AppSpear: Automating the hidden-code extraction and reassembling of packed android malware

To address the unpacking challenge especially for Android packers with advanced code hiding strategies, in this paper we propose AppSpear, an automated unpacking system for both Dalvik and ART. AppSpear adopts a universal unpacking strategy that combines runtime instrumentation, interpreter-enforced execution, and executable reassembling to guarantee the hidden code is extracted and reconstructed as a complete executable. Our experimental evaluation with 530 packed samples shows that AppSpear is able to unpack protected code generated by latest versions of mainstream Android packers effectively.