InviSeal: A Stealthy Dynamic Analysis Framework for Android Systems

Saurabh Kumar, Debadatta Mishra, Biswabandan Panda, S. Shukla
DOI: 10.1145/3567599 (https://doi.org/10.1145/3567599)
Journal: Digital Threats: Research and Practice
Publication date: 2022-10-12
Publication type: Journal Article
Citation count: 0

Abstract

With the wide adoption of open-source Android in mobile devices by different device vendors, sophisticated malware is being developed to exploit security vulnerabilities. As comprehensive security analysis on physical devices is impractical and costly, emulator-driven security analysis has gained popularity in recent times. Existing dynamic analysis frameworks suffer from two major issues: (i) they do not provide foolproof anti-emulation-detection measures even for fingerprint-based attacks, and (ii) they lack efficient cross-layer profiling capabilities. In this work, we present InviSeal, a comprehensive and scalable dynamic analysis framework that includes low-overhead cross-layer profiling techniques and detailed anti-emulation-detection measures along with the basic emulation features. While providing an emulator-based comprehensive analysis platform, InviSeal strives to remain behind the scenes to avoid emulation detection. We empirically demonstrate that the proposed OS-layer profiling utility used to achieve cross-layer profiling is ∼1.26× faster than existing strace-based approaches. Overall, on average, InviSeal incurs ∼1.04× profiling overhead in terms of the number of operations performed by the various workloads of the CaffeineMark-3.0 benchmark, which is better than contemporary techniques. Furthermore, we evaluate the anti-emulation-detection strategies of InviSeal against fingerprint-based emulation-detection attacks. Experimental results show that the emulation-detection attacks carried out by the malware samples do not identify InviSeal as an emulated platform.