Java Reflection is a feature of the Java programming language used to examine or modify the runtime behavior of applications running in the Java Virtual Machine. Because Reflection changes runtime behavior so that execution departs from the direction indicated by the original code, the code cannot be followed in the normal way.
With Java Reflection, class information can be acquired dynamically and classes can be loaded at run time. A ClassLoader is given a file path containing classes as its parameter, an object is created from it, and the classes or methods loaded by that ClassLoader are invoked dynamically. This technique is called the dynamic loading mechanism.
Malicious applications use this mechanism to hide code written for a malicious purpose, so analysts must extract the file containing the malicious code and perform static analysis on it.
Android reverse engineering is the technique of extracting code by decompiling an Android Application Package (APK). Android Debug Bridge (ADB) can extract an APK easily, and apktool can unpack it easily because the APK format is based on Zip.
When an APK is unpacked with apktool, it contains classes.dex, res, lib, assets, META-INF, and resources.arsc. The classes.dex file inside the APK is the Dalvik executable. This classes.dex file is converted with dex2jar, after which the code can be easily extracted with the JD-GUI tool.
Conversely, attackers extract the code by the same method and embed malicious code in order to attack. Apktool can easily repackage the modified code, and the repackaged APK file is distributed through a third party. The APK file is therefore easily vulnerable to reverse engineering, and through it an attack is carried out by embedding dynamic loading code in the APK.
Thus, the Android reverse engineering technique has the following problems: 1) difficulty in analyzing Java Reflection methods used at run time, and 2) difficulty in analyzing the file used by the dynamic loading mechanism through ClassLoader. These problems make analysis difficult and increase analysis time, because no accurate call graph is available during analysis.
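As an added illustration (not part of this paper), the following Python script scans the smali that apktool emits for the Reflection and ClassLoader call sites described above and recovers the string constants passed to them, which is the information an analyst needs to restore the call-graph edges that static decompilation loses. The smali fragment, the class name com.example.hidden.Loader and the register-tracking heuristic are constructed for this example.

```python
import re

# Smali call sites that indicate Java Reflection or dynamic class loading (real
# Android/Java signatures; the table is a starting point, not an exhaustive list).
SUSPECT_CALLS = {
    "Ljava/lang/Class;->forName": "reflection: class lookup",
    "Ljava/lang/Class;->getMethod": "reflection: method lookup",
    "Ljava/lang/reflect/Method;->invoke": "reflection: dynamic invoke",
    "Ldalvik/system/DexClassLoader;-><init>": "dynamic loading: DexClassLoader",
    "Ljava/lang/ClassLoader;->loadClass": "dynamic loading: loadClass",
}
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"(.*)"\s*$')
INVOKE = re.compile(r'^\s*invoke-\w+(?:/range)?\s+\{([^}]*)\},\s*(L[^;]+;->[^(]+)\(')

def scan_smali(text):
    """Return (line_no, api, description, hints) for every suspect call site; hints are
    the last const-string values held by the registers passed to the call."""
    regs, hits = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith(".method"):
            regs = {}  # string literals do not carry across method boundaries
            continue
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = INVOKE.match(line)
        if m and m.group(2) in SUSPECT_CALLS:
            args = [r.strip() for r in m.group(1).split(",")]
            hints = [regs[r] for r in args if r in regs]
            hits.append((no, m.group(2), SUSPECT_CALLS[m.group(2)], hints))
    return hits

# Constructed smali fragment in the shape apktool emits, used as sample input.
SAMPLE = """\
.method private start()V
    .locals 4
    const-string v0, "com.example.hidden.Loader"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    move-result-object v1
    const-string v2, "run"
    const/4 v3, 0x0
    invoke-virtual {v1, v2, v3}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v1
    invoke-virtual {v1, v3, v3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method
"""

if __name__ == "__main__":
    for no, api, desc, hints in scan_smali(SAMPLE):
        print(f"line {no}: {desc} via {api} hints={hints}")
```

Registers passed through `move-result-object` or `/range` call forms are not tracked, so a hit with an empty hint list still needs manual follow-up.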