
Playing Hide and Seek with Dalvik Executables

Android's Dalvik Executables (DEX) are full of sneaky corners, and this is just perfect for a game of Hide and Seek.
The first round of the game begins by hiding an entire method within a DEX file. The method hides so well that all common disassemblers (baksmali, apktool, Androguard, IDA Pro...) are unable to see it. Nevertheless, we show the method is still there, as we can call it and execute it! The mechanism exploits a lack of verification of methods' layout, and it is particularly convenient for hiding a behaviour. Possible implications are the bypassing of marketplaces' screening or anti-reversing of malware.
Then, like in the Hide and Seek game, the second round focuses on finding the hidden parts. The paper explains where to look for hidden data, and we provide a script to un-cloak the DEX file. The method shows up again. The paper also discusses the PoC code and script that demo hiding and unhiding.
Updated Presentation Slides at Insomni'Hack (Switzerland, Geneva) in March 2014
Presentation Slides at Hacktivity (Budapest, Hungary) and Hack.Lu (Luxembourg) in October 2013
Demo Video 1: How to hide or reveal a method in DEX executables
Demo Video 2: Invoking a hidden method in DEX executables
Demo Video 3: Disassembling hidden methods
Demo Video 4: Detecting hidden methods


