Research article (Public Access). DOI: 10.1145/2818000.2818036

BareDroid: Large-Scale Analysis of Android Apps on Real Devices

Published: 07 December 2015

Abstract

To protect Android users, researchers have been analyzing unknown, potentially malicious applications with emulator-based systems such as Google's Bouncer and Andrubis. Emulators are the go-to choice because of their convenience: they scale horizontally over multiple hosts and can be reverted to a known, clean state in a matter of seconds. Emulators, however, are fundamentally different from real devices, and previous research has shown that it is possible to automatically develop heuristics to identify an emulated environment, ranging from simple flag checks and unrealistic sensor input to fingerprinting the hypervisor's handling of basic blocks of instructions. Aware of this, malware authors are starting to exploit this fundamental weakness to evade current detection systems. Unfortunately, analyzing apps directly on bare metal at scale has so far been unfeasible, because the time needed to restore a device to a clean snapshot is prohibitive: with the same budget, one can analyze an order of magnitude fewer apps on a physical device than on an emulator.
In this paper, we propose BareDroid, a system that makes bare-metal analysis of Android apps feasible by quickly restoring real devices to a clean snapshot. We show that BareDroid is not detected as an emulated analysis environment by emulator-aware malware or by heuristics from prior research, which allows BareDroid to observe more potentially malicious activity generated by apps. Moreover, we provide a cost analysis showing that replacing emulators with BareDroid requires a financial investment of less than twice the cost of the servers that would be running the emulators. Finally, we release BareDroid as an open source project, in the hope that it will be useful to other researchers for strengthening their analysis systems.


Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015, 489 pages
ISBN: 9781450336826
DOI: 10.1145/2818000
In cooperation with ACSA: Applied Computing Security Association
Publisher: Association for Computing Machinery, New York, NY, United States

      Publication History

      Published: 07 December 2015

      Permissions

      Request permissions for this article.

      Check for updates

Author Tags

1. Android
2. Bare-metal Analysis
3. Evasive Malware

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Funding Sources

Conference

ACSAC 2015. Overall acceptance rate: 104 of 497 submissions, 21%

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)123
      • Downloads (Last 6 weeks)15
      Reflects downloads up to 03 Jan 2025

      Other Metrics

      Citations

      Cited By

      View all

      View Options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Login options

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media