Anti Android Emulator Detection Solution

For Dynamic Malware Analysis

Detail

Introduction

Android remains the most popular mobile platform, and that market share has made it a primary target for malware authors. Because the volume of Android malware is huge, machine learning is a natural direction for malware detection. When samples are classified with machine learning, dynamic analysis is sometimes used alongside signature extraction and matching to obtain more features and improve overall accuracy. Dynamic analysis, however, runs the sample in an emulator, and a sample that recognises emulator properties simply does nothing, so the analysis records no malicious behaviour. Because of this anti-analysis technique, dynamic analysis in practice often yields little information that is useful for classifying samples.

Objective

To raise the accuracy of dynamic analysis, this project develops an anti-emulator-detection solution for it. The solution uses Frida to forge a real-device environment inside the Android virtual machine, so that samples can no longer identify the virtual machine as an emulator and the dynamic analysis can proceed. The solution has been implemented on CuckooDroid and evaluated by comparing it with the anti-emulator-detection measures that CuckooDroid already ships.

Methodology

First Phase

1. Set up the Cuckoo sandbox server on the host.


2. Set up a VM for running Android applications.


[Figure: unexpected features in emulator]

Second Phase

Design anti-emulator-detection solutions that forge a real-device environment.
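The forging step above, as an added example that is not the project's own code: a Frida agent script that overwrites the android.os.Build values, the TelephonyManager device id and the ro.kernel.qemu system property that samples commonly inspect. The emulator markers are the well-known AOSP/Genymotion defaults; the assumption that these are the checks the analysed samples use is stated in the code. The real-device profile and the sample emulator environment are constructed for illustration (the IMEI-like value is a Luhn-valid made-up number, not a real device). The checks and the forging logic are plain functions so they also run under Node; the Frida hooks at the bottom execute only inside a Frida agent, where the Java bridge exists.

```javascript
// Added example (not the project's code): Frida agent script that forges the
// real-device values Android samples commonly inspect to detect an emulator.
// Plain functions first (runnable under Node), Frida hooks at the bottom.

// Well-known emulator markers in android.os.Build (AOSP goldfish/ranchu images,
// Genymotion). Assumption: the samples under analysis use these checks; extend
// the table for other indicators seen in analysis reports.
const EMULATOR_MARKERS = {
  FINGERPRINT: ['generic', 'unknown', 'test-keys'],
  MODEL: ['google_sdk', 'Emulator', 'Android SDK built for'],
  MANUFACTURER: ['Genymotion', 'unknown'],
  HARDWARE: ['goldfish', 'ranchu', 'vbox86'],
  PRODUCT: ['sdk', 'google_sdk', 'vbox86p'],
};
// TelephonyManager.getDeviceId() on the SDK emulator returns all zeros.
const EMULATOR_DEVICE_ID = '000000000000000';

// Constructed real-device profile (hypothetical handset values chosen for
// illustration; the device id is a made-up Luhn-valid number, not a real IMEI).
const REAL_DEVICE_PROFILE = {
  build: {
    FINGERPRINT: 'samsung/dreamltexx/dreamlte:9/PPR1.180610.011/G950FXXS5DSI1:user/release-keys',
    MODEL: 'SM-G950F',
    MANUFACTURER: 'samsung',
    BRAND: 'samsung',
    HARDWARE: 'samsungexynos8895',
    PRODUCT: 'dreamltexx',
    DEVICE: 'dreamlte',
    BOARD: 'universal8895',
  },
  deviceId: '356938035643809',
  sysprops: { 'ro.kernel.qemu': '0' },
};

// Mirror of a typical sample-side check over an environment object
// { build, deviceId, sysprops }: true as soon as any marker matches.
function looksLikeEmulator(env) {
  for (const [field, markers] of Object.entries(EMULATOR_MARKERS)) {
    const value = String((env.build || {})[field] || '');
    if (markers.some((m) => value.includes(m))) return true;
  }
  if (!env.deviceId || env.deviceId === EMULATOR_DEVICE_ID) return true;
  return String((env.sysprops || {})['ro.kernel.qemu']) === '1';
}

// Forge the environment: every profiled Build field is replaced (not only the
// ones that matched) so cross-field consistency checks in a sample still hold.
// Returns a new object; the input is left untouched.
function forgeEnvironment(env) {
  return {
    build: Object.assign({}, env.build, REAL_DEVICE_PROFILE.build),
    deviceId: REAL_DEVICE_PROFILE.deviceId,
    sysprops: Object.assign({}, env.sysprops, REAL_DEVICE_PROFILE.sysprops),
  };
}

// Constructed sample of what a stock x86 SDK emulator reports.
const SDK_EMULATOR_ENV = {
  build: {
    FINGERPRINT: 'google/sdk_gphone_x86/generic_x86:10/QSR1.190920.001/5891938:user/release-keys',
    MODEL: 'Android SDK built for x86',
    MANUFACTURER: 'Google',
    BRAND: 'google',
    HARDWARE: 'ranchu',
    PRODUCT: 'sdk_gphone_x86',
    DEVICE: 'generic_x86',
    BOARD: 'goldfish_x86',
  },
  deviceId: EMULATOR_DEVICE_ID,
  sysprops: { 'ro.kernel.qemu': '1' },
};

// Frida side: overwrite the static Build fields and hook the two lookups.
// `Java` only exists inside a Frida agent, so this block is skipped under Node.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Build = Java.use('android.os.Build');
    for (const [field, value] of Object.entries(REAL_DEVICE_PROFILE.build)) {
      Build[field].value = value; // static field write through Frida's Java bridge
    }
    const Tm = Java.use('android.telephony.TelephonyManager');
    Tm.getDeviceId.overload().implementation = function () {
      return REAL_DEVICE_PROFILE.deviceId;
    };
    const SysProp = Java.use('android.os.SystemProperties');
    SysProp.get.overload('java.lang.String').implementation = function (key) {
      const forged = REAL_DEVICE_PROFILE.sysprops[key];
      return forged !== undefined ? forged : this.get(key); // fall through to the original
    };
  });
}
```

Loaded with `frida -U -l forge.js -f <package>` the hooks are installed before the sample's first Activity runs, which matters because many samples perform the Build comparison in a static initialiser. Replacing the whole Build profile rather than single fields keeps fingerprint, product and device consistent with each other; a sample that only checks one field is defeated either way, but one that cross-checks them would notice a half-forged device.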


Final Phase

Generate a malware analysis report that shows the emulator-detection activities of the tested sample.


Project Plan

Date                  To-do item(s)
30th Sep              Deliverables of Phase 1: Inception (Completed)
                      - Complete the project plan
                      - Build a project website
1st Oct to 22nd Oct   Study the theory and related knowledge (Completed)
                      - Android emulator
                      - CuckooDroid
                      - Malware detection
                      - Anti-sandbox techniques
23rd Oct to 7th Jan   Build an Android emulator that returns a log of every function call and variable change, then pass it to the analysis program to evaluate (Completed)
                      - Use the set of identified malware from AMD to define attack features.
                      - Try to get the test application onto the web platform first (by simple upload).
7th-11th Jan          First presentation (Completed)
20th Jan              Deliverables of Phase 2: Elaboration (Completed)
                      - Conduct preliminary implementation
                      - Complete detailed interim report
10th Jan to 25th Feb  Collect the list of APIs related to emulator detection, and design an anti-detection solution for each of them (Completed)
March to April        Finalize and improve the program (Completed)
                      - Debugging
                      - Prepare for the final presentation and final report
14th Apr              Deliverables of Phase 3: Construction (Completed)
                      - Conduct finalized, tested implementation
                      - Complete the final report
15th-19th Apr         Final presentation (Completed)
29th Apr              Project exhibition

Supervisor


Dr K.P. Chow
chow@cs.hku.hk

Student


Felix Ho
u3524435@hku.hk