Apkpecker, from Tencent Security's Keen Lab, recently launched an automated unpacking service to help security personnel conduct security audits more effectively. Large-scale tests have shown that Apkpecker has a success rate of more than 85%.

Unpacking mobile applications is the most basic operation in mobile application reverse engineering and malicious application analysis. It helps security personnel remove the packer (shell) code during mobile application security audits and virus analysis so that they can analyze the key code. Unpacking helps developers find security issues in application code in a timely manner and examine and detect malicious behavior. Enterprises, especially large ones, often need to adopt application security development and hardening services provided by third-party supply chain vendors, and security personnel need to verify the security of those services. Unpacking the mobile application is a necessary step.

Security personnel generally unpack applications manually. This is limited by the skill level of the individual researcher, and it involves a lot of repetitive work that consumes enterprise security manpower. However, the existing automatic unpacking tools on the market cannot handle hardening schemes based on DEX virtualization, and the vendor-customized interpreter regularly changes its opcode mapping table, so many automatic unpacking services fail to restore the DEX code completely and effectively.

Based on this insight and years of experience in security attack and defense research, Tencent Security Keen Lab launched an advanced automated unpacking scheme that supports recovery from common types of hardening such as DEX encryption and instruction extraction. Apkpecker also provides unpacking and recovery for vendors' DEX virtualization protection (DEX-VMP).

Once the vendor's bytecode format has been determined, Apkpecker uses AI to learn the runtime behavior of the opcode handlers in the vendor interpreter binary, so as to automatically recover the opcode semantics of the vendor interpreter, restore the original Dalvik bytecode, and rewrite the DEX file. The Apkpecker unpacking solution solves the difficulty of recognizing opcode handlers and automatically restores code protected by DEX-VMP, which improves the completeness and automation of unpacking. Large-scale tests have shown that Apkpecker has a success rate of more than 85%.



Figure: Apkpecker's results on instruction extraction and DEX-VMP

Apkpecker is a fully automatic Android application vulnerability scanning tool developed by Tencent Security Keen Lab. The system uses Android application life cycle modeling, application attack surface modeling, static data flow analysis and taint analysis to improve the accuracy of vulnerability detection. Apkpecker outputs high-quality vulnerability scan reports that provide high-quality vulnerability information and the complete vulnerability trigger path, accurately locate vulnerabilities and offer repair suggestions, helping mobile security personnel solve existing pain points and improve application security.

The online automatic APK unpacking service is also an upgrade of Apkpecker's overall capability. Apkpecker is committed to becoming a digital assistant for security researchers. With the help of Apkpecker, mobile application developers can effectively defend against various mobile application risks, establish product life-cycle security management from app development to user interaction, and carry out security risk detection and control, safeguarding the information and property security of users' mobile phones.