Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques.

NDSS (2016)

Citations: 183 | Views: 174

Abstract
It is generally challenging to tell apart malware from benign applications. To make this decision, human analysts are frequently interested in runtime values: targets of reflective method calls, URLs to which data is sent, target telephone numbers of SMS messages, and many more. However, obfuscation and string encryption, used by malware as well as goodware, often render not only human inspection but also static analyses ineffective. In addition, malware frequently tricks dynamic analyses by detecting the execution environment emulated by the analysis tool and then refraining from malicious behavior.

In this work we therefore present HARVESTER, an approach to fully automatically extract runtime values from Android applications. HARVESTER is designed to extract values even from highly obfuscated state-of-the-art malware samples that obfuscate method calls using reflection, hide sensitive values in native code, load code dynamically and apply anti-analysis techniques. The approach combines program slicing with code generation and dynamic execution.

Experiments on 16,799 current malware samples show that HARVESTER fully automatically extracts many sensitive values, with perfect precision. The process usually takes less than three minutes and does not require human interaction. In particular, it goes without simulating UI inputs. Two case studies further show that by integrating the extracted values back into the app, HARVESTER can increase the recall of existing static and dynamic analysis tools such as FlowDroid and TaintDroid.