Mirage: Toward a Stealthier and Modular Malware Analysis Sandbox for Android

  • Lorenzo Bordoni
  • Mauro Conti
  • Riccardo Spolaor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


Nowadays, malware is affecting not only PCs but also mobile devices, which became pervasive in everyday life. Mobile devices can access and store personal information (e.g., location, photos, and messages) and thus are appealing to malware authors. One of the most promising approach to analyze malware is by monitoring its execution in a sandbox (i.e., via dynamic analysis). In particular, most malware sandboxing solutions for Android rely on an emulator, rather than a real device. This motivates malware authors to include runtime checks in order to detect whether the malware is running in a virtualized environment. In that case, the malicious app does not trigger the malicious payload. The presence of differences between real devices and Android emulators started an arms race between security researchers and malware authors, where the former want to hide these differences and the latter try to seek them out.

In this paper we present Mirage, a malware sandbox architecture for Android focused on dynamic analysis evasion attacks. We designed the components of Mirage to be extensible via software modules, in order to build specific countermeasures against such attacks. To the best of our knowledge, Mirage is the first modular sandbox architecture that is robust against sandbox detection techniques. As a representative case study, we present a proof of concept implementation of Mirage with a module that tackles evasion attacks based on sensors API return values.



Mauro Conti is supported by a Marie Curie Fellowship funded by the European Commission (agreement PCIG11-GA-2012-321980). This work is also partially supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061), the EU-India REACH Project (agreement ICI+/2014/342-896), and by the projects “Physical-Layer Security for Wireless Communication”, and “Content Centric Networking: Security and Privacy Issues” funded by the University of Padua. This work is partially supported by the grant n. 2017-166478 (3696) from Cisco University Research Program Fund and Silicon Valley Community Foundation. This work is also partially funded by the project CNR-MOST/Taiwan 2016-17 “Verifiable Data Structure Streaming”.


