Abstract
With the popularity of Android devices, mobile apps are prevalent in our daily life, making them a target for attackers seeking to steal private data and push advertisements. Dynamic analysis is an effective approach to detecting the runtime behavior of Android malware and can reduce the impact of code obfuscation. However, some dynamic sandboxes commonly used by researchers are based on emulators running older versions of Android, for example the state-of-the-art sandbox DroidBox. These sandboxes are vulnerable to evasion attacks and may not work with the latest apps. In this paper, we propose a prototype framework, DroidHook, as a novel automated sandbox for Android malware dynamic analysis. Unlike most existing tools, DroidHook has two clear advantages. Firstly, the set of APIs monitored by DroidHook can be easily modified, so DroidHook is suitable for diverse situations, including the detection of a specific malware family and of unknown malware. Secondly, DroidHook does not depend on a specific Android OS but only on Xposed, so it works with multiple Android versions and runs normally on both emulators and real devices. Experiments show that DroidHook provides more fine-grained and precise results than DroidBox. Moreover, with its support for real devices and new versions of Android, DroidHook can run most samples properly and achieves stronger detection results than emulator-based tools.
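As an added illustration (not DroidHook's own code), the following minimal Xposed module realises the two properties the abstract names: the monitored API set is read from an editable list rather than compiled in, and only the Xposed hooking API is used, so nothing in it is tied to one Android version. The list path, its entry format, the sample's package name and the class name are assumptions made for the example.

```java
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import java.io.*;
import java.util.*;

// Hypothetical Xposed module: hooks every API named in a text file and logs each call made by the sample.
public class ApiMonitor implements IXposedHookLoadPackage {
    // Assumed (world-readable) path of the monitored-API list, pushed to the device before analysis; one entry per line, e.g.
    //   android.telephony.SmsManager#sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)
    private static final String API_LIST = "/data/local/tmp/monitored_apis.txt";
    private static final String TARGET_PKG = "com.example.sample"; // package name of the sample under analysis (assumed)

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) {
        if (!TARGET_PKG.equals(lpparam.packageName)) return; // only instrument the sample's own process
        for (String entry : readApiList()) installHook(lpparam, entry);
    }

    // entry format: <class>#<method>(<comma-separated parameter class names>)
    private static void installHook(final LoadPackageParam lpparam, String entry) {
        int hash = entry.indexOf('#'), paren = entry.indexOf('(');
        if (hash < 0 || paren < hash || !entry.endsWith(")")) { XposedBridge.log("bad entry: " + entry); return; }
        final String cls = entry.substring(0, hash), method = entry.substring(hash + 1, paren);
        String params = entry.substring(paren + 1, entry.length() - 1).trim();
        List<Object> args = new ArrayList<>();
        if (!params.isEmpty()) args.addAll(Arrays.asList(params.split("\\s*,\\s*"))); // Xposed resolves String type names
        args.add(new XC_MethodHook() {
            @Override protected void afterHookedMethod(MethodHookParam p) {
                // One log line per call: package, API, arguments, return value; the analyst correlates these into a report.
                XposedBridge.log(String.format("[%s] %s.%s args=%s ret=%s", lpparam.packageName, cls, method,
                        Arrays.deepToString(p.args), p.getResult()));
            }
        });
        try {
            XposedHelpers.findAndHookMethod(cls, lpparam.classLoader, method, args.toArray());
        } catch (Throwable t) { // API absent on this Android version: record it and keep installing the rest of the list
            XposedBridge.log("hook failed for " + entry + ": " + t);
        }
    }

    private static List<String> readApiList() {
        List<String> out = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader(API_LIST))) {
            for (String line; (line = r.readLine()) != null; )
                if (!line.trim().isEmpty() && !line.startsWith("//")) out.add(line.trim());
        } catch (IOException e) { XposedBridge.log("cannot read " + API_LIST + ": " + e); }
        return out;
    }
}
```

Changing which behaviours the sandbox records is then a matter of editing the list file, and a hook that fails on one Android release is logged instead of aborting the whole run.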
Acknowledgements
The authors would like to thank the anonymous reviewers for their insightful comments and suggestions.
Contributions
YC wrote the original manuscript text. YS and ZL reviewed and edited the final version of the manuscript. All authors prepared and conducted experiments.
Ethics declarations
Conflict of interest
The authors declare no competing interests.
About this article
Cite this article
Cui, Y., Sun, Y. & Lin, Z. DroidHook: a novel API-hook based Android malware dynamic analysis sandbox. Autom Softw Eng 30, 10 (2023). https://doi.org/10.1007/s10515-023-00378-w