parent c9752714db
commit f23390279c
7 changed files with 177 additions and 182 deletions
|
@ -6,13 +6,13 @@
|
|||
#todo[Ca serait bien de faire un PR ou deux a Jadx/Androguard/Soot quand même]
|
||||
|
||||
This chapter has presented three shadow attacks that allow malware developers to fool static analysis tools when reversing an Android application.
|
||||
By including multiple classes with the same name or by using the same name as a class of the #Asdk, the developer can mislead a reverse engineer or impact the result of a flow analysis, such as the ones of Androguard or Flowdroid.
|
||||
By including multiple classes with the same name or by using the same name as a class of the #Asdk, the developer can mislead a reverse engineer or impact the result of a flow analysis, such as those of Androguard or Flowdroid.
|
||||
|
||||
We explored if such shadow attacks are present in as dataset of #nbapk applications .
|
||||
We explored whether such shadow attacks are present in a dataset of #nbapk applications.
|
||||
We found that on average, #shadowsdk of applications are shadowing the #SDK, mainly for retro-compatibility purposes and library embedding.
|
||||
More suspiciously, #shadowhidden of applications are shadowing a hidden class, which could lead to unexpected execution as these classes can appear/disappear with the evolution of Android internals.
|
||||
Investigations for applications that defined classes multiple times suggest that the compilation process or the inclusion of different versions of the same library is the main explanation.
|
||||
Finally, when investigating malware samples, we found a specific sample containing a shadow attack that would hide a part of the critical code from a reverser studying the application.
|
||||
Finally, when investigating malware samples, we found a specific sample containing a shadow attack that would hide a part of the critical code from a reverse engineer studying the application.
|
||||
|
||||
#v(2em)
|
||||
|
||||
|
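Review bot: the `#todo[...]` marker on the first context line (French, "it would be nice to open a PR or two against Jadx/Androguard/Soot anyway") survives this copy-edit pass and will still render in the chapter body; resolve it or move it out of the printed text before the conclusion is finalised. The three wording fixes themselves are consistent with the surrounding lines (the "reverse engineer" replacement now matches the earlier "mislead a reverse engineer" sentence); two unchanged lines in the same hunk deserve the same treatment: "mainly for retro-compatibility purposes" would read better as "mainly for backward-compatibility purposes", and "Flowdroid" is normally written "FlowDroid".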
@ -21,6 +21,6 @@ Finally, when investigating malware samples, we found a specific sample containi
|
|||
#v(0.75em)
|
||||
@lst:cl-loading-alg model the class loading algorithm: platform classes have priority over classes stored in `classes.dex` which have priority over `classes<n>.dex` (where $n in [| 2, +infinity [| $ and $forall i in [| 2, n [|, exists $ `classes<i>.dex`) which has priority over `classes<n+1>.dex`.
|
||||
|
||||
Failing to implement this model (#ie by ignoring some platform classes or by sorting the `classes<n>.dex` alphabetically instead of numerically) can cause static analysis tools to compute an incorrect representation of the analyzed application.
|
||||
Failing to implement this model (#ie by ignoring some platform classes or by sorting the `classes<n>.dex` alphabetically instead of numerically) can cause static analysis tools to compute an incorrect representation of the analysed application.
|
||||
])))
|
||||
|
||||
|
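Review bot: the one change here, "analyzed" to "analysed", switches this line to British spelling, so the rest of the chapter should be checked for leftover -ize/-yze forms to keep a single convention. The unchanged line just above has a number-agreement slip that could be fixed in the same pass: "@lst:cl-loading-alg model the class loading algorithm" should read "models". That sentence's parenthetical would also be easier to read if the interval notation were replaced by the plain condition it encodes, e.g. "(where n ≥ 2 and a `classes<i>.dex` exists for every 2 ≤ i < n)", since the trailing "which has priority over `classes<n+1>.dex`" already states the ordering.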