Proteus: Detecting Android Emulators from Instruction-Level Profiles

The popularity of Android and the personal information stored on these devices attract the attention of regular cyber-criminals as well as nation-state adversaries who develop malware that targets this platform. To identify malicious Android apps at scale (e.g., Google Play contains 3.7M apps), state-of-the-art mobile malware analysis systems inspect the execution of apps in emulation-based sandboxes. An emerging class of evasive Android malware, however, can evade detection by such analysis systems by ceasing malicious activities if an emulation sandbox is detected. Thus, systematically uncovering potential methods to detect emulated environments is crucial to stay ahead of adversaries. This work uncovers detection methods based on discrepancies in instruction-level behavior between software-based emulators and the real ARM CPUs that power the vast majority of Android devices. To systematically discover such discrepancies at scale, we propose the Proteus system. Proteus performs large-scale collection of application execution traces (i.e., registers and memory) as they run on an emulator and on accurate software models of ARM CPUs. Proteus automatically identifies the instructions that cause divergent behavior between emulated and real CPUs and, on a set of 500K test programs, identified 28K divergent instances. By inspecting these instances, we reveal 3 major classes of root causes that are responsible for these discrepancies. We show that some of these root causes can be easily fixed without introducing observable performance degradation in the emulator. Thus, we have submitted patches to improve the resilience of Android emulators against evasive malware.
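The abstract describes the core of the approach: run the same program on an emulator and on a reference CPU model, record register and memory state after each instruction, and flag the instructions where the two traces disagree. The following is an added example of such a differential trace comparison, written for this page and not taken from the Proteus system; the trace format, the `Step` record, and the sample traces (including the `hypothetical_op` mnemonic that is made to diverge) are constructed for illustration and do not describe any real ARM instruction or emulator defect. It also handles the two failure modes a practitioner hits in practice: control-flow divergence (after which register comparison is meaningless) and one trace ending early.

```python
"""Differential comparison of two instruction-level traces (reference CPU model
vs. emulator). Added example; the trace data below is constructed, not measured."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Step:
    """Architectural state observed after one instruction retired."""
    pc: int                      # address of the instruction that produced this state
    mnemonic: str                # disassembly text, used only for reporting
    regs: Dict[str, int]         # register name -> value after the instruction
    mem: Dict[int, int] = field(default_factory=dict)  # address -> byte written


def diff_steps(ref: Step, emu: Step) -> List[dict]:
    """Compare one reference step against one emulator step.

    Returns a list of divergence records (empty when the two agree). A PC
    mismatch is reported alone, because once control flow differs the two
    register files no longer describe the same instruction.
    """
    if ref.pc != emu.pc:
        return [{"pc": ref.pc, "mnemonic": ref.mnemonic, "kind": "control_flow",
                 "detail": {"pc": (ref.pc, emu.pc)}}]
    out = []
    reg_diff = {r: (ref.regs.get(r), emu.regs.get(r))
                for r in sorted(set(ref.regs) | set(emu.regs))
                if ref.regs.get(r) != emu.regs.get(r)}
    if reg_diff:
        out.append({"pc": ref.pc, "mnemonic": ref.mnemonic,
                    "kind": "register", "detail": reg_diff})
    mem_diff = {a: (ref.mem.get(a), emu.mem.get(a))
                for a in sorted(set(ref.mem) | set(emu.mem))
                if ref.mem.get(a) != emu.mem.get(a)}
    if mem_diff:
        out.append({"pc": ref.pc, "mnemonic": ref.mnemonic,
                    "kind": "memory", "detail": mem_diff})
    return out


def diff_traces(ref: List[Step], emu: List[Step]) -> List[dict]:
    """Walk both traces in lock-step and collect every divergence.

    Stops at the first control-flow divergence; if one trace simply ends
    early (e.g. the emulator faulted), that is reported as a 'length' record
    at the first instruction the shorter trace is missing.
    """
    divergences: List[dict] = []
    for r, e in zip(ref, emu):
        found = diff_steps(r, e)
        divergences.extend(found)
        if any(d["kind"] == "control_flow" for d in found):
            return divergences
    if len(ref) != len(emu):
        n = min(len(ref), len(emu))
        nxt = ref[n] if len(ref) > n else emu[n]
        divergences.append({"pc": nxt.pc, "mnemonic": nxt.mnemonic, "kind": "length",
                            "detail": {"steps": (len(ref), len(emu))}})
    return divergences


def summarize(divergences: List[dict]) -> Counter:
    """Aggregate divergences by (kind, opcode) so root causes can be triaged."""
    return Counter((d["kind"], d["mnemonic"].split()[0]) for d in divergences)


# Constructed sample traces: three instructions, identical except that the
# (hypothetical, illustrative) third instruction sets a flag bit in cpsr on the
# reference model but leaves it clear on the emulator.
REF_TRACE = [
    Step(0x1000, "add r0, r1, r2", {"r0": 3, "r1": 1, "r2": 2, "cpsr": 0x0}),
    Step(0x1004, "str r0, [r3]", {"r0": 3, "r1": 1, "r2": 2, "r3": 0x2000, "cpsr": 0x0},
         {0x2000: 3}),
    Step(0x1008, "hypothetical_op r0",
         {"r0": 3, "r1": 1, "r2": 2, "r3": 0x2000, "cpsr": 0x20000000}),
]
EMU_TRACE = [
    REF_TRACE[0],
    REF_TRACE[1],
    Step(0x1008, "hypothetical_op r0",
         {"r0": 3, "r1": 1, "r2": 2, "r3": 0x2000, "cpsr": 0x0}),
]

if __name__ == "__main__":
    for d in diff_traces(REF_TRACE, EMU_TRACE):
        print(f"{d['pc']:#x} {d['mnemonic']}: {d['kind']} {d['detail']}")
    print(summarize(diff_traces(REF_TRACE, EMU_TRACE)))
```

Aggregating by opcode is what turns thousands of individual divergent instances into a short list of root causes to inspect and patch in the emulator; the per-instance records keep the exact register or memory values so a fix can be verified by re-running the same trace pair.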
