In an ecosystem full of potentially malicious apps, you need to be careful about the tools you use to analyze them. Without a full understanding of how the Android Dalvik VM or dex file interpreters actually work, it's easy for things to slip through the cracks. Based on learnings from the evolution of PC-based malware, it's clear that someone, somewhere will someday attempt to break the most commonly used tools for static and dynamic analysis of mobile malware. So we set out to see who was already breaking them and how, then, how we could break them more.
We've taken a deep dive into Android's dex file format that has yielded interesting results related to detection of post-compilation file modification. After deconstructing some of the intricacies of the dex file format, we turned our attention to dex file analysis tools themselves, analyzing how they parse and manage the dex format. Along the way we observed a number of easily exploitable functionality, documenting specifically why they fail and how to fix them. From this output we've developed a proof of concept tool - APKfuscator - that shows how to exploit these flaws. It's our hope that it can be a tool that helps everyone practice safe dex.