DexLego: Reassembleable Bytecode Extraction for Aiding Static Analysis
Zhenyu Ning, Fengwei Zhang

TL;DR
DexLego is a system that extracts and reconstructs Android bytecode at runtime to improve static analysis accuracy against obfuscation and code hiding techniques.
Contribution
It introduces a reassembleable bytecode extraction method using just-in-time collection to aid static analysis of Android apps.
Findings
Successfully reconstructs application behavior in reassembled DEX files
Significantly enhances static analysis results on DroidBench and real-world apps
Outperforms existing static analysis tools in detecting malicious behaviors
Abstract
The scale of Android applications in the market is growing rapidly. To efficiently detect malicious behavior in these applications, an array of static analysis tools has been proposed. However, static analysis tools suffer from code hiding techniques like packing, dynamic loading, self-modifying code, and reflection. In this paper, we thus present DexLego, a novel system that performs reassembleable bytecode extraction to aid static analysis tools in revealing the malicious behavior of Android applications. DexLego leverages just-in-time collection to extract data and bytecode from an application at runtime, and reassembles them into a new Dalvik Executable (DEX) file offline. The experiments on DroidBench and real-world applications show that DexLego correctly reconstructs the behavior of an application in the reassembled DEX file, and significantly improves the analysis results of the existing…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Digital and Cyber Forensics
