Brian Kondracki (Stony Brook University), Babak Amin Azad (Stony Brook University), Najmeh Miramirkhani (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Malware sandboxes have long been a valuable tool for detecting and analyzing malicious software. The proliferation of mobile devices and, subsequently, mobile applications, has led to a surge in the development and use of mobile device sandboxes to ensure the integrity of application marketplaces. In turn, to evade these sandboxes, malware has evolved to suspend its malicious activity when it is executed in a sandbox environment. Sophisticated malware sandboxes attempt to prevent sandbox detection by patching runtime properties indicative of malware- analysis systems.

In this paper, we propose a set of novel mobile-sandbox- evasion techniques that we collectively refer to as “environment- aware” sandbox detection. We explore the distribution of artifacts extracted from readily available APIs in order to distinguish real user devices from sandboxes. To that end, we identify Android APIs that can be used to extract environment-related features, such as artifacts of user configurations (e.g. screen brightness), population of files on the device (e.g. number of photos and songs), and hardware sensors (e.g. presence of a step counter).

By collecting ground truth data from real users and Android sandboxes, we show that attackers can straightforwardly build a classifier capable of differentiating between real Android devices and well-known mobile sandboxes with 98.54% accuracy. More- over, to demonstrate the inefficacy of patching APIs in sandbox environments individually, we focus on feature inconsistencies between the claimed manufacturer of a sandbox (Samsung, LG, etc.) and real devices from these manufacturers. Our findings emphasize the difficulty of creating robust sandbox environments regardless of their underlying platform being an emulated en- vironment, or an actual mobile device. Most importantly, our work signifies the lack of protection against “environment-aware” sandbox detection in state-of-the-art mobile sandboxes which can be readily abused by mobile malware to evade detection and increase their lifespan.

View More Papers

PASS: A System-Driven Evaluation Platform for Autonomous Driving Safety...

Zhisheng Hu (Baidu Security), Junjie Shen (UC Irvine), Shengjian Guo (Baidu Security), Xinyang Zhang (Baidu Security), Zhenyu Zhong (Baidu Security), Qi Alfred Chen (UC Irvine) and Kang Li (Baidu Security)

Read More

Uncovering Cross-Context Inconsistent Access Control Enforcement in Android

Hao Zhou (The Hong Kong Polytechnic University), Haoyu Wang (Beijing University of Posts and Telecommunications), Xiapu Luo (The Hong Kong Polytechnic University), Ting Chen (University of Electronic Science and Technology of China), Yajin Zhou (Zhejiang University), Ting Wang (Pennsylvania State University)

Read More

PMTUD is not Panacea: Revisiting IP Fragmentation Attacks against...

Xuewei Feng (Tsinghua University), Qi Li (Tsinghua University), Kun Sun (George Mason University), Ke Xu (Tsinghua University), Baojun Liu (Tsinghua University), Xiaofeng Zheng (Institute for Network Sciences and Cyberspace, Tsinghua University; QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.), Qiushi Yang (QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.), Haixin Duan…

Read More

Fuzzing Configurations of Program Options

Zenong Zhang (University of Texas at Dallas), George Klees (University of Maryland), Eric Wang (Poolesville High School), Michael Hicks (University of Maryland), Shiyi Wei (University of Texas at Dallas)

Read More