Common Weaknesses of Android Malware Analysis Frameworks

June 16, 2015

This paper was written as part of the conference seminar "IT Security", which was organized by the Chair for IT Security Infrastructures (Prof. Dr. F. Freiling) at the University of Erlangen-Nuremberg during the summer term 2015.

My paper was honoured with the Best Paper Award at the end of the seminar.

View the paper as PDF here: Paper

View the German presentation here: Presentation


To evade the anti-malware products of different vendors, Android malware authors look for ways to gain information about the execution environment of their applications. So-called split-personality malware loads additional code at runtime to prevent detection by offline code analysis, e.g. the Google Bouncer. To evade detection at runtime, it first behaves like a normal app and analyzes its environment. If an analysis environment can be excluded, the app loads and executes the malicious code. To prevent such analysis by malware, an Android sandbox seeks to simulate a real smartphone as closely as possible and to leave minimal traces of the virtualization. In previous work, different Android sandboxes were fingerprinted to detect the analysis environment. In this paper we build on these findings to present and categorize different weaknesses of Android malware analysis frameworks. With that knowledge it is possible to improve Android sandboxes so that they trick e.g. split-personality applications into executing their malicious code, and thus detect them.