Recent years have seen the development of a multitude of tools for the security analysis of Android applications. A major deficit of current fully automated security analyses, however, is their inability to drive execution to interesting parts, such as where code is dynamically loaded or certain data is decrypted. In fact, security-critical or downright offensive code may not be reached at all by such analyses when dynamically checked conditions are not met by the analysis environment. To tackle this unsolved problem, we propose a tool combining static call path analysis with byte code instrumentation and a heuristic partial symbolic execution, which aims at executing interesting calls paths.
It can systematically locate potentially security-critical code sections and instrument applications such that execution of these sections can be observed in a dynamic analysis. Among other use cases, this can be leveraged to force applications into revealing dynamically loaded code, a simple yet effective way to circumvent detection by security analysis software such as the Google Play Store’s Bouncer. We illustrate the functionality of our tool by means of a simple logic bomb example and a real-life security vulnerability which is present in hunderd of apps and can still be actively exploited at this time.