Rage Against the Virtual Machine:
Hindering Dynamic Analysis of Android Malware
1
1
1
2
Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, and Sotiris Ioannidis
1
1
Institute of Computer Science, Foundation for Research and Technology—Hellas, Greece
2
Columbia University, USA
{petsas,jvoyatz,elathan,sotiris}@ics.forth.gr, [email protected]
xFlowH
I
I
Self-modifying
Static Heuristics
I
3
D-Cache and I-Cache: Not
synchronized ⇒ I-Cache may
contain stale instructions
Checking pre-initialized static
information
I Device ID (idH)
I Current build (buildH)
I routing table (netH)
I
f1
Fixed Build attributes
f1
f2
f1
f2
Emulator
Emulator: consistent call
sequence
code_func = ( code_func_t ) code ;
write_code (& swap , & code , & patch , & f2 );
f1(),
f2()
f1(),
f2()
1
2
Call Sequence example:
f1
f1
f1
f2
f2
f1
for ( i =0; i < N ; i ++) {
patch_code (& swap , & patch , & f1 );
code_func ();
patch_code (& swap , & patch , & f2 );
code_func ();
}
Device
Heuristics implementation: Use of Android SDK and NDK
I Android app that reports the effectiveness of the heuristics
I Incorporation of the heuristics in known Android malware samples
I
PRODUCT=google sdk
I HARDWARE=goldfish
Android Emulator behind a virtual
router
I
f2
Implementation
I
I
uint32_t * code = mmap (
NULL , 16 * 4 ,
PROT_READ | PROT_WRITE | PROT_EXEC ,
MAP_PRIVATE | MAP_ANONYMOUS ,
-1 , 0);
Call Sequence example:
QEMU does not emulate the
ARM cache
I code in cache always matches the
code in memory
By default IMEI=null in Android
Emulator
code_func_t code_func ;
uint32_t * patch ;
uint32_t * swap ;
f2()
I
Examples
I IMEI, GSMI, etc
2
)
Anti-analysis Techniques
typedef void (* code_func_t ) ( void );
1
Device: random call
sequence
I
I
f1()
(
f1
Android anti-virus products that offer real-time protection to mobile users
can be evaded through transformation techniques[2]
I There exist many tools and web services that dynamically analyze Android
apps in order to detect zero-day malware and enhance anti-virus capabilities
I Can these dynamic analysis tools also be evaded?
I How can we protect these tools from evasion techniques?
I
f2
()
Motivation
Patch the Dalvik bytecode with the bytecode of the heuristics
I Use of Smali/Baksmali and Apktool for disassembling and reassembling
I
addresss space: 10.0.2/24
Evaluation Methodology
Dynamic Heuristics
1
0.8
CDF
Sensors produce always the
same values at equal intervals
I accelerometer (accelH)
I magnetic field (magnFH)
I rotation vector (rotVecH)
I proximity (proximH)
I gyroscope (gyrosH)
APK execution
APK Submission
2
1
0.6
Heuristics APK
0.4
3
0
0.7
0.75
0.8
0.85
Samples
Submission
1
2
Dynamic Analysis
Service
IdH ✔
buildH ✔
netH ✔
accelH ✘
xFlow ✔
...
Web Server
0.9
Heuristics
Incorporation
Dynamic Analysis
Service
HTTP Request
0.2
Original Sample
Heuristics Results
Reports
Comparison
Repackaged Sample
Accelerometer’s events interval (sec)
3
DroidBox
DroidScope
TaintDroid
Andrubis
SandDroid
ApkScan
VisualThreat
Tracedroid
CopperDroid
ApkAnalyzer
ForeSafe
M. Sandbox
BTdetectH Heuristic Effectiveness
bu
ild
7
7
7
7
7
7
7
JNI NS
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
JNI NS
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
JNI NS
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
3
3
7
7
7
7
7
JNI NS
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
JNI NS
3: resilient, 7: vulnerable, JNI NS : lack of support for JNI
JNI NS
7
JNI NS
7
7
JNI NS
7
7
7
JNI NS
7
JNI NS
Countermeasures
1
Device
Emulator
0.4
Emulator Modifications
I Realistic Sensor Event Simulation
I Accurate Binary Translation
I Hardware-Assisted Virtualization
I Hybrid Application Execution
0.2
References
0.8
CDF
3
7
7
3
3
3
7
7
7
3
7
3
ne
tH
ac
ce
lH
m
ag
nF
H
ro
tV
ec
H
pr
ox
im
H
gy
ro
sH
B
T
de
te
ct
H
xF
lo
w
H
Cases where native code runs
differently
I Identifying QEMU
scheduling (BTdetectH)
I Identifying QEMU caching
behavior (xFlowH)
BTdetectH [1]
I QEMU optimization: Virtual PC is
updated only after branch
I Device: Various scheduling points
I Emulator: A unique scheduling point
xFlowH
I QEMU does not emulate the ARM
split cache
id
H
Hypervisor Heuristics
H
Evasion Results
I
0.6
0
0
5
10
15
20
25
30
35
Scheduling point (basic block offset)
Due to optimizations many of the scheduling events that can take place are
not exhibited on an emulated environment.
This work was supported in part by the FP7 projects NECOMA, OPTET, SysSec and by the
FP7-PEOPLE-2010-IOF project XHUNTER, funded by the European Commission under
Grant Agreements No. 608533, No. 317631, No. 254116 and No. 273765.
[1] Felix Matenaar and Patrick Schulz.
Detecting Android Sandboxes.
http://www.dexlabs.org/blog/btdetect.
[2] Vaibhav Rastogi, Yan Chen, and Xuxian Jiang.
Droidchameleon: evaluating android anti-malware against transformation attacks.
In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and
communications security, ASIA CCS, 2013.