Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

TL;DR

Glassbox is a dynamic analysis platform for Android malware that runs applications on real devices to improve behavior detection and overcome emulator evasion issues, achieving higher code coverage than traditional methods.

Contribution

It introduces a fully automated real-device analysis system for Android malware, enhancing behavior detection and coverage over emulator-based approaches.

Findings

Executes 13.52% more basic blocks than Monkey.

Effectively triggers malware behaviors on real devices.

Provides a comparison with existing analysis platforms.

Abstract

Android is the most widely used smartphone OS with 82.8% market share in 2015. It is therefore the most widely targeted system by malware authors. Researchers rely on dynamic analysis to extract malware behaviors and often use emulators to do so. However, using emulators lead to new issues. Malware may detect emulation and as a result it does not execute the payload to prevent the analysis. Dealing with virtual device evasion is a never-ending war and comes with a non-negligible computation cost. To overcome this state of affairs, we propose a system that does not use virtual devices for analysing malware behavior. Glassbox is a functional prototype for the dynamic analysis of malware applications. It executes applications on real devices in a monitored and controlled environment. It is a fully automated system that installs, tests and extracts features from the application for further analysis. We present the architecture of the platform and we compare it with existing Android dynamic analysis platforms. Lastly, we evaluate the capacity of Glassbox to trigger application behaviors by measuring the average coverage of basic blocks on the AndroCoverage dataset. We show that it executes on average 13.52% more basic blocks than the Monkey program.