A robust dynamic analysis system preventing SandBox detection by Android malware

Gajrani, Jyoti; Sarswat, Jitendra; Tripathi, Meenakshi; Laxmi, Vijay; Gaur, Manoj Singh; Conti, Mauro

doi:10.1145/2799979.2800004

Cited by 25 publications

(9 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“… – Anti-emulation Detection Anti-emulation evasions consist of VMA and PID evasion techniques; the following is the insight of detection framework analysis: – VMA Evasion Detection: As a countermeasure for the VMA evasion technique, researchers ( David & Netanyahu, 2015 ; Mutti et al, 2015 ) equip an emulator sandbox with physical devices to dynamically run the application analyzes. Dietzel (2014) , Gajrani et al (2015) , and Hu & Xiao (2014) propose a fake response agent, which feeds the in the dynamic analysis based testing and a masquerade emulator as a physical device. In late 2015 and the beginning of 2016, several studies analyze the nature of anti-emulation malware with false values about the environment request.…”

Section: Evaluation Of Evasion Detection Frameworkmentioning

confidence: 99%

The rise of obfuscated Android malware and impacts on detection methods

Elsersy¹,

Feizollah²,

Anuar³

2022

PeerJ Computer Science

View full text Add to dashboard Cite

The various application markets are facing an exponential growth of Android malware. Every day, thousands of new Android malware applications emerge. Android malware hackers adopt reverse engineering and repackage benign applications with their malicious code. Therefore, Android applications developers tend to use state-of-the-art obfuscation techniques to mitigate the risk of application plagiarism. The malware authors adopt the obfuscation and transformation techniques to defeat the anti-malware detections, which this paper refers to as evasions. Malware authors use obfuscation techniques to generate new malware variants from the same malicious code. The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques. This study reviews the state-of-the-art evasion tools and techniques. The study criticizes the existing research gap of detection in the latest Android malware detection frameworks and challenges the classification performance against various evasion techniques. The study concludes the research gaps in evaluating the current Android malware detection framework robustness against state-of-the-art evasion techniques. The study concludes the recent Android malware detection-related issues and lessons learned which require researchers’ attention in the future.

show abstract

Section: Evaluation Of Evasion Detection Frameworkmentioning

confidence: 99%

The rise of obfuscated Android malware and impacts on detection methods

Elsersy¹,

Feizollah²,

Anuar³

2022

PeerJ Computer Science

View full text Add to dashboard Cite

show abstract

“…Hardened sandboxes are ones that are not so easily bypassed. Gajrani et al [11] took this threat into account, and set out to develop techniques that help malware analysts build a hardened sandbox analysis environment by identifying commonly used sandbox detecting techniques and patching them by applying emulator modifications, system image modifications, and by applying runtime hooks. Another sandbox hardening approach involves the use of bare-metal devices which drops the need of emulation altogether.…”

Section: Sandbox Hardeningmentioning

confidence: 99%

“…Sandbox hardening can be applied to different components of a sandbox. One approach involves the modification of emulator properties [11]. Certain properties are easy to modify, however others are not modifiable out of the box and require hardware emulation tweaking.…”

Section: Sandbox Hardeningmentioning

confidence: 99%

AndroNeo: Hardening Android Malware Sandboxes by Predicting Evasion Heuristics

Leguesse

Vella

Ellul

2018

Information Security Theory and Practice

View full text Add to dashboard Cite

Sophisticated Android malware families often implement techniques aimed at avoiding detection. Split personality malware for example, behaves benignly when it detects that it is running on an analysis environment such as a malware sandbox, and maliciously when running on a real user's device. These kind of techniques are problematic for malware analysts, often rendering them unable to detect or understand the malicious behaviour. This is where sandbox hardening comes into play. In our work, we exploit sandbox detecting heuristic prediction to predict and automatically generate bytecode patches, in order to disable the malware's ability to detect a malware sandbox. Through the development of AndroNeo, we demonstrate the feasibility of our approach by showing that the heuristic prediction basis is a solid starting point to build upon, and demonstrating that when heuristic prediction is followed by bytecode patch generation, split personality can be defeated.

show abstract

“…This enables the possibility of hooking method calls and injecting custom code to manipulate the application's behaviors. For instance, Gajrani et al [18] use this framework to hide their emulator from being detected by advanced malware. ARTDroid [19] is another work targeting ART Runtime that enables sandbox to analyze apps without being evaded.…”

Section: Android Hookingmentioning

confidence: 99%

Android Rooting: An Arms Race between Evasion and Detection

Nguyen-Vu

Chau

Kang

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

We present an arms race between rooting detection and rooting evasion. We investigate different methods to detect rooted device at both Java and native level and evaluate the counterattack from major hooking tools. To this end, an extensive study of Android rooting has been conducted, which includes the techniques to root the device and make it invisible to the detection of mobile antimalware product. We then analyze the evasion loopholes and in turn enhance our rooting detection tool. We also apply evasion techniques on rooted device and compare our work with 92 popular root checking applications and 18 banking and finance applications. Results show that most of them do not suffice and can be evaded through API hooking or static file renaming. Furthermore, over 28000 Android applications have been analyzed and evaluated in order to diagnose the characteristics of rooting in recent years. Our study shows that rooting has become more and more prevalent as an inevitable trend, and it raises big security concerns regarding detection and evasion. As a proof of concept, we have published our rooting detection application to Google Play Store to demonstrate the work presented in this paper.

show abstract

A robust dynamic analysis system preventing SandBox detection by Android malware

Cited by 25 publications

References 7 publications

The rise of obfuscated Android malware and impacts on detection methods

The rise of obfuscated Android malware and impacts on detection methods

AndroNeo: Hardening Android Malware Sandboxes by Predicting Evasion Heuristics

Android Rooting: An Arms Race between Evasion and Detection

Contact Info

Product

Resources

About