  1. 1.
    Android. Building requirements. (2016)
  2. 2.
    Android. Dashboards. (2016)
  3. 3.
    Android. Developer’s guide. (2016)
  4. 4.
    Bergman, N.: Android anti-hooking techniques in Java. (2015)
  5. 5.
    Bläsing, T., Batyuk, L., Schmidt, A.-D., Camtepe, S.A., Albayrak, S.: An Android application sandbox system for suspicious software detection. In: IEEE MALWARE (2010)Google Scholar
  6. 6.
    Check Point Software Technologies LTD. Automated Android malware analysis with Cuckoo Sandbox. (2016)
  7. 7.
    Conti, M., Santo, E.D., Spolaor, R.: DELTA: data extraction and logging tool for Android (2016). arXiv preprint: arXiv:1609.02769
  8. 8.
    Freeman, J.: Instrument Java methods using native code. (2016)
  9. 9.
    Fritz, C., Arzt, S., Rasthofer, S.: DroidBench. (2016)
  10. 10.
    Gajrani, J., Sarswat, J., Tripathi, M., Laxmi, V., Gaur, M., Conti, M.: A robust dynamic analysis system preventing sandbox detection by Android malware. In: ACM SIN (2015)Google Scholar
  11. 11.
    Ganti, R.K., Ye, F., Lei, H.: Mobile crowdsensing: current state and future challenges. IEEE Commun. Mag. 49, 32–39 (2011)CrossRefGoogle Scholar
  12. 12.
    Gartner. Gartner says five of top 10 worldwide mobile phone vendors increased sales in second quarter of 2016. (2016)
  13. 13.
    Genymotion. Using Genymotion Java API. (2016)
  14. 14.
    Gomez, L., Neamtiu, I., Azim, T., Millstein, T.: Reran: timing-and touch-sensitive record and replay for android. In: IEEE ICSE (2013)Google Scholar
  15. 15.
    Jing, Y., Zhao, Z., Ahn, G.-J., Hu, H.: Morpheus: automatically generating heuristics to detect Android emulators. In: ACM ACSAC (2014)Google Scholar
  16. 16.
    Lantz, P.: Dynamic analysis of Android apps. (2015)
  17. 17.
    Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., Van Der Veen, V., Platzer, C.: Andrubis-1,000,000 apps later: a view on current Android malware behaviors. In: IEEE BADGERS (2014)Google Scholar
  18. 18.
    Lockheimer, H.: Android and security. (2012)
  19. 19.
    Maier, D., Protsenko, M., Müller, T.: A game of droid and mouse: the threat of split-personality malware on Android. Comput. Secur. 54, 2–15 (2015)CrossRefGoogle Scholar
  20. 20.
    Matenaar, F., Schulz, P.: Detecting Android sandboxes. (2012)
  21. 21.
    Mulliner, C.: The Android dynamic binary instrumentation toolkit. (2016)
  22. 22.
    Mutti, S., Fratantonio, Y., Bianchi, A., Invernizzi, L., Corbetta, J., Kirat, D., Kruegel, C., Vigna, G.: BareDroid: large-scale analysis of android apps on real devices. In: ACM ACSAC (2015)Google Scholar
  23. 23.
    Neuner, S., Van der Veen, V., Lindorfer, M., Huber, M., Merzdovnik, G., Mulazzani, M., Weippl, E.: Enter sandbox: Android sandbox comparison (2014). arXiv preprint: arXiv:1410.7749
  24. 24.
    Oberheide, J., Miller, C.: Dissecting the Android Bouncer. SummerCon (2012)Google Scholar
  25. 25.
    OpenIntents. Sensor Simulator. (2014)
  26. 26.
    Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: USENIX WOOT (2009)Google Scholar
  27. 27.
    Percoco, N.J., Schulte, S.: Adventures in BouncerLand. Black Hat USA (2012)Google Scholar
  28. 28.
    Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of Android malware. In: ACM EUROSEC (2014)Google Scholar
  29. 29.
    Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1–18. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-75496-1_1 CrossRefGoogle Scholar
  30. 30.
    SandDroid. An automatic Android application analysis system (2014).
  31. 31.
    Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., Hoffmann, J.: Mobile-sandbox: having a deeper look into Android applications. In: ACM SAC (2013)Google Scholar
  32. 32.
    Statista. Number of apps available in leading app stores as of June 2016.
  33. 33.
    Strazzere, T.: Dex education 201 - anti-emulation. (2013)
  34. 34.
    Tam, K., Khan, S.J., Fattori, A., Cavallaro, L.: CopperDroid: automatic reconstruction of Android malware behaviors. In: NDSS (2015)Google Scholar
  35. 35.
    Van Der Veen, V., Bos, H., Rossow, C.: Dynamic analysis of Android malware. Internet & Web Technology Master thesis, VU University Amsterdam (2013)Google Scholar
  36. 36.
    Vidas, T., Christin, N.: Evading Android runtime analysis via sandbox detection. In: ACM ASIACCS (2014)Google Scholar
  37. 37.
    Vidas, T., Tan, J., Nahata, J., Tan, C.L., Christin, N., Tague, P.: A5: automated analysis of adversarial Android applications. In: ACM SPSM (2014)Google Scholar
  38. 38.
    Vollmer, R.: XposedBridge development tutorial. (2016)
  39. 39.
    Wagner, D.T., Rice, A., Beresford, A.R.: Device analyzer. In: Proceedings of ACM HOTMOBILE (2011)Google Scholar
  40. 40.
    Wheatstone, R.: Pippa Middleton’s iCloud hacked. (2016)
  41. 41.
    Yan, L.K., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. In: USENIX Security (2012)Google Scholar
  42. 42.
    Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: IEEE SP (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Lorenzo Bordoni
    • 1
  • Mauro Conti
    • 1
  • Riccardo Spolaor
    • 1
  1. 1.University of PaduaPaduaItaly

Personalised recommendations