Obfuscated Files or Information

An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.[1] [2] [3] [4]

ID: T1406

Tactic Type: Post-Adversary Device Access

Tactic: Defense Evasion

Platform: Android, iOS

MTC ID: APP-21

Version: 2.0

Mitigations

Mitigation | Description
Application Vetting

Application vetting techniques may be able to alert to the presence of obfuscated or encrypted code in applications, and such applications could have extra scrutiny applied. Unfortunately, this mitigation is likely impractical, as many legitimate applications apply code obfuscation or encryption to resist adversary techniques such as Repackaged Application. Dynamic analysis when used in application vetting may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.
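The static side of the vetting approach described above can be illustrated with a small scanner. The following is an added example, not part of this ATT&CK page and not MITRE's or any vendor's code. It opens an APK (a ZIP archive) and flags two kinds of entries: data files under assets/ or res/raw/ whose byte distribution is near-random (a signature of an encrypted payload such as the secondary APK BrainTest ships in its assets directory, or the encrypted DEX XLoader loads), and any entry outside the normal classes*.dex slots that carries DEX or ZIP magic (a plain embedded executable). The directory list, the 7.5 bits-per-byte threshold and the minimum file size are assumptions chosen for the example; the sample APK is constructed in memory so the script runs offline.

```python
import io
import math
import random
import zipfile

# Directories where an app legitimately ships data but where a hidden
# second-stage APK/DEX is commonly placed. Assumed values for this example.
SCRUTINY_DIRS = ("assets/", "res/raw/")
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is a perfectly uniform stream
MIN_SIZE = 512           # ignore tiny files, where entropy is noisy

# Magic bytes of Android executable containers.
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes: bytes) -> list:
    """Return one finding per suspicious entry in the APK (a ZIP archive).

    Two heuristics:
      * an entry under SCRUTINY_DIRS whose decompressed content has a
        near-random byte distribution (likely encrypted, or merely compressed
        media: this is a prompt for extra scrutiny, not a verdict);
      * an entry outside the standard classes*.dex slots that starts with
        DEX or ZIP magic, i.e. a plain embedded executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)  # decompressed content
            is_standard_dex = (
                name.startswith("classes") and name.endswith(".dex") and "/" not in name
            )
            if not is_standard_dex and data[:4] in (DEX_MAGIC, ZIP_MAGIC):
                findings.append({"entry": name, "reason": "embedded-executable"})
                continue
            if name.startswith(SCRUTINY_DIRS) and len(data) >= MIN_SIZE:
                h = shannon_entropy(data)
                if h >= ENTROPY_THRESHOLD:
                    findings.append(
                        {"entry": name, "reason": "high-entropy", "entropy": round(h, 2)}
                    )
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-like ZIP with benign and suspicious assets."""
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)  # normal main DEX
        zf.writestr("assets/strings.json", b'{"greeting": "hello"}' * 100)  # benign text
        zf.writestr("assets/payload.bin", encrypted_blob)  # stand-in for an encrypted second stage
        zf.writestr("assets/helper.jar", ZIP_MAGIC + b"\0" * 100)  # plain embedded archive
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Run as a script it prints one finding for assets/payload.bin (high entropy) and one for assets/helper.jar (embedded archive), while the benign JSON and the main classes.dex are not reported. As the mitigation text notes, the entropy heuristic alone cannot separate an encrypted payload from a PNG or an ordinary compressed asset, which is why a hit is best treated as a trigger for dynamic analysis rather than a decision on its own.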

Examples

Name | Description
BrainTest

BrainTest stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.[5]

Charger

Charger encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.[6]

OBAD

OBAD contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.[3]

RedDrop

RedDrop contains malicious embedded files, which are compiled to initiate the malicious functionality.[7]

WireLurker

WireLurker obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to hinder reverse engineering.[8]

XLoader

XLoader loads an encrypted DEX code payload.[9]

References