ARAP: Demystifying Anti Runtime Analysis Code in Android Apps

TL;DR

This paper presents a systematic study of anti-runtime analysis techniques in Android apps, revealing widespread adoption and introducing ARAP, a tool that effectively identifies these techniques through static and dynamic analysis.

Contribution

First comprehensive investigation of ARA techniques in Android apps, along with the development of ARAP, a tool for identifying ARA implementations.

Findings

Almost all apps have at least one ARA technique (99.6% benign, 97.0% malicious).

ARAP effectively detects ARA techniques in diverse Android apps.

The study covers a large dataset of over 117,000 apps from 2016 to 2023.

Abstract

With the continuous growth in the usage of Android apps, ensuring their security has become critically important. An increasing number of malicious apps adopt anti-analysis techniques to evade security measures. Although some research has started to consider anti-runtime analysis (ARA), it is unfortunate that they have not systematically examined ARA techniques. Furthermore, the rapid evolution of ARA technology exacerbates the issue, leading to increasingly inaccurate analysis results. To effectively analyze Android apps, understanding their adopted ARA techniques is necessary. However, no systematic investigation has been conducted thus far. In this paper, we conduct the first systematic study of the ARA implementations in a wide range of 117,171 Android apps (including both malicious and benign ones) collected between 2016 and 2023. Additionally, we propose a specific investigation tool named ARAP to assist this study by leveraging both static and dynamic analysis. According to the evaluation results, ARAP not only effectively identifies the ARA implementations in Android apps but also reveals many important findings. For instance, almost all apps have implemented at least one category of ARA technology (99.6% for benign apps and 97.0% for malicious apps).