DOI: 10.1145/2592791.2592796
Rage against the virtual machine: hindering dynamic analysis of Android malware

Published: 13 April 2014

Abstract

Antivirus companies, mobile application marketplaces, and the security research community employ techniques based on dynamic code analysis to detect and analyze mobile malware. In this paper, we present a broad range of anti-analysis techniques that malware can employ to evade dynamic analysis in emulated Android environments. Our detection heuristics span three different categories based on (i) static properties, (ii) dynamic sensor information, and (iii) VM-related intricacies of the Android Emulator. To assess the effectiveness of our techniques, we incorporated them in real malware samples and submitted them to publicly available Android dynamic analysis systems, with alarming results. We found all tools and services to be vulnerable to most of our evasion techniques. Even trivial techniques, such as checking the value of the IMEI, are enough to evade some of the existing dynamic analysis frameworks. We propose possible countermeasures to improve the resistance of current dynamic analysis tools against evasion attempts.

Published In

EuroSec '14: Proceedings of the Seventh European Workshop on System Security
April 2014
41 pages
ISBN:9781450327152
DOI:10.1145/2592791

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

EuroSys 2014
Sponsor: EuroSys 2014: Ninth Eurosys Conference 2014
April 13, 2014
Amsterdam, The Netherlands

Acceptance Rates

EuroSec '14 Paper Acceptance Rate: 6 of 14 submissions, 43%
Overall Acceptance Rate: 47 of 113 submissions, 42%

Cited By

  • (2025) Multimodal Deep Learning for Android Malware Classification. Machine Learning and Knowledge Extraction, 7(1):23. DOI: 10.3390/make7010023. Online publication date: 28 Feb 2025.
  • (2024) AndroLog: Android Instrumentation and Code Coverage Analysis. Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering, pp. 597-601. DOI: 10.1145/3663529.3663806. Online publication date: 10 Jul 2024.
  • (2024) Unmasking the Veiled: A Comprehensive Analysis of Android Evasive Malware. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 383-398. DOI: 10.1145/3634737.3637658. Online publication date: 1 Jul 2024.
  • (2024) DocFlow: Extracting Taint Specifications from Software Documentation. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-12. DOI: 10.1145/3597503.3623312. Online publication date: 20 May 2024.
  • (2024) Improving Logic Bomb Identification in Android Apps via Context-Aware Anomaly Detection. IEEE Transactions on Dependable and Secure Computing, pp. 1-18. DOI: 10.1109/TDSC.2024.3358979. Online publication date: 2024.
  • (2024) Android's Cat-and-Mouse Game: Understanding Evasion Techniques against Dynamic Analysis. 2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE), pp. 192-203. DOI: 10.1109/ISSRE62328.2024.00028. Online publication date: 28 Oct 2024.
  • (2024) Android malware defense through a hybrid multi-modal approach. Journal of Network and Computer Applications, 104035. DOI: 10.1016/j.jnca.2024.104035. Online publication date: Sep 2024.
  • (2024) Detection of Evasive Android Malware Using EigenGCN. Journal of Information Security and Applications, 86:C. DOI: 10.1016/j.jisa.2024.103880. Online publication date: 1 Nov 2024.
  • (2024) Dynamic Adversarial Method in Android Malware. Android Malware Detection and Adversarial Methods, pp. 129-150. DOI: 10.1007/978-981-97-1459-9_6. Online publication date: 4 Mar 2024.
  • (2024) Android Malware Detection Based on Novel Representations of Apps. Malware, pp. 197-212. DOI: 10.1007/978-3-031-66245-4_8. Online publication date: 5 Jul 2024.