DOI: 10.1145/3634737.3637658 (ACM Conferences, ASIA CCS conference proceedings)
Research article, open access

Unmasking the Veiled: A Comprehensive Analysis of Android Evasive Malware

Published: 01 July 2024

Abstract

Since Android is the most widespread operating system, malware targeting it poses a severe threat to the security and privacy of millions of users and is increasing from year to year. The response from the community was swift, and many researchers have ventured to defend this system. In this cat-and-mouse game, attackers pay special attention to flying under the radar of analysis tools, and the techniques they use to determine whether their app is under analysis have become more and more sophisticated. Moreover, these evasive techniques are also adopted by benign apps to deter reverse engineering, making the phenomenon pervasive in the Android app ecosystem.
While the scientific literature has proposed many evasive techniques and investigated their impact, one aspect still needs to be studied: how, and to what extent, Android apps, both malware and goodware, use such controls. This paper fills this gap by introducing a comprehensive taxonomy of evasive controls for the Android ecosystem and a proof-of-concept app that implements them all. We release the app as open source to help researchers and practitioners assess whether their app analysis systems are sufficiently resilient to known evasion techniques. We also propose DroidDungeon, a novel probe-based sandbox that circumvents evasive techniques thanks to a substantial engineering effort, making the apps under analysis believe they are running on an actual device. To the best of our knowledge, DroidDungeon is currently the only solution providing anti-evasion capabilities, maintainability, and scalability at once.
Using our sandbox, we studied evasive controls in both benign and malicious Android apps, revealing insights about their purpose, their differences, and the relationships between evasive controls and packers/protectors. Finally, we analyzed how the execution of an app differs depending on the presence or absence of evasive countermeasures. Our main finding is that 14% of malicious and 4% of benign samples refrain from running in an analysis environment that does not correctly mitigate evasive controls.


Publication Information

Published in: ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, July 2024, 1987 pages. ISBN: 9798400704826. DOI: 10.1145/3634737.
License: This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs International 4.0 License.
Publisher: Association for Computing Machinery, New York, NY, United States
Published: 01 July 2024
Qualifier: Research-article
Conference: ASIA CCS '24. Overall acceptance rate: 418 of 2,322 submissions, 18%.

Author Tags

  1. Android security
  2. Android sandbox
  3. Android evasive malware