Recently, malicious Android applications have become more sophisticated in order to bypass existing analyses. For example, some malicious applications use a dynamic loading mechanism to hide their malicious code. When a dynamic loading mechanism is applied to a malicious application, the malicious activity is carried out through a dynamically generated file after the application runs. To this end, such applications encrypt the DEX file, JAR file or APK file, or delete the dynamically generated file immediately after it is downloaded from a C&C server. When analyzing a malicious application to which a dynamic loading mechanism is applied, extracting the file used in dynamic loading is an important factor.
However, if all files generated by the application are extracted in order to obtain the file used in dynamic loading, many files that are unnecessary for the actual analysis, such as cache files and data storage files, are extracted as well, so a mechanism for extracting only the files necessary for the actual analysis is needed. Moreover, in some instances, as described above, a file used in dynamic loading is deleted after the dynamic loading is processed, which impedes the analysis. Thus, an approach using network analysis was previously proposed, but it is difficult to acquire proper information with that approach, making it difficult to see what file has leaked.