Dynamic code update techniques, such as dynamic class loading and reflection, enable Android apps to extend their functionality at runtime. At the same time, these techniques are misused by malware developers to transform a seemingly benign app into a malware, once installed on a real device. Among the corpus of evasive techniques used in modern real-world malware, evasive usage of dynamic code updates plays a key role.
First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamic code updates using our test apps, i.e., Reflection-Bench and InboxArchiver. Second, we present StaDART, combining static and dynamic analysis of Android apps to reveal the concealed behavior of malware. StaDART performs dynamic code interposition using a vtable tampering technique for API hooking to avoid modifications to the Android framework. Furthermore, we integrate it with a triggering solution, DroidBot, to make it more scalable and fully automated. We present our evaluation results with a dataset of 2,000 real world apps; containing 1,000 legitimate apps and 1,000 malware samples. The evaluation results with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is otherwise hidden to static analysis tools.