Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices
This addresses malware detection issues for Android security researchers, though it is incremental as it builds on existing dynamic analysis methods.
The paper tackles the problem of malware evasion in Android dynamic analysis by proposing Glassbox, a system that uses real devices instead of emulators, resulting in an average 13.52% increase in basic block coverage compared to the Monkey program.
Android is the most widely used smartphone OS with 82.8% market share in 2015. It is therefore the most widely targeted system by malware authors. Researchers rely on dynamic analysis to extract malware behaviors and often use emulators to do so. However, using emulators lead to new issues. Malware may detect emulation and as a result it does not execute the payload to prevent the analysis. Dealing with virtual device evasion is a never-ending war and comes with a non-negligible computation cost. To overcome this state of affairs, we propose a system that does not use virtual devices for analysing malware behavior. Glassbox is a functional prototype for the dynamic analysis of malware applications. It executes applications on real devices in a monitored and controlled environment. It is a fully automated system that installs, tests and extracts features from the application for further analysis. We present the architecture of the platform and we compare it with existing Android dynamic analysis platforms. Lastly, we evaluate the capacity of Glassbox to trigger application behaviors by measuring the average coverage of basic blocks on the AndroCoverage dataset. We show that it executes on average 13.52% more basic blocks than the Monkey program.