Deoptfuscator: Defeating Advanced Control-Flow Obfuscation Using Android Runtime (ART)

Code obfuscation is a technique that makes it difficult for code analyzers to understand a program by transforming its structures or operations while maintaining its original functionality. Android app developers often employ obfuscation techniques to protect business logic and core algorithm inside their app against reverse engineering attacks. On the other hand, malicious app writers also use obfuscation techniques to avoid being detected by anti-malware software. If malware analysts can mitigate the code obfuscation applied to malicious apps, they can analyze and detect the malicious apps more efficiently. This paper proposes a new tool, <italic>Deoptfuscator</italic>, to detect obfuscated an Android app and to restore the original source codes. <italic>Deoptfuscator</italic> detects an app control-flow obfuscated by <italic>DexGuard</italic> and tries to restore the original control-flows. <italic>Deoptfuscator</italic> deobfuscates in two steps: it determines whether an control-flow obfuscation technique is applied and then deobfuscates the obfuscated codes. Through experiments, we analyze how similar a deobfuscated app is to the original one and show that the obfuscated app can be effectively restored to the one similar to the original. We also show that the deobfuscated apps run normally.