Research area: Safety
Conference: SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing
Dynamic malware analysis executes an application in a virtual environment, such as a virtual machine or an emulator, in order to observe the behavior of malicious code and trace what it does. Dynamic malware analysis sometimes requires elevating privileges to analyze the malware's internal operations. However, it is difficult to analyze malware that can detect and evade protection mechanisms and hide its malicious functionality when run in an emulator or dynamic malware analyzer. This is because such malware calls Android APIs to determine its execution environment, so it is necessary to record and replay those Android APIs. In this paper, we propose a tool for recording and replaying the Android APIs used to discover rooting traces and detect rooted devices, which are used in sophisticated Android malware that applies evasion techniques. The proposed Record and Replay tool is implemented on the AOSP (Android Open Source Project) platform. We also show that the proposed tool works well on the reference board by replaying an Android malware application that behaves differently in different environments.
| Publication year | 2022 |
|---|---|
| Citations | 2 |
| Country of publication | Korea |
| Site | ACM |
| Likes | 0 |