
Research On Reversing The Packed Android Malware Plugin Based On Visual Exploration

Posted on: 2017-11-28 | Degree: Master | Type: Thesis
Country: China | Candidate: H M Zhang | Full Text: PDF
GTID: 2348330503972493 | Subject: Computer technology
Abstract/Summary:
Most traditional anti-virus engines rely on signature matching. A packed application decrypts its encrypted malicious code into memory only at run time, so it bypasses static signature scanning and escapes detection. Recent trojan apps also delay the execution of their malicious code: they start a timer and then run the code through dynamic loading and reflection. Packing services are a flagship product for many security companies; while they protect developers' copyright, they also give criminals considerable convenience, and at present many Trojans use the free packing services these companies provide. To analyze a malicious sample, security companies generally need to recover the malicious application's source code. Few systems can reverse packed malicious applications, and even fewer can reverse applications that dynamically load packed malicious code and extract its dex file.

Building on a comprehensive study of current packing and dynamic loading techniques, this thesis proposes and implements a reversing system named PluginExtractDroid. PluginExtractDroid reuses the unpacking function of the Dexhunter system; according to the structure of the application's executable dex file, it draws the different parts of the file in different colors and then uses visual exploration to classify packed malicious applications. The thesis analyzes the critical execution path an application follows when it uses dynamic loading. By modifying the source code of the Dalvik virtual machine, the system records the memory location of a plugin when the host application dynamically loads it. When the plugin is triggered and downloaded to the phone, it must be interpreted by the Dalvik virtual machine; all of the plugin's Java classes are then actively loaded and initialized, and their in-memory information is recorded in order to generate a new dex file. PluginExtractDroid is prototyped on Android 4.4.4, and the experiments cover reversing packed malicious applications, obtaining dynamically loaded plugins, and measuring system performance overhead. The results show that PluginExtractDroid effectively reverses packed malicious plugins, with overall system performance decreasing by about 24% relative to the native Android system.
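The structural view the abstract describes, in which each region of a dex file is assigned to a section (and hence a color) and a dumped or packed file is recognized by its inconsistent header, rests on parsing the fixed 112-byte dex header. The following is an added example written for this page; it is not PluginExtractDroid's or Dexhunter's code. It parses the header fields defined by the dex format, builds the byte-range-to-section map, checks the Adler-32 checksum and flags tables that overlap or run past file_size, as a dump with a stale header often does. The sample file is a constructed, dex-shaped blob with a consistent header and no real bytecode.

```python
"""Dex header parser: map every byte range of a dex file to a named section
and flag header fields that do not describe a sane file.
Added example for this page; not PluginExtractDroid's or Dexhunter's code."""
import struct
import zlib

DEX_HEADER_SIZE = 0x70
# (field name, struct format) in on-disk order; every integer is a little-endian u4
HEADER_FIELDS = [
    ("magic", "8s"), ("checksum", "I"), ("signature", "20s"),
    ("file_size", "I"), ("header_size", "I"), ("endian_tag", "I"),
    ("link_size", "I"), ("link_off", "I"), ("map_off", "I"),
    ("string_ids_size", "I"), ("string_ids_off", "I"),
    ("type_ids_size", "I"), ("type_ids_off", "I"),
    ("proto_ids_size", "I"), ("proto_ids_off", "I"),
    ("field_ids_size", "I"), ("field_ids_off", "I"),
    ("method_ids_size", "I"), ("method_ids_off", "I"),
    ("class_defs_size", "I"), ("class_defs_off", "I"),
    ("data_size", "I"), ("data_off", "I"),
]
HEADER_FMT = "<" + "".join(fmt for _, fmt in HEADER_FIELDS)
# fixed entry sizes of the id tables, from the dex format specification
ENTRY_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
              "field_ids": 8, "method_ids": 8, "class_defs": 32}


def field_offset(name):
    """Byte offset of a header field, derived from the field order above."""
    fmt = "<"
    for field, f in HEADER_FIELDS:
        if field == name:
            return struct.calcsize(fmt)
        fmt += f
    raise KeyError(name)


def parse_header(blob):
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("too short for a dex header")
    values = struct.unpack_from(HEADER_FMT, blob, 0)
    hdr = dict(zip((n for n, _ in HEADER_FIELDS), values))
    if not hdr["magic"].startswith(b"dex\n"):
        raise ValueError("bad magic")
    # the Adler-32 checksum covers everything after the 12-byte magic+checksum prefix
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == hdr["checksum"]
    return hdr


def section_map(hdr):
    """Return [(name, start, end)] sorted by offset; end is exclusive."""
    sections = [("header", 0, hdr["header_size"])]
    for name, size in ENTRY_SIZE.items():
        count, off = hdr[name + "_size"], hdr[name + "_off"]
        if count:
            sections.append((name, off, off + count * size))
    if hdr["data_size"]:
        sections.append(("data", hdr["data_off"], hdr["data_off"] + hdr["data_size"]))
    return sorted(sections, key=lambda s: s[1])


def check_layout(hdr, sections):
    """Problems a dumped or packed dex commonly shows: tables past the end of
    the file, overlapping tables, or a checksum that no longer matches."""
    problems, prev_end = [], 0
    for name, start, end in sections:
        if end > hdr["file_size"]:
            problems.append(f"{name} runs past file_size")
        if start < prev_end:
            problems.append(f"{name} overlaps previous section")
        prev_end = max(prev_end, end)
    if not hdr["checksum_ok"]:
        problems.append("checksum mismatch")
    return problems


def colour_of(offset, sections):
    """Label (the 'color') of one byte offset: its section, else 'gap'."""
    for name, start, end in sections:
        if start <= offset < end:
            return name
    return "gap"


def build_sample_dex():
    """Constructed 400-byte dex-shaped blob with a consistent header (no real code)."""
    file_size = 400
    hdr = struct.pack(HEADER_FMT, b"dex\n035\x00", 0, b"\x00" * 20,
                      file_size, DEX_HEADER_SIZE, 0x12345678, 0, 0, 0xC0,
                      3, 0x70, 2, 0x7C, 1, 0x84, 0, 0, 2, 0x90, 1, 0xA0,
                      file_size - 0xC0, 0xC0)
    blob = bytearray(hdr + b"\x00" * (file_size - DEX_HEADER_SIZE))
    struct.pack_into("<I", blob, field_offset("checksum"), zlib.adler32(bytes(blob[12:])) & 0xFFFFFFFF)
    return bytes(blob)


def set_field(blob, name, value):
    """Return a copy of blob with one u4 header field overwritten (simulates a stale dump header)."""
    out = bytearray(blob)
    struct.pack_into("<I", out, field_offset(name), value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_dex()
    secs = section_map(parse_header(sample))
    for name, start, end in secs:
        print(f"{name:12s} {start:#06x}-{end:#06x}")
```

Running the script prints one line per section of the sample file; feeding the same functions a real dex (or a memory dump of one) shows where the header-described tables fall and which header fields a dump left pointing outside the file.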
Keywords/Search Tags: Android, Visual Exploration, Dynamic Loading, Reversing, Malicious plugin