This commit is contained in:
Jean-Marie Mineau 2025-10-01 15:51:12 +02:00
parent 346151125e
commit b5583dbae9
Signed by: histausse
GPG key ID: B66AEEDA9B645AD2
8 changed files with 110 additions and 41 deletions


@ -16,16 +16,20 @@
@article{classloaderinthemiddle,
author = {Mineau, Jean-Marie and Lalande, Jean-Fran\c{c}ois},
title = {Class loaders in the middle: confusing Android static analyzers},
title = {Class Loaders in the Middle: Confusing Android Static Analyzers},
year = {2025},
issue_date = {September 2025},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {6},
number = {3},
url = {https://doi.org/10.1145/3754457},
doi = {10.1145/3754457},
abstract = {When executing a mobile application, Android executes either the classes provided by the developer or the ones provided by the operating system. The dynamic linking and loading of the different classes is a complex task that may be exploited by an attacker. In particular, if the developer adds a class whose name collides with another class of Android, they may confuse a reverse engineer. In this paper, we explore the possible collisions that can occur between classes defined multiple times at different locations, i.e., multiple times in the APK file or, at the same time, in the APK and the operating system. We highlight three attacks that we call shadow attacks. In particular, we show that static analysis tools used by a reverse engineer choose the shadow implementation for most of the evaluated tools, and output a wrong result. In particular, the flow analysis of Androguard or Flowdroid can be fooled by an attacker. In a dataset of 49 975 applications, we also explored if shadow attacks are used in the wild and found that most of the time, there is no malicious behavior behind them. The main results are that 23.52 \% of applications shadow a class of the SDK and 3.11 \% a hidden class of the system.},
note = {Just Accepted},
abstract = {When executing a mobile application, Android executes either the classes provided by the developer or the ones provided by the operating system. The dynamic linking and loading of the different classes is a complex task that may be exploited by an attacker. In particular, if the developer adds a class whose name collides with another class of Android, they may confuse a reverse engineer. In this article, we explore the possible collisions that can occur between classes defined multiple times at different locations, i.e., multiple times in the APK file or, at the same time, in the APK and the operating system. We highlight three attacks that we call shadow attacks. In particular, we show that static analysis tools used by a reverse engineer choose the shadow implementation for most of the evaluated tools, and output a wrong result. In particular, the flow analysis of Androguard or Flowdroid can be fooled by an attacker. In a dataset of 49,975 applications, we also explored if shadow attacks are used in the wild and found that most of the time, there is no malicious behavior behind them. The main results are that 23.52\% of applications shadow a class of the SDK and 3.11\% a hidden class of the system.},
journal = {Digital Threats},
month = jul,
month = sep,
articleno = {19},
numpages = {19},
keywords = {Android, static analysis, class loading, code obfuscation}
}