Skip to main content
SpringerLink
Log in
Book cover

International Symposium on Research in Attacks, Intrusions, and Defenses

RAID 2018: Research in Attacks, Intrusions, and Defenses pp 3–24Cite as

Proteus: Detecting Android Emulators from Instruction-Level Profiles

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11050))

Abstract

The popularity of Android and the personal information stored on these devices attract the attention of regular cyber-criminals as well as nation state adversaries who develop malware that targets this platform. To identify malicious Android apps at a scale (e.g., Google Play contains 3.7M Apps), state-of-the-art mobile malware analysis systems inspect the execution of apps in emulation-based sandboxes. An emerging class of evasive Android malware, however, can evade detection by such analysis systems through ceasing malicious activities if an emulation sandbox is detected. Thus, systematically uncovering potential methods to detect emulated environments is crucial to stay ahead of adversaries. This work uncovers the detection methods based on discrepancies in instruction-level behavior between software-based emulators and real ARM CPUs that power the vast majority of Android devices. To systematically discover such discrepancies at scale, we propose the Proteus system. Proteus performs large-scale collection of application execution traces (i.e., registers and memory) as they run on an emulator and on accurate software models of ARM CPUs. Proteus automatically identifies the instructions that cause divergent behavior between emulated and real CPUs and, on a set of 500K test programs, identified 28K divergent instances. By inspecting these instances, we reveal 3 major classes of root causes that are responsible for these discrepancies. We show that some of these root causes can be easily fixed without introducing observable performance degradation in the emulator. Thus, we have submitted patches to improve resilience of Android emulators against evasive malware.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We have eliminated several root causes as part of our work and have already submitted a patch.

  2. 2.

    https://android.googlesource.com/platform/external/qemu-android/+/qemu-2.7.0.

References

  1. Analyzing Xavier: An Information-Stealing Ad Library on Android. https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-xavier-information-stealing-ad-library-android/

  2. Android Native Development Kit (NDK). https://developer.android.com/ndk/guides/index.html

  3. ARM Fast Models. https://developer.arm.com/products/system-design/fast-models

  4. ARMv7-A/R Architecture Reference Manual. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0406c/index.html

  5. Exploration Tools, A-Profile Architectures. https://developer.arm.com/products/architecture/a-profile/exploration-tools

  6. Google has 2 billion users on Android. https://techcrunch.com/2017/05/17/google-has-2-billion-users-on-android-500m-on-google-photos/

  7. Grabos Malware. https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/grabos-malware/

  8. NetWinder Floating Point Notes. http://netwinder.osuosl.org/users/s/scottb/public_html/notes/FP-Notes-all.html

  9. Number of Android applications. https://www.appbrain.com/stats/number-of-android-apps

  10. QEMU emulation detection. https://wiki.koeln.ccc.de/images/d/d5/Openchaos_qemudetect.pdf

  11. Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS (2010). http://www.eurecom.fr/publication/3022

  12. Bordoni, L., Conti, M., Spolaor, R.: Mirage: toward a stealthier and modular malware analysis sandbox for android. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 278–296. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66402-6_17

    Chapter  Google Scholar 

  13. Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but not academical overview of malware anti-debugging, anti-disassembly and Anti-VM technologies. In: BlackHat (2012)

    Google Scholar 

  14. Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. (CSUR) 44(2), 6:1–6:42 (2008). https://doi.org/10.1145/2089125.2089126

    Article  Google Scholar 

  15. Fox, A.: Directions in ISA specification. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 338–344. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32347-8_23

    Chapter  Google Scholar 

  16. Guthaus, M.R., Ringenberg, J.S., Ernst, D., Austin, T.M., Mudge, T., Brown, R.B.: MiBench: a free, commercially representative embedded benchmark suite. In: IEEE International Workshop on Workload Characterization (IISWC) (2001)

    Google Scholar 

  17. Jing, Y., Zhao, Z., Ahn, G.J., Hu, H.: Morpheus: automatically generating heuristics to detect android mulators. In: Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), pp. 216–225. ACM (2014). https://doi.org/10.1145/2664243.2664250

  18. Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_18

    Chapter  Google Scholar 

  19. Liu, L., Gu, Y., Li, Q., Su, P.: RealDroid: large-scale evasive malware detection on “real devices”. In: 26th International Conference on Computer Communication and Networks (ICCCN), pp. 1–8, July 2017. https://doi.org/10.1109/ICCCN.2017.8038419

  20. Martignoni, L., McCamant, S., Poosankam, P., Song, D., Maniatis, P.: Path-exploration lifting: hi-fi tests for lo-fi emulators. In: International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pp. 337–348. ACM, New York (2012). https://doi.org/10.1145/2150976.2151012

  21. Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing CPU emulators. In: International Symposium on Software Testing and Analysis (ISSTA) (2009). https://doi.org/10.1145/1572272.1572303

  22. Mutti, S., et al.: Baredroid: large-scale analysis of android apps on real devices. In: Annual Computer Security Applications Conference, ACSAC (2015). https://doi.org/10.1145/2818000.2818036

  23. Oberheide, J., Miller, C.: Dissecting the android bouncer. In: SummerCon (2012)

    Google Scholar 

  24. Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies (WOOT) (2009)

    Google Scholar 

  25. Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: European Workshop on System Security (EuroSec), pp. 5:1–5:6 (2014). https://doi.org/10.1145/2592791.2592796

  26. Poeplau, S., Fratantonio, Y., Bianchi, A., Kruegel, C., Vigna, G.: Execute this! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. In: Network and Distributed System Security Symposium (NDSS) (2014)

    Google Scholar 

  27. Shi, H., Alwabel, A., Mirkovic, J.: Cardinal pill testing of system virtual machines. In: 23rd USENIX Conference on Security Symposium (2014)

    Google Scholar 

  28. Tam, K., Khan, S.J., Fattori, A., Cavallaro, L.: Copperdroid: Automatic reconstruction of android malware behaviors. In: NDSS (2015)

    Google Scholar 

  29. Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS), pp. 447–458. ACM (2014). https://doi.org/10.1145/2590296.2590325

  30. Yan, L.K., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: 21st USENIX Security Symposium, Bellevue, WA, pp. 569–584. USENIX (2012). https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/yan

Download references

Acknowledgement

This work was supported by the Office of Naval Research under grants N00014-15-1-2948 and N00014-17-1-2011. We would also like to thank Arm for providing us access to the Fast Models used in this work. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect those of the sponsor.

Author information

Authors and Affiliations

  1. Boston University, Boston, MA, 02215, USA

    Onur Sahin, Ayse K. Coskun & Manuel Egele

Authors
  1. Onur Sahin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ayse K. Coskun
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Manuel Egele
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Onur Sahin .

Editor information

Editors and Affiliations

  1. University of Illinois at Urbana-Champaign, Urbana, IL, USA

    Michael Bailey

  2. Ruhr-Universität Bochum, Bochum, Germany

    Thorsten Holz

  3. Vrije Universiteit Amsterdam, Amsterdam, The Netherlands

    Manolis Stamatogiannakis

  4. Foundation for Research & Technology – Hellas, Heraklion, Crete, Greece

    Sotiris Ioannidis

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Sahin, O., Coskun, A.K., Egele, M. (2018). Proteus: Detecting Android Emulators from Instruction-Level Profiles. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation