AndroNeo: Hardening Android Malware Sandboxes by Predicting Evasion Heuristics

Sophisticated Android malware families often implement techniques aimed at avoiding detection. Split-personality malware, for example, behaves benignly when it detects that it is running in an analysis environment such as a malware sandbox, and maliciously when running on a real user's device. These kinds of techniques are problematic for malware analysts, who are often left unable to detect or understand the malicious behaviour. This is where sandbox hardening comes into play. In our work, we use the prediction of sandbox-detection heuristics to automatically generate bytecode patches that disable the malware's ability to detect a malware sandbox. Through the development of AndroNeo, we demonstrate the feasibility of our approach by showing that heuristic prediction is a solid basis to build upon, and that when heuristic prediction is followed by bytecode patch generation, split personality can be defeated.
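The abstract describes two stages: predicting which code implements a sandbox-detection heuristic, then generating bytecode patches that disable it. The Python sketch below is an added example and is not AndroNeo's code or anything taken from the paper. It runs over apktool-style smali, applies a constructed prediction rule (boolean-returning methods that read known environment-fingerprinting sources), and rewrites the reads those methods depend on into constant loads of real-device-looking values. The source table, the replacement constants, the regular expressions and the smali sample are all assumptions made for this example.

```python
"""Sandbox-hardening sketch: predict which smali methods act as sandbox-detection
heuristics, then patch the environment reads they depend on to real-device constants.
Added illustration, not AndroNeo's code; rule, tables and sample are constructed."""
import re
from dataclasses import dataclass, field

# Predicted heuristic sources (constructed): member references whose results are
# commonly compared against emulator-typical values, mapped to placeholder constants.
FIELD_SOURCES = {
    "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;":
        "example/device/device:11/RQ1A/1:user/release-keys",
}
METHOD_SOURCES = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;":
        "490154203237518",  # placeholder IMEI, not a real device
}
METHOD_RE = re.compile(r"^\.method(?:\s+\S+)*?\s+(\S+)\(([^)]*)\)(\S+)\s*$")
SGET_RE = re.compile(r"^(\s*)sget-object\s+([vp]\d+),\s*(L\S+)\s*$")
INVOKE_RE = re.compile(r"^(\s*)invoke-[a-z]+(?:/range)?\s+\{[^}]*\},\s*(L\S+)\s*$")
MOVE_RESULT_RE = re.compile(r"^(\s*)move-result-object\s+([vp]\d+)\s*$")


@dataclass
class Method:
    name: str
    ret: str    # smali return type; "Z" is boolean
    start: int  # index of the .method line
    end: int    # index of the .end method line
    sources: list = field(default_factory=list)


def split_methods(lines):
    # One pass over the smali, recording which predicted sources each method reads.
    methods, cur = [], None
    for i, line in enumerate(lines):
        m = METHOD_RE.match(line)
        if m:
            cur = Method(name=m.group(1), ret=m.group(3), start=i, end=i)
        elif cur is not None and line.strip() == ".end method":
            cur.end = i
            methods.append(cur)
            cur = None
        elif cur is not None:
            s, v = SGET_RE.match(line), INVOKE_RE.match(line)
            if s and s.group(3) in FIELD_SOURCES:
                cur.sources.append(s.group(3))
            if v and v.group(2) in METHOD_SOURCES:
                cur.sources.append(v.group(2))
    return methods


def predict_heuristics(lines):
    # Constructed rule: a boolean method reading any fingerprinting source is a heuristic.
    return [m for m in split_methods(lines) if m.ret == "Z" and m.sources]


def generate_patches(lines):
    """Return (patched lines, [(index, old, new)]). A field read becomes a const-string
    of the replacement; for a call, the invoke stays (Dalvik may discard a result) and
    the move-result-object that captured it becomes the const-string, so whatever
    comparison follows sees a real-device value regardless of how it is written."""
    out, patches = list(lines), []
    for meth in predict_heuristics(lines):
        for i in range(meth.start + 1, meth.end):
            s = SGET_RE.match(out[i])
            if s and s.group(3) in FIELD_SOURCES:
                new = f'{s.group(1)}const-string {s.group(2)}, "{FIELD_SOURCES[s.group(3)]}"'
                patches.append((i, out[i], new))
                out[i] = new
                continue
            v = INVOKE_RE.match(out[i])
            if v and v.group(2) in METHOD_SOURCES:
                j = i + 1
                while j < meth.end and not out[j].strip():  # baksmali emits blank lines
                    j += 1
                mr = MOVE_RESULT_RE.match(out[j]) if j < meth.end else None
                if mr:  # result captured: overwrite the register the check reads
                    new = f'{mr.group(1)}const-string {mr.group(2)}, "{METHOD_SOURCES[v.group(2)]}"'
                    patches.append((j, out[j], new))
                    out[j] = new
    return out, patches


# Constructed apktool-style smali: two boolean heuristics plus an ordinary getter
# that also reads Build.FINGERPRINT and must stay untouched.
SAMPLE_SMALI = """\
.method private isEmulator()Z
    sget-object v0, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
    const-string v1, "generic"
    invoke-virtual {v0, v1}, Ljava/lang/String;->startsWith(Ljava/lang/String;)Z
    move-result v0
    return v0
.end method
.method private hasZeroImei(Landroid/telephony/TelephonyManager;)Z
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    const-string v1, "000000000000000"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    return v0
.end method
.method public getLabel()Ljava/lang/String;
    sget-object v0, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
    return-object v0
.end method
"""

if __name__ == "__main__":
    for idx, old, new in generate_patches(SAMPLE_SMALI.splitlines())[1]:
        print(f"line {idx}:\n-{old}\n+{new}")
```

Two design choices matter for a sandbox hardener of this kind. Patching the read that feeds the heuristic, rather than the comparison or branch after it, keeps the patch valid whichever way the check is written (`startsWith`, `equals`, a regex, or a hash), and leaving the original `invoke` in place preserves control flow and register allocation so the patched method still verifies. The prediction rule here is deliberately crude; a boolean method that reads one fingerprinting field would be a weak signal in a real predictor, which would need richer features such as the constants compared against and how the result is consumed. Applying the patcher to its own output yields no further patches, which is a useful sanity check that the rewrite is idempotent.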
