Hi there, my name is Li Yuanchun and I’m glad to introduce DroidBot, a tool to improve the coverage of dynamic analysis.
As it is the case for malware targeting the desktop, static and dynamic analysis are also used for detection of Android malware. However, existing static analysis tools such as FlowDroid or DroidSafe lack accuracy because of specific characteristics of the Android framework like ICC (Inter-Component Communication), dynamic loading, alias, etc.
I’m announcing the new features of Android dynamic analysis tool DroidBox as GSoC 2012 approaches the end. In this release, I would like to introduce two parts of my work: DroidBox porting and APIMonitor.
DroidBox for Android 2.3 Based on TaintDroid 2.3, I’ve ported DroidBox to support Android 2.3 and fixed some bugs.
Download bata version: http://droidbox.googlecode.com/files/DroidBox23.tar.gz Source code repository: https://github.com/kelwin Usage is same with the previous version. You can check the project page.
Beta version is out and the install instructions are available at the project webpage. The new features are:
Prevent some emulator evasion techniques Added visualization of analysis results Automated app installation and execution Displaying analysis information about the APK Static pre-check extracts the app’s registered Intents The following figures show the new visualization added to the beta version.
Image to the left is a PoC for classifying malwares and their similarity.
The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available at the project webpage.
At the moment, the following actions are logged during runtime:
File read and write operations Cryptography API activity Opened network connections Outgoing network traffic Information leaks through the following sinks: network, file, sms Attempts to send SMS Phone calls that have been made An analysis output looks like the following sample report:
One of the very first Android malwares, Geinimi has been analyzed in the application sandbox DroidBox that is currently being developed. The project is part of GSoC 2011 in collaboration with Honeynet and as a master thesis. The Geinimi application uses DES encryption, and it’s possible to uncrypt statically the content, see picture below.
But it’s very easy to do that because the key is not well hidden, so an approach by using dynamic analysis will be more interesting with complex samples.