Dynamic Analysis of Android Apps written with PhoneGap Cross-Platform Framework

Jaewoo Shim
Minjae Park
Seong-je Cho
Minkyu Park
Sangchul Han

Keywords

PhoneGap framework, Cross-platform, Android app, Dynamic analysis

Abstract

In this paper, we propose an effective technique for performing dynamic analysis of Android apps
written with the PhoneGap cross-platform framework. For a systematic study, we have written a malicious
Android app using the PhoneGap framework. We compare the structural differences between a
basic Android app (a native app) and the malicious Android app built in release mode with the
PhoneGap framework, and also analyze the malicious app dynamically. The proposed technique first copies
the web root directory of the target malicious app into a writable directory inside the smartphone.
When the app is executed, its web pages and JavaScript files are loaded from the copied directory
using dynamic instrumentation. Finally, we dynamically change the flag for WebView debugging
so that a remote debugger can successfully be attached to the app built in release mode. Using our
proposed technique, a malware analyst can debug, without repackaging, a malicious PhoneGap app built
in release mode, which cannot be debugged as-is with the Chrome remote debugger. The analyst can
also utilize the debugging features supported by the remote debugger. The technique allows the analyst
to bypass the repackaging detection method that malicious apps use to avoid antivirus detection.
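
The last two steps of the technique can be sketched for an analysis device as follows. This is an added example, not the authors' code: it assumes Frida's Java bridge as the instrumentation tool (the abstract names none), and `COPIED_ROOT`, `rewriteUrl` and `installHooks` are hypothetical names, with `PACKAGE_NAME` a placeholder for the app under analysis.

```javascript
// Added example; Frida's Java bridge is an assumed tool, not named by the paper.
'use strict';

// Web root of a PhoneGap/Cordova APK as seen by the WebView.
const ASSET_ROOT = 'file:///android_asset/www/';
// Placeholder: writable directory holding the analyst's copy of the web root.
const COPIED_ROOT = 'file:///data/data/PACKAGE_NAME/files/www_copy/';

// Map a URL under the packaged web root to the same path under the copy.
// Anything else (remote URLs, javascript: URLs, non-strings) is left alone.
function rewriteUrl(url, copiedRoot) {
  if (typeof url !== 'string' || !url.startsWith(ASSET_ROOT)) return url;
  return copiedRoot + url.slice(ASSET_ROOT.length);
}

// Install the hooks through a Frida-style bridge (passed in so it can be mocked).
function installHooks(bridge, copiedRoot) {
  bridge.perform(function () {
    const WebView = bridge.use('android.webkit.WebView');
    const loadUrl = WebView.loadUrl.overload('java.lang.String');
    loadUrl.implementation = function (url) {
      // The app calls loadUrl on its UI thread, so the static debugging flag
      // is set here, before the first page is loaded.
      WebView.setWebContentsDebuggingEnabled(true);
      // Relative sub-resources (scripts, CSS) resolve against the new base
      // URL, so they follow the rewritten top-level load.
      return this.loadUrl(rewriteUrl(url, copiedRoot));
    };
  });
}

// Only runs inside Frida, where the global `Java` bridge exists.
if (typeof Java !== 'undefined') installHooks(Java, COPIED_ROOT);
```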