Lumus: Dynamically Uncovering Evasive Android Applications

  • Vitor Afonso
  • Anatoli Kalysch
  • Tilo Müller
  • Daniela Oliveira
  • André GrégioEmail author
  • Paulo Lício de Geus
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11060)


Dynamic analysis of Android malware suffers from techniques that identify the analysis environment and prevent the malicious behavior from being observed. While there are many analysis solutions that can thwart evasive malware on Windows, the application of similar techniques for Android has not been studied in-depth. In this paper, we present Lumus, a novel technique to uncover evasive malware on Android. Lumus compares the execution traces of malware on bare metal and emulated environments. We used Lumus to analyze 1,470 Android malware samples and were able to uncover 192 evasive samples. Comparing our approach with other solutions yields better results in terms of accuracy and false positives. We discuss which information are typically used by evasive malware for detecting emulated environments, and conclude on how analysis sandboxes can be strengthened in the future.


  1. 1.
    Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: DREBIN: effective and explainable detection of Android malware in your pocket. In: NDSS (2014)Google Scholar
  2. 2.
    Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS (2010)Google Scholar
  3. 3.
    Busch, M., Protsenko, M., Müller, T.: A cloud-based compilation and hardening platform for Android apps. In: Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES). SBA Research, Reggio Calabria (2017)Google Scholar
  4. 4.
    Dresel, L., Protsenko, M., Müller, T.: Artist: the Android runtime instrumentation toolkit. In: Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES). SBA Research, Salzburg (2016)Google Scholar
  5. 5.
    Elish, K.O., Yao, D., Ryder, B.G.: User-centric dependence analysis for identifying malicious mobile apps. In: MOST (2012)Google Scholar
  6. 6.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day Android malware detection. In: MOBISYS (2012)Google Scholar
  7. 7.
    Guan, L., Jia, S., Chen, B., Zhang, F., Luo, B., Lin, J., Liu, P., Xing, X., Xia, L.: Supporting transparent snapshot for bare-metal malware analysis on mobile devices. In: Proceedings of the 33rd ACSAC, pp. 339–349. ACM (2017)Google Scholar
  8. 8.
    Haupert, V., Müller, T.: On app-based matrix code authentication in online banking. In: Furnell, S., Mori, P., Camp, O. (eds.) Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP), pp. 149–160. SciTePress, Funchal (2018)Google Scholar
  9. 9.
    Jing, Y., Zhao, Z., Ahn, G.J., Hu, H.: Morpheus: automatically generating heuristics to detect Android emulators. In: ACSAC (2014)Google Scholar
  10. 10.
    Kalysch, A., Götzfried, J., Müller, T.: VMAttack: deobfuscating virtualization-based packed binaries. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, p. 2. ACM (2017)Google Scholar
  11. 11.
    Kirat, D., Vigna, G.: MalGene: automatic extraction of malware analysis evasion signature. In: ACM CCS (2015)Google Scholar
  12. 12.
    Kirat, D., Vigna, G., Kruegel, C.: BareCloud: bare-metal analysis-based evasive malware detection. In: USENIX Security (2014)Google Scholar
  13. 13.
    Kolbitsch, C., Kirda, E., Kruegel, C.: The power of procrastination: detection and mitigation of execution-stalling malicious code. In: ACM CCS (2011)Google Scholar
  14. 14.
    Li, Y.: Droidbot (2012).
  15. 15.
    Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011). Scholar
  16. 16.
    Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis - 1,000,000 apps later: a view on current Android malware behaviors. In: BADGERS (2014)Google Scholar
  17. 17.
    Maier, D., Müller, T., Protsenko, M.: Divide-and-conquer: why Android malware cannot be stopped. In: Proceedings of the 9th International Conference on Availability, Reliability and Security (ARES). SBA Research, Fribourg (2014)Google Scholar
  18. 18.
    Matenaar, F., Schulz, P.: Detecting Android sandboxes.
  19. 19.
    Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: IEEE Symposium on Security and Privacy (SP), pp. 1009–1024. IEEE (2017)Google Scholar
  20. 20.
    Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: ACSAC, pp. 421–430. IEEE (2007)Google Scholar
  21. 21.
    Mutti, S., Fratantonio, Y., Bianchi, A., Invernizzi, L., Corbetta, J., Kirat, D., Kruegel, C., Vigna, G.: Baredroid: large-scale analysis of Android apps on real devices. In: ACSAC (2015)Google Scholar
  22. 22.
    Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of Android malware. In: EUROSEC (2014)Google Scholar
  23. 23.
    Poeplau, S., Fratantonio, Y., Bianchi, A., Kruegel, C., Vigna, G.: Analyzing unsafe and malicious dynamic code loading in Android applications. In: NDSS (2014)Google Scholar
  24. 24.
    Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors. In: EUROSEC (2013)Google Scholar
  25. 25.
    Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P.G., Alvarez, G.: PUMA: permission usage to detect malware in Android. In: Herrero, Á., et al. (eds.) CISIS/ICEUTE/SOCO 2012 Special Sessions. AISC, vol. 189, pp. 289–298. Springer, Heidelberg (2012). Scholar
  26. 26.
    Spreitzenbarth, M.: The evil inside a droid - Android malware: past, present and future. In: Baltic Conference on Network Security & Forensics (2012)Google Scholar
  27. 27.
    Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., Hoffmann, J.: Mobile-sandbox: having a deeper look into Android applications. In: ACM SAC (2013)Google Scholar
  28. 28.
    Su, X., Chuah, M., Tan, G.: Smartphone dual defense protection framework: detecting malicious applications in Android markets. In: International Conference on Mobile Ad-Hoc and Sensor Networks (2012)Google Scholar
  29. 29.
    Vidas, T., Christin, N.: Evading Android runtime analysis via sandbox detection. In: AsiaCCS (2014)Google Scholar
  30. 30.
    Wu, D.J., Mao, C.H., Wei, T.E., Lee, H.M., Wu, K.P.: DroidMat: Android malware detection through manifest and API calls tracing. In: Asia JCIS (2012)Google Scholar
  31. 31.
    Zheng, M., Sun, M., Lui, J.C.: Droid analytics: a signature based analytic system to collect, extract, analyze and associate Android malware. In: TrustCom (2013)Google Scholar
  32. 32.
    Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: IEEE Symposium on Security & Privacy (2012)Google Scholar
  33. 33.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: NDSS (2012)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Vitor Afonso
    • 1
    • 5
  • Anatoli Kalysch
    • 4
  • Tilo Müller
    • 4
  • Daniela Oliveira
    • 3
  • André Grégio
    • 2
    Email author
  • Paulo Lício de Geus
    • 1
  1. 1.Institute of ComputingUniversity of CampinasCampinasBrazil
  2. 2.Department of InformaticsFederal University of ParanáCuritibaBrazil
  3. 3.Florida Institute for Cybersecurity ResearchUniversity of FloridaGainesvilleUSA
  4. 4.Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)ErlangenGermany
  5. 5.Content KeeperSydneyAustralia

Personalised recommendations