechanisms.
Then in @sec:cl-obfuscation, we design obfuscation techniques and we show their effect on static analysis tools.
Next, @sec:cl-wild evaluates if these obfuscation techniques are used in the wild, by searching inside #nbapk APKs if they exploit these techniques.
@sec:cl-conclusion extends on the possible countermesures against those shadow attacks, how they interact with other obfuscation techniques, as well as the limitations of this work and avenues left to explore.
Finally, @sec:cl-conclusion concludes the chapter.
Reference in a new issue View git blame Copy permalink