thesis/4_class_loader/6_conclusion.typ
Jean-Marie 'Histausse' Mineau f23390279c
pass chap 4
2025-09-29 03:10:59 +02:00


#import "../lib.typ": SDK, pb2, pb2-text, highlight-block, ie, todo
#import "X_var.typ": *
== Conclusion <sec:cl-conclusion>
#todo[It would still be good to submit a PR or two to Jadx/Androguard/Soot]
This chapter has presented three shadow attacks that allow malware developers to fool static analysis tools when reversing an Android application.
By including multiple classes with the same name, or by reusing the name of a class of the #Asdk, the developer can mislead a reverse engineer or alter the result of a flow analysis such as those performed by Androguard or Flowdroid.
We explored whether such shadow attacks are present in a dataset of #nbapk applications.
We found that, on average, #shadowsdk of applications shadow the #SDK, mainly for backward-compatibility purposes and library embedding.
More suspiciously, #shadowhidden of applications shadow a hidden class, which could lead to unexpected execution, since such classes can appear or disappear as Android internals evolve.
Investigation of applications that define classes multiple times suggests that the compilation process or the inclusion of different versions of the same library is the main explanation.
Finally, when investigating malware samples, we found a specific sample containing a shadow attack that would hide part of the critical code from a reverse engineer studying the application.
#v(2em)
#align(center, highlight-block(inset: 15pt, width: 75%, breakable: false, block(align(left)[
#pb2: #pb2-text
#v(0.75em)
@lst:cl-loading-alg models the class loading algorithm: platform classes have priority over classes stored in `classes.dex`, which have priority over classes stored in `classes<n>.dex` (where $n in [| 2, +infinity [| $ and $forall i in [| 2, n [|, exists $ `classes<i>.dex`), which in turn have priority over classes stored in `classes<n+1>.dex`.
Failing to implement this model (#ie by ignoring some platform classes or by sorting the `classes<n>.dex` files alphabetically instead of numerically) can cause static analysis tools to compute an incorrect representation of the analysed application.
])))
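The priority model stated above, as an added example that is not part of the thesis or of any of the tools it discusses. It implements the resolution order (platform classes, then `classes.dex`, then `classes2.dex`, `classes3.dex`, and so on, stopping at the first missing index) beside the alphabetical ordering the text warns about, and reports every class definition that a dex file contains but that the runtime would resolve elsewhere. The dex contents and the platform class set are constructed sample data; the function names are my own.

```python
import re

# Constructed sample (not taken from the thesis): dex file -> class descriptors it defines.
# classes2.dex redefines Crypto from classes.dex; classes10.dex redefines Net from
# classes2.dex and a platform class, java.lang.String.
SAMPLE_APK = {
    "classes.dex": {"Lcom/example/Main;", "Lcom/example/Crypto;"},
    "classes2.dex": {"Lcom/example/Crypto;", "Lcom/example/Net;"},
    **{f"classes{i}.dex": {f"Lcom/example/Filler{i};"} for i in range(3, 10)},
    "classes10.dex": {"Lcom/example/Net;", "Ljava/lang/String;"},
}
# Constructed stand-in for the platform (boot classpath) classes.
PLATFORM_CLASSES = {"Ljava/lang/String;", "Landroid/app/Activity;"}

DEX_NAME = re.compile(r"^classes(\d*)\.dex$")


def dex_index(name):
    """classes.dex -> 1, classes<n>.dex -> n, anything else -> None."""
    m = DEX_NAME.match(name)
    if m is None:
        return None
    return 1 if m.group(1) == "" else int(m.group(1))


def runtime_order(names):
    """Order of the model: classes.dex, classes2.dex, classes3.dex, ...
    Stops at the first missing index, since the model only counts
    classes<n>.dex when every classes<i>.dex with 2 <= i < n exists."""
    by_index = {dex_index(n): n for n in names if dex_index(n) is not None}
    order, i = [], 1
    while i in by_index:
        order.append(by_index[i])
        i += 1
    return order


def alphabetical_order(names):
    """The flawed ordering the text warns about: a plain string sort,
    which places classes10.dex before classes2.dex."""
    return sorted(n for n in names if dex_index(n) is not None)


def resolve(class_name, apk, platform, order=runtime_order):
    """Return 'platform', the name of the dex file whose definition wins,
    or None when the class is defined nowhere that gets loaded."""
    if class_name in platform:
        return "platform"
    for dex in order(apk):
        if class_name in apk[dex]:
            return dex
    return None


def shadowed_definitions(apk, platform, order=runtime_order):
    """Map each class that some dex defines but that resolves elsewhere to
    the list of (losing dex, winner) pairs. Running this over an analysis
    tool's own class table is a cheap check that it follows the model."""
    result = {}
    for dex, classes in apk.items():
        for c in sorted(classes):
            winner = resolve(c, apk, platform, order)
            if winner != dex:
                result.setdefault(c, []).append((dex, winner))
    return result


if __name__ == "__main__":
    for order in (runtime_order, alphabetical_order):
        print(order.__name__, "->",
              resolve("Lcom/example/Net;", SAMPLE_APK, PLATFORM_CLASSES, order))
    for c, losers in shadowed_definitions(SAMPLE_APK, PLATFORM_CLASSES).items():
        print(c, losers)
```

With the sample data, the numeric order resolves `Lcom/example/Net;` to `classes2.dex` while the alphabetical order resolves it to `classes10.dex`, which is exactly the divergence between a tool's view and the runtime's that the block above describes; the `String` definition in `classes10.dex` is reported as shadowed by the platform.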