Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Paul Irolla, Eric Filiol

Abstract

Android is the most widely used smartphone OS with 82.8% market share in 2015 (IDC, 2015). It is therefore the most widely targeted system by malware authors. Researchers rely on dynamic analysis to extract malware behaviors and often use emulators to do so. However, using emulators lead to new issues. Malware may detect emulation and as a result it does not execute the payload to prevent the analysis. Dealing with virtual device evasion is a never-ending war and comes with a non-negligible computation cost (Lindorfer et al., 2014). To overcome this state of affairs, we propose a system that does not use virtual devices for analysing malware behavior. Glassbox is a functional prototype for the dynamic analysis of malware applications. It executes applications on real devices in a monitored and controlled environment. It is a fully automated system that installs, tests and extracts features from the application for further analysis. We present the architecture of the platform and we compare it with existing Android dynamic analysis platforms. Lastly, we evaluate the capacity of Glassbox to trigger application behaviors by measuring the average coverage of basic blocks on the AndroCoverage dataset (AndroCoverage, 2016). We show that it executes on average 13.52% more basic blocks than the Monkey program.

References

  1. Afonso, V. M., de Amorim, M. F., Grégio, A. R. A., Junquera, G. B., and de Geus, P. L. (2015). Identifying android malware using dynamically obtained features. Journal of Computer Virology and Hacking Techniques, 11(1):9-17.
  2. AndroCoverage (2016). Androcoverage dataset. [Online] https://github.com/androcoverage/androcoverage.
  3. Bläsing, T., Batyuk, L., Schmidt, A. D., Camtepe, S. A., and Albayrak, S. (2010). An android application sandbox system for suspicious software detection. In Malicious and Unwanted Software (MALWARE), 5th International Conference on, pages 55-62.
  4. Burguera, I., Zurutuza, U., and Nadjm-Tehrani, S. (2011). Crowdroid: behavior-based malware detection system for android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pages 15-26. ACM.
  5. Canfora, G., Medvet, E., Mercaldo, F., and Visaggio, C. A. (2015). Detecting android malware using sequences of system calls. In Proceedings of the 3rd International Workshop on Software Development Lifecycle for Mobile, pages 13-20. ACM.
  6. Canfora, G., Medvet, E., Mercaldo, F., and Visaggio, C. A. (2016). Acquiring and analyzing app metrics for effective mobile malware detection. In Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics, pages 50-57. ACM.
  7. Choudhary, S. R., Gorla, A., and Orso, A. (2015). Automated test input generation for android: Are we there yet?(e). In Automated Software Engineering (ASE), 2015 30th IEEE/ACM International Conference on, pages 429-440. IEEE.
  8. Cornett, S. (1999). What is wrong with statement coverage. [Online] http://www.bullseye.com/statementCoverage.html.
  9. Dharmdasani, H. (2014). Android.hehe: Malware now disconnects phone calls. [Online] https://www.fireeye.com/blog/threatresearch/2014/01/android-hehe-malware-nowdisconnects-phone-calls.html.
  10. Dierks, T. and Allen, C. (1999). The tls protocol version 1.0. [Online] http://www.ietf.org/rfc/rfc2246.txt.
  11. Dimjas?evic, M., Atzeni, S., Ugrina, I., and Rakamaric, Z. (2016). Evaluation of android malware detection based on system calls. In Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics, pages 1-8. ACM.
  12. Filiol, E. and Irolla, P. (Black Hat Asia 2015). (in)security of mobile banking... and of other mobile apps.
  13. Hungenberg, T. and Eckert, M. (2013). Inetsim: Internet services simulation suite.
  14. IDC (2015). Smartphone os market share, 2015 q2. [Online] http://www.idc.com/prodserv/smartphoneos-market-share.jsp.
  15. JesusFreke (2009). Github - smali readme. [Online] https://github.com/JesusFreke/smali.
  16. Jing, Y., Zhao, Z., Ahn, G.-J., and Hu, H. (2014). Morpheus: automatically generating heuristics to detect android emulators. In Proceedings of the 30th Annual Computer Security Applications Conference, pages 216-225. ACM.
  17. Kojm, T. (2004). Clamav.
  18. Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., v. d. Veen, V., and Platzer, C. (2014). Andrubis - 1,000,000 apps later: A view on current android malware behaviors. In 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pages 3-17.
  19. Lockheimer, H. (2012). Android and security. [Online] http://googlemobile.blogspot.fr/2012/02/androidand-security.html.
  20. Mutti, S., Fratantonio, Y., Bianchi, A., Invernizzi, L., Corbetta, J., Kirat, D., Kruegel, C., and Vigna, G. (2015). Baredroid: Large-scale analysis of android apps on real devices. In Proceedings of the 31st Annual Computer Security Applications Conference, pages 71-80. ACM.
  21. Percoco and Nicholas, J. (2012). Adventures in bouncerland.
  22. pjlantz (2012). Droidbox - apimonitor.wiki. [Online] https://code.google.com/archive/p/droidbox/wikis/ APIMonitor.wiki.
  23. Rastogi, V., Chen, Y., and Enck, W. (2013). Appsplayground: automatic security analysis of smartphone applications. In Proceedings of the third ACM conference on Data and application security and privacy, pages 209-220. ACM.
  24. Sabanal, P. (2015). Hiding behind art.
  25. Schreiber, T. (2011). Android binder - android interprocess communication.
  26. Tam, K., Khan, S. J., Fattori, A., and Cavallaro, L. (2015). Copperdroid: Automatic reconstruction of android malware behaviors. In NDSS.
  27. Wong, M. Y. and Lie, D. (2016). Intellidroid: A targeted input generator for the dynamic analysis of android malware.
  28. Xia, M., Gong, L., Lyu, Y., Qi, Z., and Liu, X. (2015). Effective real-time android application auditing. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 899-914. IEEE.
  29. Yan, L. K. and Yin, H. (2012). Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), pages 569-584.
  30. Zhauniarovich, Y., Philippov, A., Gadyatskaya, O., Crispo, B., and Massacci, F. (2015). Towards black box testing of android apps. In 2015 Tenth International
  31. Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., and Zou, W. (2012). Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pages 93-104. ACM.
Download


Paper Citation


in Harvard Style

Irolla P. and Filiol E. (2017). Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 610-621. DOI: 10.5220/0006094006100621


in Bibtex Style

@conference{forse17,
author={Paul Irolla and Eric Filiol},
title={Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)},
year={2017},
pages={610-621},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006094006100621},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)
TI - Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices
SN - 978-989-758-209-7
AU - Irolla P.
AU - Filiol E.
PY - 2017
SP - 610
EP - 621
DO - 10.5220/0006094006100621