Empirical analysis on the use of dynamic code updates in android and its security implications
Ahmad, Maqsood;Crispo, Bruno;Gebremichael, Teklay Haileselassie
2016-01-01
Abstract
Dynamic code update techniques, such as reflection and dynamic class loading (DCL), enable an application (app) to change its behavior at runtime. These techniques are heavily used in Android apps for extensibility. However, malware developers misuse these techniques to conceal malicious functionality, bypass static analysis tools and expose the malicious functionality only when the app is installed and run on a user’s device. Although the use of these techniques alone may not be sufficient to bypass analysis tools, it is the use of reflection/DCL APIs with obfuscated parameters that makes the state-of-the-art static analysis tools for Android unable to infer the correct behavior of the app. To understand the current trends in real apps, it is important to perform a study on the sources of the parameters used in reflection/DCL APIs. In this paper, we describe how malicious apps bypass analysis tools using reflection/DCL with parameters provided by sources, such as network, files, encrypte...
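As an added illustration (not code from the paper), the following Python heuristic classifies the parameter of each reflection/DCL call site in a constructed Java fragment by its origin: a compile-time string literal that a static analyser can resolve, or a value that is decoded, read from a file or fetched from the network at runtime, which is the case the abstract identifies as defeating static analysis. The API list, the source hints, the single-line def-use tracking and the sample code are assumptions for illustration; a real analyser works on dex bytecode rather than source text.

```python
import re
# Reflection / DCL APIs whose first argument names the class, method or dex file (assumed list, not exhaustive).
CALL_RE = re.compile(
    r'(?P<api>Class\.forName|\.getDeclaredMethod|\.getMethod|\.loadClass'
    r'|new DexClassLoader|DexFile\.loadDex)\s*\(\s*(?P<arg>[^,)]*)')
# Single-line "String x = <expr>;" definitions, for a very simple def-use lookup.
ASSIGN_RE = re.compile(r'String\s+(\w+)\s*=\s*(.+?);')
# Hypothetical hints for where a runtime value originates; dict order is the priority.
SOURCE_HINTS = {
    "network": ("openConnection", "HttpURLConnection", "Socket"),
    "file": ("FileInputStream", "FileReader", "getFilesDir", "getAssets"),
    "decoded": ("Cipher", "decrypt", "Base64.decode"),
}

def classify_expr(expr, env, depth=0):
    """Return 'literal' for a string constant, otherwise the likely runtime source of the value."""
    expr = expr.strip()
    if re.fullmatch(r'"[^"]*"', expr):
        return "literal"
    if expr in env and depth < 16:          # follow a variable back to its definition
        return classify_expr(env[expr], env, depth + 1)
    for source, hints in SOURCE_HINTS.items():
        if any(h in expr for h in hints):
            return source
    return "unknown"

def scan(java_source):
    """Return (line number, API, parameter origin) for every reflection/DCL call site."""
    env, findings = {}, []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            env[m.group(1)] = m.group(2)
        for m in CALL_RE.finditer(line):
            api = m.group("api").replace("new ", "").lstrip(".")
            findings.append((lineno, api, classify_expr(m.group("arg"), env)))
    return findings

# Constructed Java fragment (not from any real app); the base64 blob and dex path are placeholders.
SAMPLE = """\
String fixed = "com.example.Plugin";
Class<?> a = Class.forName(fixed);
String blob = "Y29tLmV4YW1wbGUuSGlkZGVu";
String hidden = new String(Base64.decode(blob, 0));
Class<?> b = Class.forName(hidden);
String remote = new BufferedReader(new InputStreamReader(url.openConnection().getInputStream())).readLine();
Method m = b.getDeclaredMethod(remote);
String dex = getFilesDir() + "/payload.dex";
ClassLoader l = new DexClassLoader(dex, cache, null, getClassLoader());
"""
```

Only the first call site resolves to a literal; the other three are exactly the call sites where a purely static tool cannot know which class or method will be loaded, and so need dynamic analysis or instrumentation.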



