DOI: 10.1145/2664243.2664250 (ACSAC conference proceedings, research article)

Morpheus: automatically generating heuristics to detect Android emulators

Published: 08 December 2014

Abstract

Emulator-based dynamic analysis has been widely deployed in Android application stores. While it has proven effective in vetting applications on a large scale, it can be detected and evaded by recent Android malware strains that carry detection heuristics. Using such heuristics, an application can check the presence or contents of certain artifacts and infer the presence of an emulator. However, little work exists that systematically discovers those heuristics, which would ultimately help prevent malicious applications from bypassing emulator-based analysis. To cope with this challenge, we propose a framework called Morpheus that automatically generates such heuristics. Morpheus leverages our insight that an effective detection heuristic must exploit discrepancies observable by an application. To this end, Morpheus analyzes the application sandbox and retrieves observable artifacts from both Android emulators and real devices. Afterwards, Morpheus further analyzes the retrieved artifacts to extract and rank detection heuristics. The evaluation of our proof-of-concept implementation of Morpheus reveals more than 10,000 novel detection heuristics that can be utilized to detect existing emulator-based malware analysis tools. We also discuss the discrepancies in Android emulators and potential countermeasures.

Published In

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
December 2014
492 pages
ISBN:9781450330053
DOI:10.1145/2664243

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android
  2. emulator
  3. malware

Qualifiers

  • Research-article

Conference

ACSAC '14: Annual Computer Security Applications Conference
December 8 - 12, 2014
New Orleans, Louisiana, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 41
  • Downloads (last 6 weeks): 2
Reflects downloads up to 01 Mar 2025

Cited By

  • (2025) Game Theoretic Approach Toward Detection of Input-Driven Evasive Malware in the IoT. Security and Privacy, 8(1). DOI: 10.1002/spy2.467. Online publication date: 12-Jan-2025
  • (2024) Exploring covert third-party identifiers through external storage in the android new era. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 4535-4552. DOI: 10.5555/3698900.3699154. Online publication date: 14-Aug-2024
  • (2024) Unmasking the Veiled: A Comprehensive Analysis of Android Evasive Malware. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 383-398. DOI: 10.1145/3634737.3637658. Online publication date: 1-Jul-2024
  • (2024) Reducing Malware Analysis Overhead With Coverings. IEEE Transactions on Dependable and Secure Computing, 21(4), pp. 4133-4146. DOI: 10.1109/TDSC.2023.3346328. Online publication date: Jul-2024
  • (2024) MCLB: Dynamic Load Balancing and Implications on GPU Memory Controllers. 2024 IEEE 37th International System-on-Chip Conference (SOCC), pp. 1-6. DOI: 10.1109/SOCC62300.2024.10737822. Online publication date: 16-Sep-2024
  • (2024) Android's Cat-and-Mouse Game: Understanding Evasion Techniques against Dynamic Analysis. 2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE), pp. 192-203. DOI: 10.1109/ISSRE62328.2024.00028. Online publication date: 28-Oct-2024
  • (2024) Towards Next-Generation Smart Sandboxes: Comprehensive Approach to Mobile Application Security. 2024 12th International Symposium on Digital Forensics and Security (ISDFS), pp. 1-6. DOI: 10.1109/ISDFS60797.2024.10527282. Online publication date: 29-Apr-2024
  • (2024) Dynamic Adversarial Method in Android Malware. Android Malware Detection and Adversarial Methods, pp. 129-150. DOI: 10.1007/978-981-97-1459-9_6. Online publication date: 4-Mar-2024
  • (2023) A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks. Information, 14(7), 374. DOI: 10.3390/info14070374. Online publication date: 30-Jun-2023
  • (2023) Demystifying Hidden Sensitive Operations in Android Apps. ACM Transactions on Software Engineering and Methodology, 32(2), pp. 1-30. DOI: 10.1145/3574158. Online publication date: 29-Mar-2023
