Skip to main content

Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques


Smartphones in general and Android in particular are increasingly shifting into the focus of cyber criminals. For understanding the threat to security and privacy, it is important for security researchers to analyze malicious software written for these systems. The exploding number of Android malware calls for automation in the analysis. In this paper, we present Mobile-Sandbox, a system designed to automatically analyze Android applications in novel ways: First, it combines static and dynamic analysis, i.e., results of static analysis are used to guide dynamic analysis and extend coverage of executed code. Additionally, it uses specific techniques to log calls to native (i.e., “non-Java”) APIs, and last but not least it combines these results with machine-learning techniques to cluster the analyzed samples into benign and malicious ones. We evaluated the system on more than 69,000 applications from Asian third-party mobile markets and found that about 21 % of them actually use native calls in their code.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: Mining API-level features for robust malware detection in android. In: Proc. of International Conference on Security and Privacy in Communication Networks (SecureComm) (2013)

  2. Android Developers.: Using the Android emulator. Jan 2012

  3. Android Developers.: Android platform versions. Jan 2014

  4. Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: Drebin: Efficient and explainable detection of android malware in your pocket. In: Proc. of Network and Distributed System Security Symposium (NDSS) (2014)

  5. Bläsing, T., Batyuk, L., Schmidt, A.-D., Camtepe, S., Albayrak, S.: An android application sandbox system for suspicious software detection. In: Proc. of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)

  6. Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proc. of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (2011)

  7. Cristianini, N., Shawe-Taylor, J.: An Introduction to Support Vector Machines. Cambridge University Press, Cambridge (2000)

    Google Scholar 

  8. Department of Computer Science Friedrich-Alexander-University Erlangen-Nuremberg. Mobile-Sandbox. Jan 2012

  9. Desnos, A.: Androguard. Jan 2011

  10. Desnos, A., Gueguen, G.: Android: From reversing to decompilation. In: Proc. of Black Hat Abu Dhabi (2011)

  11. Echtler, F.: ltrace for Android.

  12. Enck, W., Gilbert, P., gon Chun, B., Cox, L. P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2010

  13. Felt, A., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM wWorkshop on Security and Privacy in Smartphones and Mobile Devices, pp. 3–14. ACM (2011)

  14. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proc. of the 18th ACM Conference on Computer and Communications Security (2011)

  15. Freke, J.: Smali—an disassembler for android’s dex format. Sept 2009

  16. Google Inc., Android SDK. Oct 2009

  17. Groves, R.M.: Research on survey data quality. Public Opin. Q. 51(2), 157–172 (1987)

    Google Scholar 

  18. Groves, R.M.: Survey Errors and Survey Costs. Wiley, New York (1989)

    Book  Google Scholar 

  19. Hispasec Sistemas S.L.: Virustotal malware intelligence services.

  20. Hispasec Sistemas S.L.: Virustotal public API.

  21. Lantz, P.: Droidbox—android application sandbox. Feb 2011

  22. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proc. of the 23rd Annual Computer Security Applications Conference (2007)

  23. Peng, H., Gates, C.S., Sarma, B.P., Li, N., Qi, Y., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Using probabilistic generative models for ranking risks of android apps. pp. 241–252 (2012)

  24. Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: ISC, pp. 1–18 (2007)

  25. Rieck, K.: Derrick—a simple network stream recorder. Jan 2012

  26. Salton, G., Wong, A., Yang, C.S.: A vector space model for automatic indexing. Commun. ACM 18(11), 613–620 (1975)

    Article  MATH  Google Scholar 

  27. Sarma, B.P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Android permissions: a perspective combining risks and benefits. In: Proc. of ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 13–22 (2012)

  28. Schmidt, A.-D., Bye, R., Schmidt, H.-G., Clausen, J., Kiraz, O., Yüksel, K., Camtepe, S., Sahin, A.: Static analysis of executables for collaborative malware detection on android. In: Proc. of the ICC Communication and Information Systems Security Symposium (2009)

  29. Six, J.: Application Security for the Android Platform: Processes, Permissions, and Other Safeguards. Oreilly & Assoc Inc, Sebastopol (2011)

    Google Scholar 

  30. Spreitzenbarth, M.: Current Android malware. Aug 2013

  31. Spreitzenbarth, M., Freiling, F.C.: Android Malware on the Rise. Technical Report CS-2012-04, Dept. of Computer Science, University of Erlangen-Nuremberg, April 2012

  32. The Debian Project. ltrace.;a=summary. Jan 2012

  33. Vienna University of Technology.: Andrubis—analysis of android apks. May 2012

  34. Willems, C., Freiling, F.C.: Reverse code engineering—state of the art and countermeasures. it-Information Technology, pp. 53–63 (2011)

  35. Willems, C., Holz, T., Freiling, F.C.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32–39 (2007)

    Article  Google Scholar 

  36. Xie, L., Zhang, X., Seifert, J.-P., Zhu, S.: pbmds: a behavior-based malware detection system for cellphone devices. In: Proc. of the Third ACM Conference on Wireless Network Security (2010)

  37. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proc. of the 33rd IEEE Symposium on Security and Privacy (Oakland 2012), May 2012

  38. Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious Apps in official and alternative Android markets. In: Proc. of the 19th Annual Symposium on Network and Distributed System Security (2012)

Download references


This work has been supported by the Federal Ministry of Education and Research (Grant 01BY1021 – MobWorm). We would also like to thank Felix Freiling, Konrad Rieck and Thorsten Holz for their valuable input and comments. Last but not least, we would like to thank the anonymous reviewers for proofreading our paper and for giving us helpful comments to improve this work.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Michael Spreitzenbarth.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Spreitzenbarth, M., Schreck, T., Echtler, F. et al. Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques. Int. J. Inf. Secur. 14, 141–153 (2015).

Download citation

  • Published:

  • Issue Date:

  • DOI:


  • Android
  • Malware
  • Automated analysis
  • Machine learning