Abstract
From a small research experiment to an essential component of military
arsenals, malicious software has been growing and evolving constantly
for more than three decades. Meanwhile, from a negligible market
share, the Android operating system is nowadays the most widely used
mobile operating system, becoming a desirable target for large-scale
malware distribution. While scientific literature has followed this
trend, one aspect has been understudied: the role of native code in
malicious Android apps. Android apps are written in high-level
languages, but thanks to the Java Native Interface (JNI), Android also
supports calling native (C/C++) library functions. While allowing native
code in Android apps has a strong positive impact from a performance
perspective, it dramatically complicates its analysis because bytecode
and native code need different abstractions and analysis algorithms, and
they thus pose different challenges and limitations. Consequently, these
difficulties are often (ab)used to hide malicious payloads. In this
work, we propose a novel methodology for reverse engineering Android apps
that focuses on suspicious patterns related to native components, i.e.,
surreptitious code that requires further inspection. We implemented a
static analysis tool based on this methodology, which bridges the
“Java” and the native worlds and performs an in-depth analysis to tag
code blocks responsible for suspicious behavior. These tags benefit the
human facing the reverse engineering task: they clearly indicate which
part of the code to focus on to find malicious code. Then, we performed
a longitudinal analysis of Android malware over the past ten years and
compared the recent malicious samples with current top apps on the Google
Play Store. Our work depicts typical behaviors of modern malware, its
evolution, and how it abuses the native layer to complicate the
analysis, especially with dynamic code loading and novel anti-analysis
techniques. Finally, we show a use case for our suspicious tags: we
trained and tested a machine learning algorithm for a binary
classification task. Although suspicious does not imply malicious, our
classifier obtained a remarkable F1-score of 0.97, showing that our
methodology can be helpful to both humans and machines.
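The first step in bridging the “Java” and native worlds statically is mapping each Java `native` declaration to the JNI export symbol it binds to. The following is an added example, not code from the paper's tool: it implements the JNI name-mangling rules from the JNI specification and checks a constructed list of declarations against a constructed export table; declarations with no matching export can only be bound at runtime (e.g. via `RegisterNatives` in `JNI_OnLoad`), which is exactly the kind of block an analyst would want flagged for closer inspection. Class, method and symbol names below are constructed.

```python
"""Map Java `native` declarations to JNI export symbols (JNI name mangling)."""
from dataclasses import dataclass


def _escape(s: str) -> str:
    # JNI mangling: '_' -> '_1', ';' -> '_2', '[' -> '_3', '/' -> '_',
    # other non-alphanumeric chars -> '_0' + 4 lowercase hex digits.
    out = []
    for ch in s:
        if ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch in "/.":
            out.append("_")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


@dataclass(frozen=True)
class NativeDecl:
    cls: str                  # internal class name, e.g. "com/example/app/NativeBridge"
    method: str               # Java method name, e.g. "run_payload"
    args: str = ""            # JVM argument descriptor, only needed for overloads
    overloaded: bool = False  # overloaded natives get a "__<args>" suffix


def jni_symbol(decl: NativeDecl) -> str:
    sym = f"Java_{_escape(decl.cls)}_{_escape(decl.method)}"
    return sym + "__" + _escape(decl.args) if decl.overloaded else sym


def bridge(decls, exports):
    """Split declarations into statically bound (found as export) and unbound."""
    exports = set(exports)
    bound = {d: jni_symbol(d) for d in decls if jni_symbol(d) in exports}
    unbound = [d for d in decls if d not in bound]  # must use RegisterNatives
    return bound, unbound


# Constructed sample input (hypothetical app, not a real sample).
DECLS = [
    NativeDecl("com/example/app/NativeBridge", "init"),
    NativeDecl("com/example/app/NativeBridge", "run_payload"),
    NativeDecl("com/example/app/NativeBridge", "decrypt", "[B", True),
    NativeDecl("com/example/app/NativeBridge", "decrypt", "Ljava/lang/String;", True),
]
EXPORTS = ["JNI_OnLoad", "Java_com_example_app_NativeBridge_init",
           "Java_com_example_app_NativeBridge_run_1payload",
           "Java_com_example_app_NativeBridge_decrypt___3B"]
```

Running `bridge(DECLS, EXPORTS)` binds three declarations and leaves the `String` overload unbound, so the library's `JNI_OnLoad` is where an analyst would look next.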