Android is the dominant mobile platform with 85% market share, as of the first quarter of 2017. At the same time, the number and sophistication of malicious Android apps are increasing.
Many reasons contribute to this meteoric rise of malware apps, including: (1) the relative ease of creating a piggybacked app, i.e., a mutated version of a legitimate app injected with either malicious code or embedded advertisements; and (2) the prevalence of alternative Android app stores (i.e., app stores other than the official Android app store, Google Play), on which malicious apps may be distributed to users.
To protect mobile devices, users often rely on anti-malware products, which scan apps to determine if they are benign or malicious. However, many malware apps have previously evaded detection by these products. Examples of such malicious apps include Brain Test, VikingHorde, FalseGuide, and DressCode. These apps infected millions of users before they were detected. To evade detection, malware authors often rely on code obfuscation, i.e., transforming code into a form that is more difficult for humans, and possibly machines, to read, understand, and reverse engineer. These transformations change the syntax of the code but not its semantics.
To better protect the intellectual property of benign app developers and prevent cloning of their apps, several companies have developed obfuscation tools, or obfuscators for short, that implement different code transformations (e.g., identifier renaming, string encryption, reflection, etc.). Given the use of obfuscation by malware authors, the goal of this study is to assess the performance of commercial anti-malware products against various obfuscation tools and strategies. In addition, this study evaluates the ability of obfuscation tools to generate valid, installable, and runnable obfuscated Android apps.
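As an added illustration that is not part of the paper, the following Java snippet shows one method in plain form and again after identifier renaming, string encryption, and reflection have been applied by hand; the XOR key, the renamed identifiers, and the byte values are constructed for this example. It makes concrete why a scanner keyed on names or string literals sees different syntax while the behaviour is unchanged.

```java
import java.lang.reflect.Method;

// Plain form: what the app developer writes.
class Greeter {
    public String greet(String name) {
        return "Hello, " + name;
    }
}

// The same method after three transformations an obfuscator applies:
// identifier renaming (Greeter/greet -> a/a), string encryption
// (literals stored XOR-ed with a constructed key 0x2A) and reflection
// (the call target "concat" is resolved at run time, so neither the
// greeting nor the method name appears as a literal in the bytecode).
class a {
    // "Hello, " XOR 0x2A, byte by byte (values computed for this example).
    private static final byte[] b = {0x62, 0x4f, 0x46, 0x46, 0x45, 0x06, 0x0a};
    // "concat" XOR 0x2A, the reflected method name.
    private static final byte[] c = {0x49, 0x45, 0x44, 0x49, 0x4b, 0x5e};

    // Run-time decryption routine inserted by the obfuscator.
    private static String d(byte[] e) {
        char[] f = new char[e.length];
        for (int g = 0; g < e.length; g++) {
            f[g] = (char) (e[g] ^ 0x2A);
        }
        return new String(f);
    }

    public String a(String h) throws Exception {
        // Equivalent to "Hello, ".concat(h), but the scanner only sees
        // byte arrays, a loop and a generic reflective invocation.
        Method i = String.class.getMethod(d(c), String.class);
        return (String) i.invoke(d(b), h);
    }
}

public class ObfuscationDemo {
    public static void main(String[] args) throws Exception {
        String plain = new Greeter().greet("world");
        String obfuscated = new a().a("world");
        // Same semantics, different syntax: a detector that relies on the
        // literal text of strings or method names will not match both.
        System.out.println(plain.equals(obfuscated) ? "equivalent" : "mismatch");
    }
}
```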