Code Reordering Obfuscation Technique Detection by Means of Weak Bisimulation
Mercaldo F.;Santone A.
2020-01-01
Abstract
As evidenced by the current literature in software security, current signature detection mechanisms can be easily evaded by attackers who simply apply trivial obfuscation techniques, usually with software engines able to automatically inject junk code into malicious applications. In fact, attackers employ code obfuscation techniques to generate several (undetected) variants of one malicious sample, making its signature obsolete. Considering that signature definition is a laborious process performed manually by security analysts, in this paper we propose a method, exploiting weak bisimulation, to detect whether an Android application has been modified by means of the code reordering obfuscation technique. We present an experimental analysis performed on a real-world dataset of Android applications (obfuscated and not obfuscated), reaching interesting results in the detection of the code reordering obfuscation technique.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.