DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS presented at BlackHatAsia 2015

by Jin-hyuk Jung, Jieun Lee

Summary: Android malware is becoming more complicated, using advanced code-protection technologies such as obfuscation, packing, bytecode injection, and method hiding. To defeat these, static and dynamic analysis tools such as IDA, Smali, and mobile sandboxes have been used. However, malware is smart enough to change its behavior at runtime or hide its intentions by detecting the running environment.
In this presentation, we introduce the first interactive Android binary debugger, DABiD (Dynamic Android Binary Debugger), which reveals the hidden claws of malware. DABiD is equipped with three key features. First, DABiD detects dynamic changes at runtime and reflects them on the fly. This feature enables analysts to confront dynamic code-modification technologies such as packing or bytecode injection. Secondly, DABiD monitors dynamically loaded classes and prepares them for debugging, so analysts do not need to dump or analyze newly loaded JARs or Dalvik executables manually. Thirdly, analysts are able to modify instructions to control execution flow or disable certain instructions, which makes debugging more effective. Alongside these advanced features, DABiD provides basic functions such as automatic setup for debugging, decoding Dalvik executables, setting breakpoints, and reading register data and stack frames. DABiD runs on a smartphone, and root permission is not required.