Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Irolla, Paul; Filiol, Éric

doi:10.5220/0006094006100621

Cited by 7 publications

(6 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…But it is easily evaded by malware that detects virtual environments. There are various strategies to circumvent dynamic analysis; the following strategies are used to determine the virtual environment [15]. It is noteworthy that using Google Bouncer, in 2015, more than 1 million users were harmed by malware using build.MODEL == "google_ sdk", the source code of the Brain Test malicious apps that bypassed Google Bouncer [16].…”

Section: A Problems With Android Malware Dynamic Analysismentioning

confidence: 99%

A-Pot: A Comprehensive Android Analysis Platform Based on Container Technology

et al. 2020

View full text Add to dashboard Cite

Recently, intelligent Android malware avoids being analyzed using anti-emulator, antidebugging, and rooting detection. Existing emulators have problems to be easily detected by malware that check with hardware or sensor information. This paper proposes an efficient analysis system A-Pot, to deal with intelligent Android malware. A-Pot applied the Android container technology. It's made to be similar to a real phone using ARM-based hardware. A-Pot is equipped with sensor modules such as USIM, Bluetooth, and Wi-Fi module. In order to respond to the environment analysis, the properties of the Android OS are made to be the same as the real mobile phone. In addition, A-Pot is designed to connect to a mini base station for supporting SMS and phone calls with the 3G network. Moreover, with the advantages provided by the container technology, A-Pot is able to support non-ADB, non-debuggers, and non-root environments. To prove the efficiency of our platform, we analyzed using intelligent Android malware, antivirus, Google Play apps, and general malware. This model had an operating rate of about 97.36% for 5000 malware. The proposed A-Pot can be efficiently applied to defend against intelligent Android malware analysis.

show abstract

Section: A Problems With Android Malware Dynamic Analysismentioning

confidence: 99%

A-Pot: A Comprehensive Android Analysis Platform Based on Container Technology

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Several dynamic analysis tools for characterizing Android apps have been published in the literature. The majority of these rely on random-based test input generation using Monkey, for example, AASandbox [11], ANANAS [12], Mobile-Sandbox [13], vetDroid [14], TraceDroid [48], Andrubis [49], Dynalog [8], HADM [50], Maline [51], Glassbox [52], NetworkProfiler [53], Andlatis [54], Hu & Neamtiu [55], and Cai & Ryder [56]. Others such as AppsPlayground [38] used a more intelligent event generation technique, but unlike our paper, did not investigate code coverage capabilities in the context of on performance analysis of machine learning-based malware detection.…”

Section: Related Workmentioning

confidence: 99%

Machine learning-based dynamic analysis of Android apps with improved code coverage

Yerima

Alzaylaee

Sezer

2019

EURASIP J. on Info. Security

View full text Add to dashboard Cite

This paper investigates the impact of code coverage on machine learning-based dynamic analysis of Android malware. In order to maximize the code coverage, dynamic analysis on Android typically requires the generation of events to trigger the user interface and maximize the discovery of the run-time behavioral features. The commonly used event generation approach in most existing Android dynamic analysis systems is the random-based approach implemented with the Monkey tool that comes with the Android SDK. Monkey is utilized in popular dynamic analysis platforms like AASandbox, vetDroid, MobileSandbox, TraceDroid, Andrubis, ANANAS, DynaLog, and HADM. In this paper, we propose and investigate approaches based on stateful event generation and compare their code coverage capabilities with the state-of-the-practice random-based Monkey approach. The two proposed approaches are the state-based method (implemented with DroidBot) and a hybrid approach that combines the state-based and random-based methods. We compare the three different input generation methods on real devices, in terms of their ability to log dynamic behavior features and the impact on various machine learning algorithms that utilize the behavioral features for malware detection. Experiments performed using 17,444 applications show that overall, the proposed methods provide much better code coverage which in turn leads to more accurate machine learning-based malware detection compared to the state-of-the-art approach.

show abstract

“…Their work highlighted the anti-emulator capabilities of malware which can be solved by using real devices. Glassbox [21] also presented a dynamic analysis platform for analysing Android malware on real devices. However, unlike the work presented in this paper, these studies have not addressed machine learning based detection on real devices.…”

Section: Related Workmentioning

confidence: 99%

“…Dynamic analysis tools that rely on emulators (or virtual devices) such as Dynalog [14] attempt to address the problem by changing properties of the environment to emulate a real phone as much as possible and to incorporate several behaviours to mimic a real phone. However, these methods whilst useful, have been shown to be insufficient to completely tackle anti-emulation [21], [22], [31] .…”

Section: Introductionmentioning

confidence: 99%

EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning

Alzaylaee,

Yerima,

Sezer

2017

Preprint

View full text Add to dashboard Cite

The Android operating system has become the most popular operating system for smartphones and tablets leading to a rapid rise in malware. Sophisticated Android malware employ detection avoidance techniques in order to hide their malicious activities from analysis tools. These include a wide range of anti-emulator techniques, where the malware programs attempt to hide their malicious activities by detecting the emulator. For this reason, countermeasures against antiemulation are becoming increasingly important in Android malware detection. Analysis and detection based on real devices can alleviate the problems of anti-emulation as well as improve the effectiveness of dynamic analysis. Hence, in this paper we present an investigation of machine learning based malware detection using dynamic analysis on real devices. A tool is implemented to automatically extract dynamic features from Android phones and through several experiments, a comparative analysis of emulator based vs. device based detection by means of several machine learning algorithms is undertaken. Our study shows that several features could be extracted more effectively from the on-device dynamic analysis compared to emulators. It was also found that approximately 24% more apps were successfully analysed on the phone. Furthermore, all of the studied machine learning based detection performed better when applied to features extracted from the on-device dynamic analysis.

show abstract

Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Cited by 7 publications

References 13 publications

A-Pot: A Comprehensive Android Analysis Platform Based on Container Technology

A-Pot: A Comprehensive Android Analysis Platform Based on Container Technology

Machine learning-based dynamic analysis of Android apps with improved code coverage

EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning

Contact Info

Product

Resources

About