Software Technology Group @ TU Darmstadt

Hidden in Plain Sight: Obfuscated Strings Threatening Your Privacy

by Leonid Glanz, Patrick Müller, Baumgärtner, Michael Reif, Sven Amann, Pauline Anthonysamy, and Mira Mezini

Abstract: String obfuscation is an established technique used by proprietary, closed-source applications to protect intellectual property. Furthermore, it is also frequently used to hide spyware or malware in applications. In both cases, the techniques range from bit-manipulation over XOR operations to AES encryption. However, string obfuscation techniques/tools suffer from one shared weakness: They generally have to embed the necessary logic to deobfuscate strings into the app code. In this paper, we show that most of the string obfuscation techniques found in malicious and benign applications for Android can easily be broken in an automated fashion. We developed StringHound, an open-source tool that uses novel techniques that identify obfuscated strings and reconstruct the originals using slicing. We evaluated StringHound on both benign and malicious Android apps. In summary, we deobfuscate almost 30 times more obfuscated strings than other string deobfuscation tools. Additionally, we analyzed 100,000 Google Play Store apps and found multiple obfuscated strings that hide vulnerable cryptographic usages, insecure internet accesses, API keys, hard-coded passwords, and exploitation of privileges without the awareness of the developer. Furthermore, our analysis reveals that not only malware uses string obfuscation but also benign apps make extensive use of string obfuscation.

Resources

BibTeX

@inproceedings {GMB+,
  title = {{Hidden in Plain Sight: Obfuscated Strings Threatening Your Privacy}},
  author = {Glanz, Leonid and Müller, Patrick and Baumgärtner,  and Reif, Michael and Amann, Sven and Anthonysamy, Pauline and Mezini, Mira},
  booktitle = {{Proceedings of the 15th ACM Asia Conference on Computer and Communications Security}},
  series = {Asia CCS},
  pages = {694–707},
  year = {2020},
  doi = {10.1145/3320269.3384745},
  url = {http://dx.doi.org/10.1145/3320269.3384745},
}