Automated Execution Control and Dynamic Behavior Monitoring for Android (TM) Applications

M. Louw, Marc Krull, Tavaris J. Thomas, R. Cathey, Gregory L. Frazier, Mike Weber

MILCOM 2013 - 2013 IEEE Military Communications Conference. Published 2013-11-01. DOI: 10.1109/MILCOM.2013.168 (https://doi.org/10.1109/MILCOM.2013.168)

Citations: 2

Abstract

We explore techniques for eliciting a behavioral description from an Android smartphone app in a controlled manner. A description of app behavior is useful for performing subsequent analysis such as model checking, for example to verify that the app satisfies a set of desirable security properties. Our solution is to dynamically execute the app in a customized version of the Android SDK emulator, which provides many of an app's inputs as responses to invoked API calls. A more focused set of input values computed offline is then injected into the app via hooks introduced into the Android API implementation. To dynamically monitor app behavior, we instrument the app bytecode to record control and data flows during execution. We also instrument the Android API to record all of the app's inputs and outputs. We have used this technique on the DARPA Automated Program Analysis for Cybersecurity (APAC) program to reveal hidden, triggerable attacks in independently developed challenge apps. Our framework for extracting app behavior is part of Droid Reasoning, Analysis, and Protection Engine (DRAPE), an integrated, semi-automated app behavior analysis system capable of discovering hidden malware in Android apps.