Dynamic Analysis Scheme of Android Malware Based on Sandbox

doi:10.3969/j.issn.1671-1122.2014.12.005

Abstract

Abstract: The popularity of smart phones have greatly stimulated the spread of malicious software, because of its huge market share and revenue characteristics, the Android platform has become the preferred target of attackers. Since the traditional signature-based antivirus software can effectively detect known malicious software, the unknown malware is powerless. In this paper, we proposed a novel dynamic analysis scheme of Android malware based on sandbox, which is used to analyze unknown malware effectively. The scheme implements the Android sandbox by installing Android x86 virtual machine in the virtualization software Oracle VM VirtualBox, while using a command-line tool provide by VirtualBox to control the Android sandbox. The Android application performs the corresponding action by calling the appropriate API. We determine the behavioral characteristics by monitoring the API information called by Android application. We make the Android application to run automatically by inserting monitoring codes in the application package and transmit different user flow of events to simulate real operations of users on the application. Experiments show that the proposed scheme is feasible.

Key words: Android, malware, sandbox, dynamic analysis

CLC Number:

TP309

ZHAO Yang, HU Long, XIONG Hu, QIN Zhi-guang. Dynamic Analysis Scheme of Android Malware Based on Sandbox[J]. 信息网络安全, 2014, 14(12): 21-26.

References

[1] Strategy Analytics. Android Captured 79% Share of Global Smartphone Shipments in 2013[EB/OL]. http://blogs.strategyanalytics.com/WSS/post/2014/01/29/Android-Captured-79-Share-of-Global-Smartphone-Shipments-in-2013.aspx, 2014-02-06.
[2] CASTILLO C A. Android malware past, present, and future[EB/OL]. http://www.mcafee.com/us/resources/white-papers/wp-android-malware-past-present-future.pdf 2011.
[3] DINI G, MARTINELLI F, SARACINO A, et al. Madam: a multi-level anomaly detector for android malware[M]. Springer Berlin Heidelberg, 2012: 240-253.
[4] SAHS J, KHAN L. Amachine learning approach to Android malware detection[C]//Intelligence and Security Informatics Conference (EISIC), 2012 European. IEEE, 2012: 141-147.
[5] Anthony Desnos. Androguard[EB/OL]. https://code.google.com/p/androguard, 2014-04-06.
[6] CHANG C C, LIN C J. LIBSVM: a library for support vector machines[J]. ACM Transactions on Intelligent Systems and Technology (TIST), 2011, 2(03): 27.
[7] PEDREGOSA F, VAROQUAUX G, GRAMFORT A, et al. Scikit-learn: Machine learning in Python[J]. The Journal of Machine Learning Research, 2011, 12(10): 2825-2830.
[8] CHRISTODOTESCU M, JHA S. Static analysis of executables to detect malicious patterns[R]. WISCONSIN UNIV-MADISON DEPT OF COMPUTER SCIENCES, 2006.
[9] LO R W, LEBITT K N, OLSSON R A. MCF: A malicious code filter[J]. Computers & Security, 1995, 14(6): 541-566.
[10] ZHOU Y, JIANG X. Dissecting android malware: Characterization and evolution[C]//Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012: 95-109.
[11] BURGUERA I, ZURUTUZA U, NADJM T S. Crowdroid: behavior-based malware detection system for android[C]//Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices. ACM, 2011: 15-26.
[12] GRACE M, ZHOU Y, ZHANG Q, et al. Riskranker: scalable and accurate zero-day android malware detection[C]//Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM, 2012: 281-294.
[13] JANA S, PORTER D E, SHMATIKOV V. TxBox: Building secure, efficient sandboxes with system transactions[C]//IEEE Symposium onSecurity and Privacy (SP), 2011: 329-344.
[14] 王马龙,胡晓勤,王琳,等. Android智能手机用户场景信息防泄漏系统的研究与实现[J]. 信息网络安全,2013,（2）：35-37.
[15] 林佳华,任伟,贾磊雷. Android手机隐私保护系统的设计与实现[J]. 信息网络安全,2013,（7）：16-19.
[16] Sandbox[EB/OL]. http://en.wikipedia.org/wiki/Sandbox(computer_security), 2014-04-07.
[17] Android-x86 Project - Run Android on Your PC[EB/OL]. http://www.android-x86.org/, 2014-05-17.
[18] Oracle V M. VirtualBox user manual[EB/OL]. http.//down-load. virtualbos, org/virtualbox/UserManual.pdf, 2014-05-14.
[19] 吴乐华,孙贤鲁,孟槟. 基于 Android 手机软件认证的U盘锁系统[J]. 信息网络安全,2014,（3）：68-73.
[20] 李宇翔,林柏钢. 基于Android重打包的应用程序安全策略加固系统设计[J]. 信息网络安全,2014,（1）：43-47.
[21] droidbox[EB/OL]. https://code.google.com/p/droidbox/, 2014-05-17.
[22] 高岳,胡爱群. 基于权限分析的Android隐私数据泄露动态检测方法[J]. 信息网络安全,2014,（2）：27-31.