Abstract
Sophisticated malware employs various emulation-detection techniques to bypass dynamic analysis systems that run on top of virtualized environments. Hence, emulation-based analysis platforms need a defense mechanism that mitigates the emulation-detection strategies adopted by malware. In this paper, we first design an emulation-detection library with configurable capabilities ranging from basic checks to advanced techniques such as distributed detection and GPS information. We use this library to arm several existing malware samples with different levels of emulation-detection capability and study the efficacy of the anti-emulation-detection measures of well-known emulator-driven dynamic analysis frameworks. Furthermore, we propose STDNeut (Sensor, Telephony system, and Device state information Neutralizer), a configurable anti-emulation-detection mechanism that defends against basic as well as advanced emulation-detection techniques regardless of the Android OS layer at which the detection is performed. Finally, we perform various experiments to show the effectiveness of STDNeut. Experimental results show that STDNeut can execute malware without the platform being detected as emulated.
Acknowledgements
We thank our shepherd Matthias Wählisch and all the anonymous reviewers for their helpful comments and suggestions. This work is supported by Visvesvaraya Ph.D. Fellowship grant MEITY-PHD-999.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kumar, S., Mishra, D., Panda, B., Shukla, S.K. (2020). STDNeut: Neutralizing Sensor, Telephony System and Device State Information on Emulated Android Environments. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science(), vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_5
DOI: https://doi.org/10.1007/978-3-030-65411-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65410-8
Online ISBN: 978-3-030-65411-5
eBook Packages: Computer Science, Computer Science (R0)