Christoph Dietzel successfully defended his Master's thesis on Tuesday, May 6th 2014, after working with da/sec and Siemens CERT in the period from October 2013 to April 2014.
Smartphones are an integral part of our daily routine. With Android being the most widely used mobile operating system, cyber criminals have naturally extended their malicious activities towards it. Security analysts recognized an alarming increase in Android malware families of 390% from 2012 to 2013.
The major challenge in analyzing this massive number of malware samples is the growing use of obfuscation techniques that disguise the malicious portions of the source code from analysts. Sandboxes are able to overcome obfuscation by executing malware within an isolated environment and observing its behavior. Unfortunately, sophisticated malware can determine that it is running within an analysis environment and dynamically adapt its behavior so that it is classified as benign.
To overcome this limitation, we extend the Android application sandbox DroidBox to be more resilient against detection techniques and, in addition, to be compatible with up-to-date Android applications. The thesis is therefore divided into two, not directly related, challenges. First, we verified the correct operation of DroidBox 4.1 and used it as the base for our subsequent port to the most recent version of Android. In doing so, we semi-automated the porting procedure to aid further development. Second, we investigate the defense strategies applied by Android malware to thwart dynamic analysis. A taxonomy is developed and used to cluster a large number of practically applicable sandbox evasion techniques. Finally, we propose anti-detection measures aligned with the taxonomy and successfully counter all of the evasion techniques introduced. Consequently, from the malware's point of view, our extension of DroidBox is indistinguishable from a real device.
We demonstrate that our sandbox detection methods are effective against all existing online sandboxes, and that the improved version of DroidBox puts defenders a step ahead by assisting analysts in combating evasive mobile malware. Ultimately, it is integrated into the online analysis service Mobile-Sandbox.