ABSTRACT
The large amount and diversity of malware have made it necessary for the security community to use automated dynamic analysis systems. These systems often rely on virtualization or emulation, and have only recently become available for processing mobile malware. In turn, malware authors seek to detect such systems and evade analysis. In this paper, we present techniques for detecting Android runtime analysis systems. We group our techniques into four broad classes, showing that such systems can be detected through differences in behavior, performance, and hardware and software components, as well as through artifacts resulting from analysis system design choices. We also evaluate our techniques against current publicly accessible systems, all of which are easily identified and can therefore be hindered by a motivated adversary. Our results reveal some fundamental limitations in the viability of dynamic mobile malware analysis platforms based purely on virtualization.
Index Terms
- Evading android runtime analysis via sandbox detection