Parvez Faruki, A. Zemmari, M. Gaur, V. Laxmi, M. Conti
2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W). Published 2016-06-30. DOI: 10.1109/DSN-W.2016.33 (https://doi.org/10.1109/DSN-W.2016.33)
MimeoDroid: Large Scale Dynamic App Analysis on Cloned Devices via Machine Learning Classifiers
The exponential adoption of Android applications (apps) among users has attracted malware authors who evade the default emulator-based dynamic analysis systems. Evolving Android malware behaves benignly once it identifies the Goldfish emulator, which is often used for app development and malware analysis. Once malware identifies the Goldfish virtual device, it behaves benignly or prevents malicious code execution. The exponential increase of such stealth malware necessitates a detection approach that coerces malicious apps into revealing their hidden behavior. To detect malicious apps and characterize their association, we propose MimeoDroid (an enriched replica of a real Android device), a modified virtual clone that coerces the malware into believing it is being executed on an actual device. We automate relevant feature extraction and classification of processor, memory usage, Binder IPC transfers, network interaction, battery charging status and manifest permission(s) to detect malicious behavior using tree-based machine learning classifiers. MimeoDroid is a lightweight, machine-learning-based malware analysis and characterization approach for detecting malicious apps that would evade the existing analyzers.