Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware

Thanasis Petsas*, Giannis Voyatzis*, Elias Athanasopoulos*, Michalis Polychronakis†, Sotiris Ioannidis*

* Institute of Computer Science, Foundation for Research and Technology—Hellas, Greece
† Columbia University, USA
{petsas, jvoyatz, elathan, sotiris}@ics.forth.gr, mikepo@cs.columbia.edu
ABSTRACT

Antivirus companies, mobile application marketplaces, and the security research community employ techniques based on dynamic code analysis to detect and analyze mobile malware. In this paper, we present a broad range of anti-analysis techniques that malware can employ to evade dynamic analysis in emulated Android environments. Our detection heuristics span three different categories based on (i) static properties, (ii) dynamic sensor information, and (iii) VM-related intricacies of the Android Emulator. To assess the effectiveness of our techniques, we incorporated them in real malware samples and submitted them to publicly available Android dynamic analysis systems, with alarming results. We found all tools and services to be vulnerable to most of our evasion techniques. Even trivial techniques, such as checking the value of the IMEI, are enough to evade some of the existing dynamic analysis frameworks. We propose possible countermeasures to improve the resistance of current dynamic analysis tools against evasion attempts.
1. INTRODUCTION

The popularity of Android, in conjunction with the openness of the platform, has made it an attractive target for attackers [13]. The antivirus and research communities have responded to this increasing security concern with malicious app analysis services and tools. Google has also created Bouncer [1], a service that automatically scans and detects malicious apps. Scanning an app to infer its potentially hidden malicious activities can be based on static [22, 25] and dynamic analysis [14, 17, 19, 28]. Unfortunately, both static and dynamic analysis approaches can be evaded. As far as static analysis is concerned, researchers have demonstrated a series of techniques which can exploit currently available analysis tools [30]. As we demonstrate in this work, dynamic analysis using emulation for inspecting Android malware is not perfect either. A malicious program can try to infer whether it runs in an emulated environment, and therefore evade detection by pausing all malicious activities.
Specifically, in this paper we investigate how Android applications can infer whether they are running on an emulated ARM architecture or on actual hardware. We begin with the creation of a taxonomy of possible ways for identifying features of the execution environment using sets of heuristics. Our heuristics span a wide spectrum of sophistication. Many of them are simple, and can be thwarted by simple modifications to the emulated environment for confusing the heuristic, such as using realistic values for static properties like the serial number of the device. Others are more robust, as the emulated environment needs to incorporate realistic output of mobile sensors, such as the accelerometer. Finally, we present a set of heuristics that require design changes in the actual emulated environment to be defeated.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
EuroSec'14, April 14-17, 2014, Amsterdam, Netherlands.
Copyright 2014 ACM 978-1-4503-2715-2/14/04 ...$15.00.
http://dx.doi.org/10.1145/2592791.2592796.
To assess the importance of our findings, we repackaged a set of actual malware samples by incorporating the developed heuristics, and submitted them to online analysis tools. Surprisingly, all of the tested analysis tools could be evaded using some of our heuristics. There was no single malware analysis service that could cope with all of the tested heuristics. Furthermore, at least 5 of the 12 analysis tools we checked can be evaded by using heuristics as simple as checking the IMEI value. More complex heuristics based on virtual machine intricacies could evade all but four of the tested services. Those four services do not support native code, and thus can only be used for reviewing a subset of Android apps. Finally, all tested services were vulnerable to sensor-based heuristics. We argue that current practices for malware analysis can be easily evaded, by demonstrating that actual malware can conceal its malicious functionality from publicly available malware analysis services. We propose a set of countermeasures for making emulated Android app analysis environments more robust to evasion attempts.
2. ANTI-ANALYSIS TECHNIQUES

Anti-analysis techniques that can be employed by Android apps to evade detection can be classified in three categories: (a) static heuristics, based on static information always initialized to fixed values in the emulated environment, (b) dynamic heuristics, based on observing unrealistic behavior of various sensors, and (c) hypervisor heuristics, based on incomplete emulation of the actual hardware. Table 1 provides a summary of all categories, along with some representative examples.
2.1 Static Heuristics

The static set includes heuristics that can be used for detecting emulated environments by checking the presence and the content of unique device identifiers, such as the serial number (device ID), the current build version, or the layout of the routing table.
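The countermeasure the introduction names for this category, giving the emulated environment realistic values for its static properties, only works if the sandbox operator knows which identifiers still carry stock values. The following Python script is an added example, not code from the paper or from the Android project: it audits a property dump of an analysis sandbox and reports the identifiers that still match the defaults of the stock Android Emulator, so they can be replaced before samples are run. The all-zero default IMEI, the `ro.hardware`, `ro.build.fingerprint` and `ro.kernel.qemu` system properties and their emulator values are known emulator behaviour and are assumed here rather than quoted from the paper; the two property dumps are constructed in the style of `getprop` output, and the realistic IMEI is the textbook Luhn-valid example, not a real device.

```python
"""Audit the static device identifiers of an Android analysis sandbox.

Added example (not from the paper): flags identifiers that still carry the
stock Android Emulator defaults, so they can be replaced with realistic
values before samples are run in the sandbox.
"""
import re

# Stock Android Emulator defaults (known emulator behaviour; assumed here,
# not values quoted from the paper).
DEFAULT_IMEI = "000000000000000"            # the emulator reports fifteen zeros
EMULATOR_HARDWARE = {"goldfish", "ranchu"}  # emulator board names seen in ro.hardware
FINGERPRINT_MARKERS = ("generic", "sdk")    # substrings of emulator build fingerprints

# Constructed property dumps in the style of `getprop` output.
EMULATOR_DUMP = """\
[ro.hardware]: [goldfish]
[ro.build.fingerprint]: [generic/sdk/generic:4.4/KRT16L/1234567:eng/test-keys]
[ro.kernel.qemu]: [1]
"""
DEVICE_DUMP = """\
[ro.hardware]: [qcom]
[ro.build.fingerprint]: [vendor/phone/phone:4.4/KRT16M/1234567:user/release-keys]
"""
# Textbook Luhn-valid IMEI (constructed example, not a real device).
REALISTIC_IMEI = "490154203237518"


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used for IMEI check digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_getprop(dump):
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in dump.splitlines():
        match = re.match(r"\[([^\]]+)\]: \[(.*)\]$", line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_static_identifiers(imei, props):
    """Return a list of findings for identifiers that betray an emulator.

    An empty list means none of the checked identifiers carries a stock value.
    """
    findings = []
    if imei == DEFAULT_IMEI:
        findings.append("imei: stock emulator default (all zeros)")
    elif not (len(imei) == 15 and imei.isdigit() and luhn_valid(imei)):
        findings.append("imei: not 15 digits with a valid Luhn check digit")
    hardware = props.get("ro.hardware", "")
    if hardware in EMULATOR_HARDWARE:
        findings.append("ro.hardware: emulator board name %r" % hardware)
    fingerprint = props.get("ro.build.fingerprint", "").lower()
    if any(marker in fingerprint for marker in FINGERPRINT_MARKERS):
        findings.append("ro.build.fingerprint: contains an SDK/generic build marker")
    if props.get("ro.kernel.qemu") == "1":
        findings.append("ro.kernel.qemu: set to 1 (QEMU-based emulator)")
    return findings


def main():
    for label, imei, dump in (("emulator", DEFAULT_IMEI, EMULATOR_DUMP),
                              ("device", REALISTIC_IMEI, DEVICE_DUMP)):
        findings = audit_static_identifiers(imei, parse_getprop(dump))
        print("%s: %d finding(s)" % (label, len(findings)))
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Running the script reports four findings for the constructed emulator dump and none for the constructed device dump. The Luhn check matters because a replacement IMEI chosen at random is as recognisable as the all-zero default once an app validates the check digit; the audit therefore accepts only values that a real handset could carry.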
Device ID. Each smartphone contains an IMEI (International Mobile Station Equipment Identity), which is a unique number identifying it in the GSM network. The IMEI has already been used by malicious Android apps to hinder analysis by malware detection tools running on emulators [2]. Another mobile device identifier is