Revealing malicious remote engineering attempts on Android apps with magic numbers

Ceccato, Mariano;
2019-01-01

Abstract

Malicious reverse engineering is a prominent activity conducted by attackers to plan their code tampering attacks. Android apps are particularly exposed to malicious reverse engineering, because their code can be easily analyzed and decompiled, or monitored using debugging tools that were originally meant to be used by developers. In this paper, we propose a solution to identify attempts of malicious reverse engineering on Android apps. Our approach is based on a series of periodic checks on the execution environment (i.e., Android components) and on the app itself. The check outcome is encoded into a Magic Number and sent to a server for validation. The owner of the app is then supposed to take countermeasures and react, by disconnecting or banning the apps under attack. Our empirical validation suggests that the execution overhead caused by our periodic checks is acceptable, because its resource consumption is compatible with the resources commonly available in smartphones.
2019
9781450377461
Remote attestation, Malicious reverse engineering, Code tampering
Files in this item:
File: SSPREW2019.pdf
Access: authorized users only
Type: Post-print document
License: Restricted access
Size: 681.94 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11562/1018423