Morpheus: Automatically generating heuristics to detect android emulators

Yiming Jing, Ziming Zhao, Gail-Joon Ahn, Hongxin Hu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

41 Citations (Scopus)

Abstract

Emulator-based dynamic analysis has been widely deployed in Android application stores. While it has been proven effective in vetting applications on a large scale, it can be detected and evaded by recent Android malware strains that carry detection heuristics. Using such heuristics, an application can check the presence or contents of certain artifacts and infer the presence of emulators. However, there exists little work that systematically discovers those heuristics that would be eventually helpful to prevent malicious applications from bypassing emulator-based analysis. To cope with this challenge, we propose a framework called Morpheus that automatically generates such heuristics. Morpheus leverages our insight that an effective detection heuristic must exploit discrepancies observable by an application. To this end, Morpheus analyzes the application sandbox and retrieves observable artifacts from both Android emulators and real devices. Afterwards, Morpheus further analyzes the retrieved artifacts to extract and rank detection heuristics. The evaluation of our proof-of-concept implementation of Morpheus reveals more than 10,000 novel detection heuristics that can be utilized to detect existing emulator-based malware analysis tools. We also discuss the discrepancies in Android emulators and potential countermeasures.

Original language: English (US)
Title of host publication: ACM International Conference Proceeding Series
Publisher: Association for Computing Machinery
Pages: 216-225
Number of pages: 10
Volume: 2014-December
Edition: December
DOIs: https://doi.org/10.1145/2664243.2664250
State: Published - Dec 8 2014
Event: 30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States
Duration: Dec 8 2014 to Dec 12 2014

Other

Other: 30th Annual Computer Security Applications Conference, ACSAC 2014
Country: United States
City: New Orleans
Period: 12/8/14 to 12/12/14

Fingerprint

Dynamic analysis
Malware

Keywords

  • Android
  • Emulator
  • Malware

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Cite this

Jing, Y., Zhao, Z., Ahn, G-J., & Hu, H. (2014). Morpheus: Automatically generating heuristics to detect android emulators. In ACM International Conference Proceeding Series (December ed., Vol. 2014-December, pp. 216-225). Association for Computing Machinery. https://doi.org/10.1145/2664243.2664250

@inproceedings{a692b26f45c04c1582470673053bcd96,
title = "Morpheus: Automatically generating heuristics to detect android emulators",
keywords = "Android, Emulator, Malware",
author = "Yiming Jing and Ziming Zhao and Gail-Joon Ahn and Hongxin Hu",
year = "2014",
month = "12",
day = "8",
doi = "10.1145/2664243.2664250",
language = "English (US)",
volume = "2014-December",
pages = "216--225",
booktitle = "ACM International Conference Proceeding Series",
publisher = "Association for Computing Machinery",
edition = "December",

}

TY - GEN

T1 - Morpheus

T2 - Automatically generating heuristics to detect android emulators

AU - Jing, Yiming

AU - Zhao, Ziming

AU - Ahn, Gail-Joon

AU - Hu, Hongxin

PY - 2014/12/8

Y1 - 2014/12/8

KW - Android

KW - Emulator

KW - Malware

UR - http://www.scopus.com/inward/record.url?scp=84954555914&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84954555914&partnerID=8YFLogxK

U2 - 10.1145/2664243.2664250

DO - 10.1145/2664243.2664250

M3 - Conference contribution

AN - SCOPUS:84954555914

VL - 2014-December

SP - 216

EP - 225

BT - ACM International Conference Proceeding Series

PB - Association for Computing Machinery

ER -