Jyoti Gajrani, Jitendra Sarswat, Meenakshi Tripathi, V. Laxmi, M. Gaur, M. Conti
Title: A robust dynamic analysis system preventing SandBox detection by Android malware
Authors: Jyoti Gajrani, Jitendra Sarswat, Meenakshi Tripathi, V. Laxmi, M. Gaur, M. Conti
DOI: 10.1145/2799979.2800004 (https://doi.org/10.1145/2799979.2800004)
Published in: Proceedings of the 8th International Conference on Security of Information and Networks
Publication date: 2015-09-08
Citations: 30
Abstract
Due to the increase in the number and diversity of Android malware applications, it has become necessary for the security community to develop automated dynamic analysis systems. Static analysis has limitations that can be overcome by dynamic analysis. Many tools based on the dynamic analysis approach have been developed which employ an emulated or virtualized environment for analysis. While this has been an effective technique for analysis, it can be detected and evaded by recent sophisticated malware. Malware families such as Pincer, AnserverBot, BgServ and Wroba have incorporated methods to check for the presence of an emulated or virtualized environment. Once the presence of the sandbox is detected, they do not execute any malicious behavior. In this paper, a robust emulated environment is proposed and developed that is resilient against most of these detection techniques. We have compared our malware analysis tool DroidAnalyst against 12 publicly available dynamic analysis services and shown that our service is the most resilient against anti-emulation techniques. Incorporating anti-anti-detection techniques into dynamic analysis systems that are purely based on emulation hinders the detection and evasion of the emulated environment by malware.