International Journal of Engineering and Management Research e-ISSN: 2250-0758 | p-ISSN: 2394-6962

Volume-12, Issue-6, (December 2022)


www.ijemr.net https://doi.org/10.31033/ijemr.12.6.9

Malware Sandbox Evasion Techniques in Mobile Devices


Yugandharee Sankaranarayanan¹, Sarangan Ravindran², Suhail Ahamed³ and Kajanthan Balendraraja⁴
¹ ² ³ ⁴ Faculty of Computing, Cyber Security, SLIIT, Colombo, SRI LANKA
¹ Corresponding Author: it19017884@my.sliit.lk

ABSTRACT

The mobile platform is where it's at. There are currently very few professionals who dispute this view. Because of the rapidly increasing number of smartphones and other devices powered by the Android operating system all over the world, there has been a corresponding surge in the number of mobile apps, particularly harmful mobile apps. This form of malware is very new, but it is rapidly changing, and it brings hazards that have not been seen before. As a part of Check Point's ongoing efforts against the rising tide of mobile dangers, we, the Malware Research Team, want to learn as much as we can about the constantly shifting Android malware landscape. This requires understanding the internal operation of as many malicious apps as we can. Manual malware analysis has always been a difficult operation, taking days or even weeks to complete for each sample. Because of the amount of time it takes, the work is impracticable even for a small sample pool. Following the successful application of this strategy to mobile malware, our response is to automate as much of the analysis process as is practically possible. Idan Revivo and Ofer Caspi from Check Point's Malware Research Team were tasked with developing a system that would take an application and produce a report describing exactly what it does when it is run, specifically pointing out anything "fishy." This would enable us to perform an initial analysis with no human intervention, which is exactly what they have done. The popular CuckooDroid sandbox and a few other open-source projects form the basis of this automated, cross-platform emulation and analysis framework, which allows for static and dynamic APK inspection in addition to evading some VM-detection techniques, encryption key extraction, SSL inspection, API call tracing, basic behavioral signatures, and more. It is easy to make changes and add new features to the framework, and it draws heavily on the expertise of the current Cuckoo community.

Keywords-- Malware, Android, Sandbox, Security, Mobile

I. INTRODUCTION

Hackers are employing the latest technology to overcome defenses, making cyber assaults more challenging by the day. After all, the only thing that counts to a virus creator is that the product remains undetectable. Whenever malware comes into contact with protective and analysis engines, such as a sandbox and an anti-virus, it must be kept hidden and unobtrusive at first. A sandbox is a network-based segregated workspace that simulates end-user operating models. Sandboxes are used to execute suspect programs without putting the host device or network at risk. Using a sandbox for sophisticated malware detection adds another layer of defense against emerging security threats, such as zero-day malware and subtle attacks. And what happens in the sandbox stays in the sandbox, preventing malfunctions and the propagation of software flaws. Sandboxes are divided into several types, including applets, jails, and virtual machines that run a guest operating system with restricted or rule-based access to system applications. Application sandboxes are the most common of these, as they allow dangerous applications to operate in a separate operating system without harming the host operating system. For the running and testing of malware binaries, there are various online and standalone sandboxes available. Anubis, Cuckoo, Malwr, ThreatExpert, Comodo Instant Malware Analysis, Joe Sandbox, FireEye Malware Analysis (AX Series), and TrendMicro Dynamic Threat Analysis System are just a few of the famous ones. In the future, sandbox-evading malware is expected to become a common and powerful tool in the hands of hacktivists, whereas ransomware and zero-day exploits were considered the big threats of the past decade. When considering mobile devices, there are fewer detection practices for finding malware than there are for computers. Built-in malware identification systems in Android devices lack performance and precision, and they are poor at identifying exploit APKs and URLs that violate data-privacy mechanisms by harvesting more user data than the required threshold. In this research, we are focusing on finding ways to use malware sandbox evasion techniques to detect malware for Android mobile devices.

This work is licensed under Creative Commons Attribution 4.0 International License.

II. BACKGROUND AND LITERATURE SURVEY

A. Sandbox
Sandboxes are designed to test for malware. Applications can run in sandboxes, which are closed environments, under close supervision. They enable defenders to check both known malware and unknown software for dangerous behavior in order to develop behavioral signatures for use in anti-malware systems. In order to confine the undesirable consequences of potentially dangerous programs, these systems might be physical devices (sometimes referred to as "bare-metal sandboxes") with restricted network capabilities. Virtual machines and other system emulators, however, offer a scalable platform for building malware sandboxes because of the enormous quantity of program executables that have to be analyzed.
As already said, the Android platform has a greater market share; the "Google Play Store," the major application marketplace on Android, has almost 3 million applications accessible for download, and that figure is growing every day [1]. It is hard to manually analyze each app in light of the enormous surge of new ones. Malware sandboxes are used by application marketplaces and security companies to automate the detection and removal of dangerous apps from the environment.

B. CuckooDroid
CuckooDroid is a feature of Cuckoo Sandbox, an open-source program for automatically analyzing malware dynamically. It makes it possible for Cuckoo to run and examine Android applications.
CuckooDroid has two major components: a "host" and a "guest." The architecture of CuckooDroid is shown in Figure 1.

Figure 1: CuckooDroid Architecture

The Android emulator is managed by Cuckoo Sandbox, which also creates a report at the end of the analysis. The application is executed by the Android Emulator, which then gathers data from it and reports it to Cuckoo Sandbox. The description of a few of the major components in Figure 1 is provided above.

C. Malware
One-third of mobile devices are at medium to high risk of data exposure, and Android smartphones are roughly twice as likely as iOS devices to contain malware. In this part, we will discuss some of the most common mobile malware.
Trojans
A Trojan is a piece of software that seems to the user to be a harmless program but executes dangerous operations in the background. Trojans are employed to aid in the assault on a system by executing actions that may weaken the system's security, allowing for easy hacking. FakeNetflix is an example of a Trojan that harvests user credentials for Netflix accounts in Android settings. The Trojan KeyRaider was used to steal Apple IDs and passwords.
Root exploits - back doors
Backdoors employ root access to hide malware from antivirus software. Rage Against The Cage (RATC) is a common Android root hack that allows complete device control. If the root exploit achieves root power, the malware can conduct any activity on the device, including the installation of programs while the user is unaware. Xagent is an iOS Trojan that opens a back door and grabs data from the attacked device.
Ransomware
Ransomware restricts users' access to their data by locking the device or encrypting the data files until the ransom is paid. Fake Defender is malware that masquerades as Avast antivirus. For the purpose of money, it locks the victim's device. In 2017, hackers exploited a Safari weakness used for pop-ups to create an iOS malware.
Botnets
A "bot" is a sort of malware that allows an attacker to take control of an infected mobile device. They are part of a network of infected computers known as a "botnet," which is generally made up of all victim mobile devices worldwide. Geinimi is a botnet for Android.
Spyware
Spying software is what spyware is. It runs in the background undetected while collecting data or providing remote access to its author. Android malware such as Nickspy and GPSSpy observes the user's sensitive information and sends it to the owner. Passrobber is an example of iOS spyware since it is capable of intercepting outbound SSL traffic, checking for Apple IDs and passwords, and sending these stolen credentials to a command-and-control server.

Figure 2: Android malware and PUA amount

D. Malware Evasion Techniques
In their 2016 results, Kaspersky Labs claimed that malware developers explored new methods to circumvent Android security systems. To evade discovery, malware authors must continually analyze mobile security solutions and develop new ways. These are known as evasion strategies, and they are detailed below.
Anti-security techniques
These strategies are used to prevent detection by security devices and applications such as anti-malware, firewalls, and other environmental protection measures.
Anti-sandbox techniques
Sandboxing is a technique used to segregate running applications and therefore avoid any harm to the computer system from untested apps. Anti-sandbox technology is used to identify automated analysis and to avoid reporting on malware activities. This is accomplished by recognizing registry keys, files, or processes associated with virtual environments.
Anti-analyst techniques
To avoid reverse engineering, these solutions detect monitoring tools. To monitor and detect malware, analysts may use tools such as Process Explorer or Wireshark.

E. Malware Analysis Techniques
Malware analysis for Android applications is often done in one of two ways: static analysis or dynamic analysis, or a combination of both. Static analysis examines several features without actually running the application. The manifest file needed by the application is a crucial asset that many frameworks examine. The Android Manifest contains metadata about the specific package name, utilized activities, services, broadcast receivers, and content providers. It identifies the classes that implement these elements and makes their capabilities accessible. The Android operating system uses this knowledge to determine when each component must be launched. The manifest also specifies the permissions required to access the API's protected areas. Access to particular hardware elements may be a sign of malicious activities.
Analyzing the application's byte code is another tactic. The application's possible pathways cannot be predicted because the code is not run and no variables are set. Analysts can comprehend an application's internal workings and the relationships between its code blocks with the aid of graphs [2]. With that method, suspicious API requests that access sensitive information can be found. API calls that encrypt or decrypt data or run external code are frequently used to obfuscate code, but they may also be found through static analysis [3]. Checking each type of resource file in the Android Application Package (APK) will reveal any external code. Malware frequently conceals libraries in external files that appear to be innocent in order to disguise suspicious API calls. Dalvik Executable Files (.dex files) are created when Android apps are built. String searches are possible in the disassembled .dex files. IP addresses that potentially lead to command-and-control servers or data sinks for sensitive information can be found by scanning these strings for them. Androguard, which disassembles and decompiles Dalvik byte code to Java source code, is a well-known tool for static code analysis. That static code analyzer is used by frameworks including Sanddroid, Andrubis, and Tracedroid.
In the dynamic analysis strategy, the program is run on either a virtual machine or an actual device. The analysis includes observing and analyzing the application's activity. Compared to static analysis, dynamic analysis produces a less abstract understanding of the application. Only a few of the possible code pathways are actually used during runtime. High code coverage is the fundamental objective for analysis frameworks, since all activities should be exercised in order to detect any potentially dangerous activity. According to research, code coverage for fully randomized input is 40% or below [4]. Various methods exist to keep an eye on an application's behavior depending on the data of interest. Taint tracking is one analytical method. Message flow analysis and detection of potential exploitation of private, sensitive information by third-party apps are both possible with system-wide taint propagation enabled [6]. TaintDroid is a widely used framework that employs that method. It tracks the real-time access and manipulation of user data by apps and was built into the Dalvik Virtual Machine. While the data moves through variables, files, and messages, it marks the sensitive data. But TaintDroid can only identify explicit data flow; it cannot examine implicit flow through control flow. That channel could be used to send sensitive information [5].
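The string-table search that the static-analysis paragraph describes, as an added Python example that is not part of the paper or of Androguard: it walks the string_ids table of a DEX file directly (the header offsets 0x38 and 0x3C come from the DEX format specification), then flags IPv4 addresses, URLs and the class descriptors used for loading external code and for encryption. The DEX buffer and its strings are constructed test input; the suspicious-descriptor list is an illustrative assumption, not a complete signature set.

```python
import re
import struct

# Descriptors for the API families the static-analysis text singles out:
# loading external code and encrypting/decrypting data (illustrative list).
SUSPICIOUS_DESCRIPTORS = {
    "Ldalvik/system/DexClassLoader;",  # runtime loading of external code
    "Ljava/lang/Runtime;",             # executing external commands
    "Ljavax/crypto/Cipher;",           # encrypting/decrypting payloads
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_uleb128(buf, off):
    """Decode the ULEB128 varint at buf[off]; return (value, next offset)."""
    result, shift = 0, 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7


def dex_strings(buf):
    """Return every string in a DEX file's string_ids table.

    DEX format: string_ids_size at 0x38, string_ids_off at 0x3C; each entry
    is a u32 offset to a ULEB128 UTF-16 length, MUTF-8 bytes and a NUL.
    """
    if buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", buf, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", buf, table_off + 4 * i)
        _utf16_len, start = decode_uleb128(buf, data_off)
        end = buf.index(b"\0", start)
        # MUTF-8 differs from UTF-8 only for NUL and supplementary characters.
        out.append(buf[start:end].decode("utf-8", errors="replace"))
    return out


def scan_dex(buf):
    """Triage the string table: C2-style network indicators and risky APIs."""
    ipv4, urls, apis = set(), set(), set()
    for s in dex_strings(buf):
        ipv4.update(IPV4_RE.findall(s))
        urls.update(URL_RE.findall(s))
        if s in SUSPICIOUS_DESCRIPTORS:
            apis.add(s)
    return {"ipv4": sorted(ipv4), "urls": sorted(urls), "apis": sorted(apis)}


def build_dex(strings):
    """Build a minimal DEX-shaped buffer: constructed test input, not a real APK."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    table_off = len(header)
    table, data = bytearray(), bytearray()
    for s in strings:
        table += struct.pack("<I", table_off + 4 * len(strings) + len(data))
        # Lengths below 128 fit in a single ULEB128 byte.
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header + table + data)


# Constructed sample string table; 203.0.113.7 is a documentation-only address.
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "Ldalvik/system/DexClassLoader;",
    "http://203.0.113.7/update.bin",
    "Ljavax/crypto/Cipher;",
    "Loading...",
]
```

On a real APK, read classes.dex out of the ZIP and pass its bytes to scan_dex; the same walk also works for the extra .dex files that an app may hide in its assets.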
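Section D says anti-sandbox code recognises files, processes or device properties associated with virtual environments. The following added Python example (not from the paper and not part of CuckooDroid) turns that around for the sandbox operator: it parses `adb shell getprop` output captured from the analysis emulator and reports which well-known emulator-only property values are still visible, together with the kind of value a physical device would report, so they can be masked before a sample is run. Both getprop listings are constructed; the indicator list is an illustrative assumption, not a complete one.

```python
import re

PROP_LINE_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Properties the stock Android emulator sets to values no retail handset
# reports. Each entry: property name, test on the value, what a physical
# device would show instead. Illustrative, not exhaustive.
EMULATOR_INDICATORS = [
    ("ro.kernel.qemu", lambda v: v == "1", "property absent"),
    ("ro.hardware", lambda v: v in ("goldfish", "ranchu"), "a SoC name"),
    ("ro.product.model", lambda v: "sdk" in v.lower(), "a retail model name"),
    ("ro.product.manufacturer", lambda v: v.lower() == "unknown", "a vendor name"),
    ("ro.build.fingerprint", lambda v: "generic" in v, "no 'generic' component"),
    ("ro.build.tags", lambda v: v == "test-keys", "release-keys"),
]


def parse_getprop(text):
    """Parse `adb shell getprop` output ([name]: [value] per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_emulator_profile(props):
    """Return (property, value, expected) for every indicator that fires.

    Properties missing from the listing are skipped: an absent ro.kernel.qemu
    is exactly what a physical device looks like.
    """
    findings = []
    for name, is_emulator_value, expected in EMULATOR_INDICATORS:
        value = props.get(name)
        if value is not None and is_emulator_value(value):
            findings.append((name, value, expected))
    return findings


# Constructed getprop excerpts: a stock emulator image, and a profile whose
# visible properties the operator has reset to device-like values.
STOCK_EMULATOR_GETPROP = """\
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:10/ABC/1:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.manufacturer]: [unknown]
[ro.product.model]: [Android SDK built for x86]
"""

HARDENED_GETPROP = """\
[ro.build.fingerprint]: [examplevendor/phone_x1/phone_x1:10/ABC/1:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.hardware]: [examplesoc]
[ro.product.manufacturer]: [ExampleVendor]
[ro.product.model]: [Phone X1]
"""
```

The paper's own search terms also name CPU core count, installed programs and reboot history as environment signals, so an audit like this is only a starting point and would need to be extended to cover those.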

F. Existing Android malware analysis sandboxes
When it comes to sandboxes, there are a few frameworks, sandboxes, and analytic systems already available for Android, as well as some that have been proposed. A static approach was initially employed to assess Android apps. A rudimentary system developed by Schmidt et al. utilizes the "readelf" program to extract the function calls from an Android application and compares the resulting list with the information of identified malware [6]. Another instance of the static analysis technique is "Androguard", a fully open-source system proposed by Desnos et al. In this scenario, the system decompiles the application and uses signature-based malware identification [7] [8]. It was discovered that malware authors began to develop more obfuscated code, which has demonstrated its efficacy against static analysis, indicating that static analysis alone is insufficient against advancing malware. As a result, researchers developed dynamic analysis mechanisms for Android apps. The first dynamic-analysis solution that offers real-time analysis by utilizing Android's runtime environment is "TaintDroid" by Enck et al. [5]. Lantz [9] added to this system a completely automated user emulation and reporting system that goes by the name "Droidbox". "Droidbox" is a powerful tool for analyzing Android apps; however, it doesn't have the ability to log native API calls. The very first system integrating static and dynamic analysis for the Android platform, in a very primitive manner, was the AASandbox system by Bläsing et al. [10]. Sadly, it appears that AASandbox is no longer maintained. DroidRanger is a system developed by Zhou et al. [11] that combines static and dynamic analysis. DroidRanger uses a mix of permission-based behavioral footprints to identify samples of existing well-known malware families and a heuristic-based filtering method to identify unknown harmful groups.

III. METHODOLOGY

Our first journey into the world of study involved looking through various historical records and manuscripts. Because this strategy provided us with the ability to take into account the three key obstacles that were discussed earlier, we came to the conclusion that it was the best one for us to adopt. In order for us to carry out this automated research method, we made use of the resources that were provided by IEEE, Science Direct, Research Gate, and Medline (the version that is available through PubMed). The search was limited to articles in academic periodicals and journals that were exclusively available in the English language between the years 2010 and 2022. Additionally, the works had to have been evaluated by other specialists before they were published. Throughout the course of the investigation, a number of distinct search terms, such as "Analyzing the system information like CPU core count, Digital system signature, installed programs, OS reboots and hardware components," "CuckooDroid Sandbox status research papers," "Sandbox mobile application testing," "Android applications malware detection," and "Mobile applications malware testing," were utilized; these terms were all chosen by us for the purpose of finding the research papers. In addition, the reference lists of studies that were included because they satisfied the criteria for inclusion were combed through in order to look for prospective research that might fit those criteria and be added. As a result of our investigation, we were made aware of a hole in the research, and we proposed that it be filled by improving the testing of mobile applications through the CuckooDroid Sandbox, in relation to the malware detection system analyzed and developed by us. This realization came about as a direct result of our having discovered the hole in the research. The realization that there was a gap in our knowledge initially sparked the thought that we should do this. It is necessary to carry out these steps in order for the gap to be filled.
As the second step, to examine and test Android applications, the CuckooDroid sandbox first has to be installed. There are three options for installing this sandbox: Android on a Linux machine, the Android Emulator, and an Android device (cross-platform). We installed it using the first approach. The data, which consists of Android application files, was gathered from online sources. We obtained around 30 samples from web surfing, and we also obtained about 3000 samples from the Canadian Institute for Cyber Security [12] by reading various study articles. Even though we obtained many samples, we were unable to test them all, since CuckooDroid only supports Android 4.1.2 and most of our samples could not be installed on the emulator due to the outdated SDK version.

IV. RESULTS AND DISCUSSION

Obad.A and EvadeMe were the primary two applications we concentrated on. The older SDK version problem prohibits the EvadeMe application from being


deployed and tested in the CuckooDroid environment. However, a VirusTotal scan was also unable to identify the EvadeMe program as malicious.

Figure 4: VirusTotal Report of EvadeMe

Using the dex2jar tool, we converted the EvadeMe app into a jar file and used a Java decompiler to examine it. The MainActivityKt class in that application has various methods for retrieving device information that may be used to verify the environment.

Figure 5: Snapshot of EvadeMe decompilation

CuckooDroid examined the "Obad.A" application and generated a report. The report includes information on permissions, signatures, fingerprints, and other facts, but the issue is that CuckooDroid's report does not state whether the sample is malware or not, unlike other analysis reports. Although it employs the colors green and red, it is difficult to determine whether the app is harmful based on those hues alone.
The testing results show that CuckooDroid has excellent capabilities to deal with dynamically developing malware, but it relies on out-of-date "VirusTotal" and "Malware Cookbook" information, making it unable to identify newly evolving malware. Additionally, identifying malware will become more important in the future, so CuckooDroid's malware detection features, which may be used to find more advanced malware in Android applications, should be enhanced.

V. CONCLUSION & FUTURE WORK

Due to Android's status as the leading mobile operating system for smartphones, it has attracted the attention of researchers and malicious software developers alike. Despite the many proposed malware analysis methods, the number of malicious apps specifically developed to harm Android devices is growing at an alarming rate. Technologies like sandboxing are available for the detection of such sophisticated malware, but modern malware will nearly always try to detect and circumvent a sandbox if one is present. When an application learns it is running in a sandbox, it may opt to avoid doing anything that could get it into trouble, such as deleting itself from disk, terminating, or using some other evasion technique. In this research, we analyzed CuckooDroid, an Android malware detection tool that has several features, and the ways to improve it to recognize dynamically changing malware. Future work will test out simulated user behavior in sandbox environments and fake networks, change the information about various system artifacts that is shared when malware requests it so that CuckooDroid presents itself to the malware as a real environment, and also improve the CuckooDroid malware detection signatures that are already in place.

ACKNOWLEDGMENT

This research was supported by the authority of Sri Lanka Institute of Information Technology (SLIIT), and we would like to express our gratitude towards them.


REFERENCES

[1] Kondracki, Brian, et al. (2022). The droid is in the details: Environment-aware evasion of android sandboxes. Proc. Network and Distributed Systems Security Symposium (NDSS).
[2] Johannes Hoffmann. (2014). From mobile to security. PhD Thesis, Ruhr-Universität Bochum.
[3] Arp, Daniel, et al. (2014). Drebin: Effective and explainable detection of android malware in your pocket. NDSS, 14.
[4] Gilbert, Peter, et al. (2011). Automating privacy testing of smartphone applications. Technical Report CS-2011-02.
[5] Enck, William, et al. (2014). TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS), 32(2), 1-29.
[6] Schmidt, A-D., et al. (2009). Static analysis of executables for collaborative malware detection on android. IEEE International Conference on Communications.
[7] Lilicoding, "Lilicoding/SA3Repo: A repository of peer-reviewed publications in the field of static analysis of Android apps," GitHub. [Online]. Available at: https://github.com/lilicoding/SA3Repo. [Accessed: 18-May-2022].
[8] Desnos, Anthony & Geoffroy Gueguen. (2011). Android: From reversing to decompilation. Proc. of Black Hat Abu Dhabi, 1.
[9] "Droidbox – Android Application Sandbox," The Honeynet Project. [Online]. Available at: https://www.honeynet.org/projects/active/droidbox/. [Accessed: 12-Jun-2022].
[10] Bläsing, Thomas, et al. (2010). An android application sandbox system for suspicious software detection. 5th International Conference on Malicious and Unwanted Software. IEEE.
[11] Zhou, Yajin, et al. (2012). Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. NDSS, 25(4).
[12] "MalDroid. (2020). Datasets | Research | Canadian Institute for Cybersecurity | UNB," www.unb.ca. [Online]. Available: https://www.unb.ca/cic/datasets/maldroid-2020.html.
