Short: Evading Android Runtime Analysis Through Detecting Programmed Interactions

Wenrui Diao, Xiangyu Liu, Zhou Li, Kehuan Zhang

Dynamic analysis technique has been widely used in Android malware detection. Previous works on evading dynamic analysis focus on discovering the fingerprints of emulators. However, such method has been challenged since the introduction of real devices in recent works. In this paper, we propose a new approach to evade automated runtime analysis through detecting programmed interactions. This approach, in essence, tries to tell the identity of the current app controller (human user or automated exploration tool), by finding intrinsic differences between human user and machine tester in interaction patterns. The effectiveness of our approach has been demonstrated through evaluation against 11 real-world online dynamic analysis services.

A variety of systems perform dynamic analysis of Android applications in an automated manner. However, malicious applications may disguise harmful behavior if they can detect when they are executed in an emulator. This paper proposes several techniques to perform the detection of dynamic analysis systems. This includes examining the parameters of API calls and comparing the patterns of interactions with what is expected from humans. To evaluate their techniques, the authors submit their test application to several application analysis services. The paper provides a comparison of the analysis systems based on how resilient they are to the described detection of programmed interactions.

The program committee liked the fact that the approach is effective for detection of emulators. In addition, the provided comparison of analysis services shows interesting insight into the state-of-the-art of academic and commercial dynamic analysis services. However, the PC would have liked to see a more detailed technical description of the techniques that were applied, such as the specific algorithms used to detect programmed interaction patterns. Also, some of the proposed techniques seem relatively easy to defeat. Finally, the authors could have provided a more detailed analysis of their evaluation and the implications of their findings. Nevertheless, the PC felt that the paper will be a nice addition to the program of WiSec and hopefully spark some interesting discussions.