Enter Sandbox: Android Sandbox Comparison
Sebastian Neuner, Victor van der Veen, Martina Lindorfer, Markus Huber, Georg Merzdovnik, Martin Mulazzani, Edgar Weippl

TL;DR
This paper reviews and compares various Android sandboxing platforms, highlighting their limitations in detecting malware due to code reuse and evasion techniques like Master Key bugs.
Contribution
It provides a comprehensive overview and evaluation of existing Android dynamic analysis platforms, revealing their vulnerabilities and the need for improved detection methods.
Findings
Low diversity among analysis platforms increases evasion risk
Master Key bugs can be exploited to hide malicious behavior
Current platforms are vulnerable to code reuse and evasion techniques
Abstract
Expecting the shipment of 1 billion Android devices in 2017, cyber criminals have naturally extended their vicious activities towards Google's mobile operating system. With an estimated number of 700 new Android applications released every day, keeping control over malware is an increasingly challenging task. In recent years, a vast number of static and dynamic code analysis platforms for analyzing Android applications and making decisions regarding their maliciousness have been introduced in academia and in the commercial world. These platforms differ heavily in terms of feature support and application properties being analyzed. In this paper, we give an overview of the state-of-the-art dynamic code analysis platforms for Android and evaluate their effectiveness with samples from known malware corpora as well as known Android bugs like Master Key. Our results indicate a low level of…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Network Security and Intrusion Detection
