
STDNeut: Neutralizing Sensor, Telephony System and Device State Information on Emulated Android Environments

  • Conference paper
Cryptology and Network Security (CANS 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12579)

Abstract

Sophisticated malware employs various emulation-detection techniques to bypass dynamic analysis systems that run on top of virtualized environments. Hence, emulation-based analysis platforms need a defense mechanism that mitigates the emulation-detection strategies adopted by malware. In this paper, we first design an emulation-detection library with configurable capabilities, ranging from basic to advanced detection techniques such as distributed detection and GPS information. We use this library to arm several existing malware samples with different levels of emulation-detection capability and study the efficacy of the anti-emulation-detection measures of well-known emulator-driven dynamic analysis frameworks. Furthermore, we propose STDNeut (Sensor, Telephony system, and Device state information Neutralizer) – a configurable anti-emulation-detection mechanism that defends against basic as well as advanced emulation-detection techniques, regardless of which layer of the Android OS the attack is performed on. Finally, we perform various experiments to show the effectiveness of STDNeut. Experimental results show that STDNeut can effectively execute malware without being detected as an emulated platform.

Acknowledgements

We thank our shepherd Matthias Wählisch and all the anonymous reviewers for their helpful comments and suggestions. This work is supported by Visvesvaraya Ph.D. Fellowship grant MEITY-PHD-999.

Correspondence to Saurabh Kumar.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Kumar, S., Mishra, D., Panda, B., Shukla, S.K. (2020). STDNeut: Neutralizing Sensor, Telephony System and Device State Information on Emulated Android Environments. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science, vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_5

  • DOI: https://doi.org/10.1007/978-3-030-65411-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65410-8

  • Online ISBN: 978-3-030-65411-5

  • eBook Packages: Computer Science (R0)
