Until now, Android is still the most popular mobile framework. Concurrently, the history tells us Android is also a malware nest due to its high market occupation. In addition, the amount of malware is numerous. Therefore machine learning is probably the trend for malware detection. In fact, when we apply machine learning to classify the samples, apart from signature extraction and matching, dynamic analysis is sometimes an option for extracting more features from samples to improve the overall accuracy. Since dynamic analysis is using emulators to test the sample, if the samples can detect emulator properties, they will not do anything. As a result, the dynamic analysis fails to detect the malware behavior according to this kind of anti-analysis technique. In practice, dynamic analysis is hard to provide useful information for classifying the samples.
In order to increase the accuracy of dynamic analysis, this project aims to develop an anti-emulator detection solution for it. This solution attempted to forge a real Android device environment for Android Virtual Machine powered by Frida. Subsequently, samples will not be able to detect the Virtual Machine as an emulator. Afterward, the dynamic analysis will be successful. In practice, the solution has been implemented on Cuckoodroid, and evaluated by comparing with the original anti-emulator detection solution in Cuckoodroid.
1. Set up Cuckoo sandbox server in the host
2. Set up VM for running Android application.
Design emulator anti-detection solutions to forge the real device environment.
Generate a malware analysis report to show emulator detection activities in the tested sample.
|Date||To do item(s)|
|30th, Sep||Deliverables of Phase 1: Inception (Completed)
- Complete the project plan
- Build a project website
|1st, Oct to 22th, Oct||Study the theory & related knowledge (Completed)
- Androld emulator
- Malware detection
- Anti-sandbox techniques
|23th, Oct to 7th, Jan||Build a Android emulator which can return a log of every function call and variable change, then pass to analysis program to evalute (Completed)
- Use set of identified malware from AMD to define attacking features.
- Try to get the test application in web platform first (by simple uploading).
|7-11th, Jan||First Presentation (Completed)|
|20th, Jan||Deliverables of Phase 2: Elaboration (Completed)
- Conduct preliminary implementation
- Complete detailed interim report
|10th, Jan to 25th, Feb||Collect the lists of APIs related to emulator detection, and sesign anti-detection solution for each of them. (Completed)|
|March to April||Finalize & Improve the program: (Completed)
- Prepare for final presentation and final report
|14th, Apr||Deliverables of Phase 3: Construction (Completed)
- Conduct finalized tested implementation
- Complete the final report
|15-19th, Apr||Final presentation (Completed)|
|29th, Apr||Project exhibition|