Top

Published in:

2021 | OriginalPaper | Chapter

Emulation Versus Instrumentation for Android Malware Detection

Authors : Anukriti Sinha, Fabio Di Troia, Philip Heller, Mark Stamp

Published in: Digital Forensic Investigation of Internet of Things (IoT) Devices

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In resource constrained devices, malware detection is typically based on offline analysis using emulation. An alternative to such emulation is malware analysis based on code that is executed on an actual device. In this research, we collect features from a corpus of Android malware using both emulation and on-phone instrumentation. We train machine learning models using the emulator-based features and we train models on features collected via instrumentation, and we compare the results obtained in these two cases. We obtain strong detection and classification results, and our results improve slightly on previous work. Consistent with previous work, we find that emulation fails for a significant percentage of malware applications. However, we also find that emulation fails to extract useful features from an even larger percentage of benign applications. We show that for applications that are amenable to emulation, malware detection and classification rates based on emulation are consistently within 1% of those obtained using more intrusive and costly on-phone analysis. We also show that emulation failures are easily explainable and appear to have little to do with malware writers employing anti-emulation techniques, contrary to claims made in previous research. Among other contributions, this work points to a lack of sophistication in Android malware.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

next chapter Towards a Generic Approach of Quantifying Evidence Volatility in Resource Constrained Devices

Based on our experiments, it appears that the authors of [2] consistently used the Weka default settings for their machine learning experiments.

Alzaylaee MK, Yerima SY, Sezer S (2016) DynaLog: an automated dynamic analysis framework for characterizing Android applications. In: 2016 international conference on cyber security and protection of digital services, Cyber Security 2016, pp 1–8. arXiv:1607.08166

Alzaylaee MK, Yerima SY, Sezer S (2017) EMULATOR vs REAL PHONE: Android malware detection using machine learning. In: Proceedings of the 3rd ACM on international workshop on security and privacy analytics, IWSPA ’17, pp 65–72

Amos B, Turner HA, White J (2013) Applying machine learning classifiers to dynamic Android malware detection at scale. In: 9th international wireless communications and mobile computing conference, IWCMC 2013, pp 1666–1671

Aycock J (2006) Computer viruses and malware. Advances in information security. Springer US

Continella A, Fratantonio Y, Lindorfer M, Puccetti A, Zand A, Krügel C, Vigna G (2017) Obfuscation-resilient privacy leak detection for mobile apps through differential analysis. In: 24th annual network and distributed system security symposium, NDSS, 2017. http://www.s3.eurecom.fr/~yanick/publications/2017_ndss_agrigento.pdf

Coogan K, Debray S, Kaochar T, Townsend G (2009) Automatic static unpacking of malware binaries. In: 16th working conference on reverse engineering, WCRE 2009, pp 167–176

Damodaran A, Di Troia F, Visaggio CA, Austin TH, Stamp M (2017) A comparison of static, dynamic, and hybrid analysis for malware detection. J Comput Virol Hacking Tech 13(1):1–12CrossRef

The Drebin dataset. https://www.sec.cs.tu-bs.de/~danarp/drebin/

DroidBox Google archive. https://code.google.com/archive/p/droidbox/

10.

Duan Y, Zhang M, Bhaskar AV, Yin H, Pan X, Li T, Wang X, Wang X (2018) Things you may not know about Android (un) packers: a systematic study based on whole-system emulation. In: 25th annual network and distributed system security symposium, NDSS, pp 18–21. https://www.informatics.indiana.edu/xw7/papers/ndss18-paper296.pdf

11.

Feizollah A, Anuar NB, Salleh R, Suarez-Tangil G, Furnell S (2017) AndroDialysis: analysis of Android intent effectiveness in malware detection. Comput Secur 65:121–134. http://www0.cs.ucl.ac.uk/staff/G.SuarezdeTangil/papers/2017cosec-androdialysis.pdf

12.

Fratantonio Y, Bianchi A, Robertson W, Kirda E, Kruegel C, Vigna G (2016) Triggerscope: towards detecting logic bombs in Android applications. In: 2016 IEEE symposium on security and privacy, SP 2016, pp 377–396. https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_Triggerscope.pdf

13.

Global smartphone shipments by OS. https://www.statista.com/statistics/263437/global-smartphone-sales-to-end-users-since-2007/

14.

Intents and intent filters: Android developers guide. https://developer.android.com/guide/components/intents-filters

15.

Jing Y, Zhao Z, Ahn G-J, Hu H (2014) Morpheus: automatically generating heuristics to detect Android emulators. In: Proceedings of the 30th annual computer security applications conference, ACSAC ’14, pp 216–225,

16.

