Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware (EUROSEC '14)
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware
Thanasis Petsas, Giannis Voyatzis,
Elias Athanasopoulos, Sotiris Ioannidis,
Michalis Polychronakis
Android Dominates Market Share
• Smartphones have overtaken client PCs
• Android accounted for 79% of global smartphone market in 2013
Thanasis Petsas 2
[Pie chart: Q2 2013 Smartphone Market Share: Android 79.0%, iOS 14.2%, Microsoft 3.3%, Other 3.6%]
Android Malware
• 98% of all mobile threats target Android devices
[Chart: Distribution of mobile malware detected by platform – 2013]
Android specific anti-malware tools
• Static analysis tools (AV apps)
  – Identify malware through signatures
  – Usually installed by users
  – Real time protection
  – How to evade static analysis? → DroidChameleon (ASIA CCS’13)
• Dynamic analysis services
  – Used by security companies
  – Run applications on an Emulator
  – Detect suspicious behavior
  – How to evade dynamic analysis? → This work
Our Study
• A taxonomy of emulation evasion heuristics
• Evaluation of our heuristics on popular dynamic analysis services for Android
• Countermeasures
Objective: Can we effectively detect an Android emulated analysis environment?
VM Evasion Heuristics

| Category | Type | Examples |
|---|---|---|
| Static | Pre-installed static information | IMEI has a fixed value |
| Dynamic | Dynamic information does not change | Sensors always produce the same value |
| Hypervisor | VM instruction emulation | Native code runs differently |
Static Heuristics
• Device ID (IdH)
  – IMEI, IMSI
• Current build (buildH)
  – Fields: PRODUCT, MODEL, HARDWARE
• Routing table (netH)
  – virtual router address space: 10.0.2/24
  – Emulated network IP address: 10.0.2.15

| Field | Real device | Emulator |
|---|---|---|
| IMEI | 123456789012347 | null |
| MODEL | Nexus 5 | google_sdk |
| /proc/net/tcp | Ordinary network | Emulated network |

Android Pincer malware family
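Added example (not the authors' code): a self-audit a sandbox operator can run against a snapshot of their own emulator image to see which of the IdH, buildH and netH fingerprints listed above it still exposes. The snapshots are constructed, and the `sdk` / `goldfish` build strings are stock emulator defaults added as an assumption; only `google_sdk`, `10.0.2/24` and `10.0.2.15` come from the slides.

```python
"""Audit an Android analysis image for the static fingerprints the talk
groups under IdH, buildH and netH.  Added example, not the authors' code:
a sandbox operator runs it against a snapshot of their own image to see
which fingerprints a sample could still read.  Snapshots are constructed."""
import ipaddress
import struct
from typing import Dict, List

# netH values from the talk: virtual router address space and guest address.
EMULATED_NET = ipaddress.ip_network("10.0.2.0/24")
EMULATED_GUEST_IP = ipaddress.ip_address("10.0.2.15")

# buildH: the talk names the fields and shows MODEL = google_sdk; "sdk" and
# "goldfish" are stock emulator defaults added here as an assumption.
EMULATOR_BUILD_VALUES = {
    "PRODUCT": {"sdk", "google_sdk"},
    "MODEL": {"sdk", "google_sdk"},
    "HARDWARE": {"goldfish"},
}


def proc_net_addr(field: str) -> ipaddress.IPv4Address:
    """Decode the address part of a /proc/net/tcp field such as "0F02000A:D431".

    The kernel prints the IPv4 address as a little-endian 32-bit hex value,
    so 0F02000A is the byte sequence 0A 00 02 0F, i.e. 10.0.2.15."""
    ip_hex = field.split(":")[0]
    return ipaddress.IPv4Address(struct.pack("<I", int(ip_hex, 16)))


def local_addresses(proc_net_tcp: str) -> List[ipaddress.IPv4Address]:
    """Local address of every socket row in a /proc/net/tcp dump (header skipped)."""
    rows = proc_net_tcp.strip().splitlines()[1:]
    return [proc_net_addr(row.split()[1]) for row in rows if len(row.split()) > 1]


def audit_snapshot(snapshot: Dict) -> List[str]:
    """Return one finding per static fingerprint the snapshot exposes."""
    findings: List[str] = []

    # IdH: identifiers that are null, or a single repeated digit (a fixed filler value)
    for name in ("IMEI", "IMSI"):
        value = snapshot["device_ids"].get(name)
        if not value:
            findings.append(f"IdH: {name} is null")
        elif len(set(value)) == 1:
            findings.append(f"IdH: {name} is a fixed filler value {value}")

    # buildH: Build.* fields carrying emulator defaults
    for field, emulator_values in EMULATOR_BUILD_VALUES.items():
        value = snapshot["build"].get(field)
        if value in emulator_values:
            findings.append(f"buildH: Build.{field} = {value!r}")

    # netH: any socket bound inside the emulated network; the guest address is called out
    bound = {a for a in local_addresses(snapshot["proc_net_tcp"]) if a in EMULATED_NET}
    if EMULATED_GUEST_IP in bound:
        findings.append(f"netH: socket bound to emulator guest address {EMULATED_GUEST_IP}")
    elif bound:
        findings.append(f"netH: socket bound inside {EMULATED_NET}: {sorted(map(str, bound))}")
    return findings


# Constructed snapshot of a stock emulator image.
EMULATOR_SNAPSHOT = {
    "device_ids": {"IMEI": None, "IMSI": None},
    "build": {"PRODUCT": "google_sdk", "MODEL": "google_sdk", "HARDWARE": "goldfish"},
    "proc_net_tcp": """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  10016        0 5050 1
   1: 0F02000A:D431 0100007F:01BB 01 00000000:00000000 00:00000000 00000000  10016        0 5051 1
""",
}

# Constructed snapshot after the "emulator modifications" countermeasure:
# a plausible handset identity and a routable LAN address (192.168.1.23).
HARDENED_SNAPSHOT = {
    "device_ids": {"IMEI": "356938035643809", "IMSI": "310260000000000"},
    "build": {"PRODUCT": "hammerhead", "MODEL": "Nexus 5", "HARDWARE": "hammerhead"},
    "proc_net_tcp": """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1701A8C0:C8E2 5E1AD8C0:01BB 01 00000000:00000000 00:00000000 00000000  10016        0 7042 1
""",
}

if __name__ == "__main__":
    for label, snap in (("emulator", EMULATOR_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(label, audit_snapshot(snap) or ["no static fingerprints found"])
```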
Dynamic Heuristics (1/3)
Sensors:
– A key difference between mobile & conventional systems
– New opportunities for mobile device identification
– Can emulators realistically simulate device sensors?
  • Partially: same value, equal time intervals
[Figure: sensor icons: Accelerometer, Gyroscope, GPS, Gravity Sensor, Proximity Sensor, Rotation Vector, Magnetic Field]
Dynamic Heuristics (2/3)
[Plot: emulator sensor output over time. Generation of the same value at equal time intervals: 0.8 ± 0.003043]
Dynamic Heuristics (3/3)
• Sensor-based heuristics
• Android Activity that monitors sensors’ output values
• We implemented this algorithm for a variety of sensors
  – Accelerometer (accelH)
  – Magnetic field (magnFH)
  – Rotation vector (rotVecH)
  – Proximity (proximH)
  – Gyroscope (gyrosH)
Hypervisor Heuristics
• Try to identify the hosting virtual machine
• Android Emulator is based on QEMU
• Our heuristics
  – Based on QEMU’s incomplete emulation of the actual hardware
  – Identify QEMU scheduling
  – Identify QEMU execution using self-modifying code
Identify QEMU Scheduling (1/2)
• Virtual PC in QEMU
  – is updated only after the execution of a basic block (branch)
  – OS scheduling does not occur during a basic block
• QEMU Binary Translation (BT) Detection
  – Monitor scheduling addresses of a thread
    • Real Device: Various scheduling points
    • Emulator: A unique scheduling point
  – BTdetectH
Identify QEMU Scheduling (2/2)
[Figure: scheduling addresses observed for a thread. Emulator: a specific scheduling point]
ARM Architecture
[Figure: Device: Memory, separate I-Cache and D-Cache. Emulator: Memory, a single Cache]
• Self-modifying code: "new code" overwrites "old code" in memory
• Device: Caches are not coherent! The write lands in the D-Cache while the I-Cache may still hold the old code
• Android cacheflush: 1. Clean the D-Cache range 2. Invalidate the I-Cache
• After the invalidate the I-Cache misses, the new code is fetched from memory, and the code runs
• Emulator: a single Cache, so there are no separate I-/D-Caches to get out of sync
Identify QEMU execution – xFlowH
[Figure: self-modifying code snippet with cacheflush(); calls, run on a real device and on the emulator]
• with cacheflush: same behavior.
• without cacheflush: different behavior!
Implementation
• Use of Android SDK for static & dynamic heuristics
• Use of Android NDK for hypervisor heuristics
• Implementation of an Android app
  – runs the heuristics
  – sends the results to an HTTP server
• Repackaging of well known Android malware samples
  – Smali/Baksmali
  – Apktool
  – Patching the Smali Dalvik Bytecode
Evaluation: Malware Set
[Table of malware samples; not captured in the transcript]
Source: http://contagiominidump.blogspot.com/
Evaluation: Dynamic Analysis Services
• Stand-alone tools
  – DroidBox, DroidScope, TaintDroid
• Online services
  – Andrubis, SandDroid, ApkScan, Visual Threat, TraceDroid, CopperDroid, APK Analyzer, ForeSafe, Mobile SandBox
Methodology (1/2)
[Figure slide; content not captured in the transcript]
Methodology (2/2)
[Figure slide; content not captured in the transcript]
Resilience of dynamic analysis tools
[Table: services vs. heuristics, grouped by category: Static | Dynamic | Hypervisor]
• All studied services are vulnerable to 5 or more heuristics
• These tools failed to infer malicious behavior of the repackaged malware samples
• Only 1 service provides information about VM evasion attempts
Countermeasures
• Static heuristics
  – Emulator modifications
• Dynamic heuristics
  – Realistic sensor event simulation
• Hypervisor heuristics
  – Accurate binary translation
  – Hardware-assisted virtualization
  – Hybrid application execution
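Added example (not the authors' code) serving both the sensor heuristic of the Dynamic Heuristics slides (same value at equal time intervals) and the "realistic sensor event simulation" countermeasure above: a check a sandbox operator can run over a recorded sensor stream from their emulator, next to a jittered simulation that passes it. The streams and the two thresholds are constructed assumptions, not values from the slides.

```python
"""Check a recorded sensor stream for the "same value at equal time intervals"
pattern of the talk's dynamic heuristics (accelH, magnFH, rotVecH, proximH,
gyrosH), and sketch the "realistic sensor event simulation" countermeasure.
Added example, not the authors' code; all streams are constructed and the
thresholds are assumptions."""
import random
import statistics
from typing import Dict, List, Tuple

Sample = Tuple[float, float]  # (timestamp in seconds, one sensor axis value)

VALUE_EPS = 1e-6          # value spread below this: the sensor never moves (assumption)
INTERVAL_REL_STD = 0.01   # interval std/mean below 1 %: metronomic delivery (assumption)


def analyse_stream(samples: List[Sample]) -> Dict[str, object]:
    """Flag the two emulator traits the talk describes and combine them."""
    if len(samples) < 3:
        raise ValueError("need at least three samples to judge intervals")
    values = [v for _, v in samples]
    intervals = [later[0] - earlier[0] for earlier, later in zip(samples, samples[1:])]
    mean_dt = statistics.fmean(intervals)
    constant_value = max(values) - min(values) < VALUE_EPS
    regular_intervals = statistics.pstdev(intervals) / mean_dt < INTERVAL_REL_STD
    return {
        "constant_value": constant_value,
        "regular_intervals": regular_intervals,
        "mean_interval_s": mean_dt,
        # both traits together are the signature an evasive sample looks for
        "emulated": constant_value and regular_intervals,
    }


def emulator_like_stream(n: int = 50, value: float = 0.8, period: float = 0.2) -> List[Sample]:
    """Constructed stream in the style the talk plots: identical value, fixed period."""
    return [(i * period, value) for i in range(n)]


def realistic_stream(n: int = 50, rest_value: float = 9.81, period: float = 0.2,
                     seed: int = 7) -> List[Sample]:
    """Countermeasure sketch: even a device lying still reports sensor noise,
    and events arrive with scheduling jitter.  Seeded so runs are repeatable."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        out.append((t, rest_value + rng.gauss(0.0, 0.02)))   # small Gaussian noise on the value
        t += max(period + rng.gauss(0.0, 0.01), period / 2)  # jitter on the delivery gap
    return out


if __name__ == "__main__":
    for label, stream in (("emulator-like", emulator_like_stream()),
                          ("realistic", realistic_stream())):
        print(label, analyse_stream(stream))
```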
Summary
• Evaluation of VM evasion against 12 Android dynamic analysis tools
• Only half of the services detected our most trivial heuristics
• No service was resilient to our dynamic and hypervisor heuristics
• Majority of the services failed to detect repackaged malware
• Only 1 service
  – reported VM evasion attempts
  – was resilient to all our static heuristics
Thank you!
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware
Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis
{petsas, jvoyatz, elathan, sotiris}@ics.forth.gr
Michalis Polychronakis