Research area: Strategies
Venue: CSET '24: Proceedings of the 17th Cyber Security Experimentation and Test Workshop
Besides becoming an essential part of our daily lives, mobile applications drastically expand the threat landscape, and the line between benign and malicious applications keeps blurring. Dynamic analysis of APKs becomes critical as APK developers employ techniques to evade static code inspection. However, these APKs can often bypass the test environment, e.g., in the case of emulators. There are also several ways in which they can detect instrumentation of the test environment and bypass it. We therefore present COMEX, an Android testbed that modifies the test environment minimally, with checks in place to prevent evasion. It has two parts: AXMod and DCoP. The AXMod module is designed to perform a detailed dynamic analysis of an APK on real mobile devices. DCoP, a data collection pipeline, generates raw dynamic analysis data for a given set of APKs in a balanced and efficient manner. COMEX provides raw data related to all possible categories, such as system, network, and hardware, in a time-stamped format. We analyzed approximately a thousand APKs, with an equal number of benign and malware APKs, which gives us ≈ 72M benign and ≈ 70M malware system calls, ≈ 180k packets exchanged over the network, ≈ 545k file accesses, and ≈ 30M total binder transactions. Finally, we publish the source code and analysis scripts to aid further studies.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | India |
| Site | ACM |