Kang H, Jang J, Mohaisen A (2015) Kim HK (2015) Detecting and classifying Android malware using static analysis along with creator information. Int J Distrib Sens Netw 7(1–7):9

17.

Kapratwar A, Di Troia F, Stamp M (2017) Static and dynamic analysis of Android malware. In: Mori P, Furnell S, Camp O (eds) Proceedings of the 3rd international conference on information systems security and privacy, ICISSP 2017, Porto, Portugal. SciTePress, pp 653–662, 19–21 Feb 2017

18.

Lindorfer M, Neugschwandtner M, Platzer C (2015) MARVIN: efficient and comprehensive mobile app classification through static and dynamic analysis. In: IEEE 39th annual computer software and applications conference, COMPSAC 2015, pp 422–433

19.

Lindorfer M, Neugschwandtner M, Weichselbaum L, Fratantonio Y, van der Veen V, Platzer C (2014) Andrubis–1,000,000 apps later: a view on current Android malware behaviors. In: Proceedings of the international workshop on building analysis datasets and gathering experience returns for security, BADGERS 2014, Wroclaw, Poland, Sept 2014

20.

McAfee threats report 2017. https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2017.pdf

21.

NVISO Apkscan. https://apkscan.nviso.be/

22.

Petsas T, Voyatzis G, Athanasopoulos E, Polychronakis M, Ioannidis S (2014) Rage against the virtual machine: hindering dynamic analysis of Android malware. In: Proceedings of the seventh European workshop on system security, EuroSec ’14, pp 5:1–5:6

23.

Pincer Android attacks. https://www.fsecure.com/weblog/archives/00002538.html

24.

Raghavan A, Di Troia F, Stamp M (2019) Hidden Markov models with random restarts versus boosting for malware detection. J Comput Virol Hacking Tech 15(2):97–107CrossRef

25.

Rasthofer S, Arzt S, Miltenberger M, Bodden E (2016) Harvesting runtime values in Android applications that feature anti-analysis techniques. In: 23rd annual network and distributed system security symposium, NDSS, 2016. https://www.bodden.de/pubs/ssme16harvesting.pdf

26.

Rastogi V, Chen Y, Enck W (2013) AppsPlayground: automatic security analysis of smartphone applications. In: Proceedings of the third ACM conference on data and application security and privacy, CODASPY ’13, pp 209–220

27.

SandDroid—an automatic Android application analysis system. http://sanddroid.xjtu.edu.cn/

28.

Singh T, Di Troia F, Visaggio CA, Austin TH, Stamp M (2016) Support vector machines and malware detection. J Comput Virol Hacking Tech 12(4):203–212CrossRef

29.

Smartphone OS market share worldwide 2009–2017. https://www.statista.com/statistics/263453/global-market-share-held-by-smartphone-operating-systems

30.

Stamp M (2017) Introduction to machine learning with applications in information security. Chapman and Hall/CRC, Boca RatonCrossRef

31.

Sun M, Wei T, Lui JC (2016) TaintART: a practical multi-level information-flow tracking system for Android runtime. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, CCS ’16, pp 331–342. https://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/CCS16.pdf

32.

Tam K, Khan SJ, Fattori A, Cavallaro L (2015) CopperDroid: automatic reconstruction of Android malware behaviors. In: NDSS symposium, NDSS 2015, pp 8–11

33.

Tracedroid. https://github.com/ligi/tracedroid

34.

Vidas T, Christin N (2014) Evading Android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM symposium on information, computer and communications security, ASIA CCS ’14, pp 447–458

35.

Weichselbaum L, Neugschwandtner M, Lindorfer M, Fratantonio Y, van der Veen V, Platzer C (2014) Andrubis: Android malware under the magnifying glass. Technical Report TR-ISECLAB-0414-001, Vienna Univeristy of Technology, 5

36.

Weka 3: machine learning software in Java. https://www.cs.waikato.ac.nz/ml/weka/index.html

37.

Yan L-K, Yin H (2012) DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. In: USENIX security symposium, USENIX 2012, pp 569–584. http://www.cs.columbia.edu/~lierranli/coms6998-11Fall2012/papers/droidscope_usenixsec2012.pdf

38.

Zhou Y, Jiang X (2012) Android malware genome project. http://www.malgenomeproject.org

Title: Emulation Versus Instrumentation for Android Malware Detection
Authors: Anukriti Sinha
Fabio Di Troia
Philip Heller
Mark Stamp
Publisher: Springer International Publishing
Book: Digital Forensic Investigation of Internet of Things (IoT) Devices
Print ISBN: 978-3-030-60424-0

Electronic ISBN: 978-3-030-60425-7

Copyright Year: 2021
DOI: https://doi.org/10.1007/978-3-030-60425-7_1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner