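% HARVESTER (NDSS 2016): automatic extraction of runtime values from obfuscated
% Android applications, combining program slicing, code generation and dynamic execution.
% The conference name is stored in booktitle only; the former journal field repeated it
% verbatim and does not belong on an inproceedings entry.
@inproceedings{harvester_ndss2016,
	author    = {Rasthofer, Siegfried and Arzt, Steven and Miltenberger, Marc and Bodden, Eric},
	title     = {Harvesting Runtime Values in {Android} Applications That Feature Anti-Analysis Techniques},
	booktitle = {2016 Network and Distributed System Security Symposium ({NDSS})},
	location  = {San Diego},
	year      = {2016},
	abstract  = {It is generally challenging to tell apart malware from benign applications. To make this
decision, human analysts are frequently interested in runtime values: targets of reflective method
calls, URLs to which data is sent, target telephone numbers of SMS messages, and many more. However,
obfuscation and string encryption, used by malware as well as goodware, often not only render human
inspections, but also static analyses ineffective. In addition, malware frequently tricks dynamic
analyses by detecting the execution environment emulated by the analysis tool and then refraining
from malicious behavior. In this work we therefore present HARVESTER, an approach to fully
automatically extract runtime values from Android applications. HARVESTER is designed to extract
values even from highly obfuscated state-of-the-art malware samples that obfuscate method calls
using reflection, hide sensitive values in native code, load code dynamically and apply
anti-analysis techniques. The approach combines program slicing with code generation and dynamic
execution. Experiments on 16,799 current malware samples show that HARVESTER fully automatically
extracts many sensitive values, with perfect precision. The process usually takes less than three
minutes and does not require human interaction. In particular, it goes without simulating UI inputs.
Two case studies further show that by integrating the extracted values back into the app, HARVESTER
can increase the recall of existing static and dynamic analysis tools such as FlowDroid and
TaintDroid.},
}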