Lumus: Dynamically Uncovering Evasive Android Applications
Abstract
Dynamic analysis of Android malware suffers from techniques that identify the analysis environment and prevent the malicious behavior from being observed. While there are many analysis solutions that can thwart evasive malware on Windows, the application of similar techniques to Android has not been studied in depth. In this paper, we present Lumus, a novel technique to uncover evasive malware on Android. Lumus compares the execution traces of malware on bare-metal and emulated environments. We used Lumus to analyze 1,470 Android malware samples and were able to uncover 192 evasive samples. Comparing our approach with other solutions yields better results in terms of accuracy and false positives. We discuss which information is typically used by evasive malware for detecting emulated environments, and conclude with how analysis sandboxes can be strengthened in the future.
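As an illustration of the trace-comparison idea in the abstract (an added example, not Lumus's own code, trace format or thresholds): two constructed call traces from a bare-metal and an emulated run are normalised to drop per-run noise, aligned, and the first point of divergence plus the share of behaviour seen only on bare metal are reported.

```python
import difflib
import re
from dataclasses import dataclass

# Per-run noise that differs between any two executions and must not count
# as divergence: leading timestamps, hex addresses, pid/tid/fd numbers.
_NOISE = [(re.compile(r"^\[\d+(\.\d+)?\]\s*"), ""),
          (re.compile(r"0x[0-9a-fA-F]+"), "ADDR"),
          (re.compile(r"\b(pid|tid|fd)=\d+"), r"\1=N")]

def normalize(trace):
    """Reduce each trace line to the API/syscall event it records."""
    out = []
    for line in trace:
        for pat, repl in _NOISE:
            line = pat.sub(repl, line)
        out.append(line.strip())
    return out

@dataclass
class Verdict:
    divergence: float      # share of bare-metal events never seen in the emulator
    first_divergence: int  # index into the bare-metal trace, -1 if the runs agree
    withheld: list         # bare-metal-only events, in order

def compare_traces(bare, emu):
    """Align both traces; events seen on bare metal but absent from the
    emulated run are the behaviour the sample withheld under analysis."""
    b, e = normalize(bare), normalize(emu)
    sm = difflib.SequenceMatcher(a=b, b=e, autojunk=False)
    withheld, first = [], -1
    for tag, i1, i2, _, _ in sm.get_opcodes():
        if tag in ("delete", "replace"):
            first = i1 if first < 0 else first
            withheld.extend(b[i1:i2])
    return Verdict(len(withheld) / len(b) if b else 0.0, first, withheld)

def is_evasive(bare, emu, threshold=0.3):
    # Threshold is a hypothetical cut-off; real traces need calibration.
    return compare_traces(bare, emu).divergence >= threshold

# Constructed sample traces (not real Lumus output): the same app on a phone
# and in an emulator, where the emulated run exits right after probing the build.
BARE_TRACE = ["[1.001] Build.FINGERPRINT read pid=812",
              "[1.002] TelephonyManager.getDeviceId pid=812",
              "[1.010] HttpURLConnection.connect host=c2.invalid pid=812 fd=41",
              "[1.020] DexClassLoader.loadClass name=payload.Main pid=812 at 0x7f3a10"]
EMU_TRACE = ["[0.501] Build.FINGERPRINT read pid=133",
             "[0.502] TelephonyManager.getDeviceId pid=133",
             "[0.520] System.exit pid=133"]
```

Benign divergence (timing, network availability, UI exploration order) also shows up in real traces, so the ratio is a triage signal rather than a verdict on its own.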