Large-Scale Android Dynamic Analysis
Total Page:16
File Type:pdf, Size:1020Kb
Andlantis: Large-scale Android Dynamic Analysis Michael Biermayz, Eric Gustafsonz, Jeremy Ericksony, David Fritzy, Yung Ryn Choey ∗ySandia National Laboratories fmbierma, jericks, djfritz, [email protected] zUniversity of California, Davis fmhbierma, [email protected] Abstract— In this paper, we present Andlantis: a highly scalable Analyzing Android applications for malicious behavior is an dynamic analysis framework for analyzing applications on important area of research, and is made difficult, in part, by the Android operating system. Andlantis runs the Android the increasingly large number of applications available for the operating system in a virtualized environment and is able platform. While techniques exist to perform static analysis on a to provide the virtual device with artificial network data in large number of applications, dynamic analysis techniques are order to provide an environment which closely replicates that relatively limited in scale due to the computational resources of a physical device. Andlantis is able to schedule and run required to emulate the full Android system to achieve accurate thousands of Android instances in parallel, enabling us to execution. We present Andlantis, a scalable dynamic analysis investigate the behavior of mobile malware at scale. system capable of processing over 3000 Android applications per hour. During this processing, the system is able to collect Andlantis employs a scalable high-performance emulytics valuable forensic data, which helps reverse-engineers and mal- framework, minimega, to parallelize this expensive task as ware researchers identify and understand anomalous application much as possible and achieve a level of throughput un- behavior. We discuss the results of running 1261 malware samples precedented in Android dynamic analysis. Minimega provides through the system, and provide examples of malware analysis the ability to coordinate and distribute our analysis across a performed with the resulting data. cluster constructed from inexpensive, commodity hardware. Our experiment framework captures an application’s disk I. INTRODUCTION and network activity, which is further parsed for anomalous As the marketshare and popularity of the Android platform behavior. Additionally, we are able to run applications within has expanded, the number of applications available to users has different operating environments and compare the results for increased dramatically. It is estimated that 70% of the worlds interesting behavioral differences. smartphones run Android, with over 900,000 applications available on the official Google application store as of May The rest of this paper provides: a description and analysis 2013 [1]. This has made Android a tempting target for malware of related work, a detailed description of the Andlantis archi- authors, and is the victim of 92% of mobile malware threats tecture, the results of our experiments on Android malware [2]. using Andlantis, an evaluation of the Andlantis system, a de- scription of the limitations and future work, and a concluding In an attempt to get a better understanding of the nature section. of this large volume of executable code, researchers employ a combination of static and dynamic analysis techniques. Static II. RELATED WORK analysis—the analysis of a program’s source or byte code to determine behavior—is much easier to scale, due to its reliance To date, there have been a number of frameworks designed on data operations that are easily accelerated and parallelized. for the analysis of Android applications. We can classify these Previous static methods have scaled to hundreds of thousands as static analysis [13], [9], [10], [18] and dynamic analysis [8], of Android applications[12]. However, dynamic analysis— [5], [7], [19], [17], [15], [6], [4], [14] frameworks. observing the program’s execution to determine behavior—is In [18], Schmidt et. al. utilize machine learning techniques much harder to scale due to the need to accurately replicate to identify malicious binaries in Android applications through the desired execution environment, usually through the use of the extraction of functions and function calls found in the ELF emulation or virtualization. In many cases, dynamic analysis binaries. is necessary to uncover vulnerabilities too complicated for static analysis, or discover flaws in program logic only known RiskRanker and Andarwin[13], [9] are scalable frameworks at runtime (e.g. dynamic dispatch). In addition to simply which provide valuable insight to Android application behav- emulating the applications, the researcher must also obtain ior. RiskRanker utilizes a variety of static analysis techniques enough data from the running applications to detect the desired to detect malware on Android devices. These techniques in- behaviors, adding an extra level of complexity to an already clude program control flow graph evaluation and evaluation large computational burden. of byte code signatures. AnDarwin is designed for the scal- able detection of plagiarized applications. This is performed ∗Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed through the construction of a Program Dependency Graph Martin Corporation, for the U.S. Department of Energys National Nuclear (PDG) of the Android application. A semantic vector is then Security Administration under contract DE-AC04-94AL85000. extracted from the PDG to represent the application, which can then be quickly compared with the semantic vectors of other III. ARCHITECTURE applications. As seen in Figure1, our system is divided up into three These papers are relevant because they address the issue main components: a malware analysis repository (FARM[20]), of scale, analyzing malware signature generation and cloned a distribution system built on top of a cluster management application detection, respectively. However, we are interested framework (Minimega[11]), and a behavioral analysis environ- in the dynamic analysis of Android applications, which gives ment to capture forensic data. It runs on a large commodity insight into runtime behavior. cluster. 1) Kane: Commodity Cluster for Malware Analysis: In The work that comes closest to our work in scalable dy- order to provide a safe, scalable, and reliable environment namic Android analysis is Crowdroid [6]. This paper creates a for the analysis of malware, we constructed Kane, a 520- scalable analysis framework by crowdsourcing its data collec- node system consisting of reasonably priced commodity PCs. tion. It relies on users to run applications on their phones and Each node is capable of hosting between 8 and 20 virtual send back information to a centralized server. While this is very machines, depending on the CPU and RAM requirements of similar to our companion application, Arkhunter, (described in the application and guest OS. The systems are intentionally the Discussion section), it only scales well when there are a diskless and PXE boot from a collection of experiment images large number of active users on the system. There may also be stored on the cluster head node. Because there are no disks, problems with users tampering with, or skewing the data based even malware employing VM breakout techniques will have on their usage of the application. Andlantis avoids these issues difficulty infecting the host machine permanently. A simple by running the dynamic analysis on a collection of virtual reboot will wipe the node clean, and any damage the malware Android devices instead of using a crowdsourced platform. could cause to other systems would be limited because our system’s internal network has no connection out to the Internet. Similarly, Mahmood et. al developed a scalable dynamic analysis framework for analyzing Android applications in the 2) FARM: Malware collection and organization: The cloud [17]. Their platform utilizes the robotium test automation Forensics Analysis Repository for Malware (FARM) is the framework to drive the user interfaces of the applications. primary input to our system. FARM stores known-bad, known- Robotium allows for blackbox testing of Android applications good, and unknown applications, as well as the results from through the development of a companion (testing) app that automated analysis tools. Researchers and analysts can request is installed alongside the testee application. The robotium a file to be analyzed by various systems, including Andlantis. platform requires the testee app to be signed in debug mode. In addition to managing the results from automated tools, Because production applications are rarely signed in debug FARM is able to leverage its large repository of malware mode, they must be resigned in order to work with robotium. to correlate information across samples. As mobile malware Application signatures can be checked by the application techniques approach the sophistication of PC-based malware, during runtime, and applications may break or significantly it will only become more important to be able to compare reduce functionality if they detect they have been resigned. samples across different platforms for similar behavior and Because we are interested in the dynamic analysis of Android functionality. malware, we wish to avoid conflicting behaviors that occur 3) Andlantis Agent: Job control: When an analyst selects when an application is modified. Andlantis can reap the benefit a sample for examination, it is sent to the control node of our of operating on