%0 Conference Proceedings
%T AndroNeo: Hardening Android Malware Sandboxes by Predicting Evasion Heuristics
%+ University of Malta [Malta]
%A Leguesse, Yonas
%A Vella, Mark
%A Ellul, Joshua
%Z Part 4: Defences and Evaluation
%< avec comité de lecture
%( Lecture Notes in Computer Science
%B 11th IFIP International Conference on Information Security Theory and Practice (WISTP)
%C Heraklion, Greece
%Y Gerhard P. Hancke
%Y Ernesto Damiani
%I Springer International Publishing
%3 Information Security Theory and Practice
%V LNCS-10741
%P 140-152
%8 2017-09-28
%D 2017
%R 10.1007/978-3-319-93524-9_9
%K Android
%K Malware sandbox hardening
%K Sandbox evasion heuristics
%K Bytecode patching
%Z Computer Science [cs]Conference papers
%X Sophisticated Android malware families often implement techniques aimed at avoiding detection. Split personality malware for example, behaves benignly when it detects that it is running on an analysis environment such as a malware sandbox, and maliciously when running on a real user’s device. These kind of techniques are problematic for malware analysts, often rendering them unable to detect or understand the malicious behaviour. This is where sandbox hardening comes into play. In our work, we exploit sandbox detecting heuristic prediction to predict and automatically generate bytecode patches, in order to disable the malware’s ability to detect a malware sandbox. Through the development of AndroNeo, we demonstrate the feasibility of our approach by showing that the heuristic prediction basis is a solid starting point to build upon, and demonstrating that when heuristic prediction is followed by bytecode patch generation, split personality can be defeated.
%G English
%Z TC 11
%Z WG 11.2
%2 https://inria.hal.science/hal-01875520/document
%2 https://inria.hal.science/hal-01875520/file/469589_1_En_9_Chapter.pdf
%L hal-01875520
%U https://inria.hal.science/hal-01875520
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-WISTP
%~ IFIP-WG11-2
%~ IFIP-LNCS-10741