Identifying and Evading Android Sandbox Through Usage-Profile Based Fingerprints

ASIA CCS '18: ACM Asia Conference on Computer and Communications Security, Incheon, Republic of Korea, June 2018

Abstract
An Android sandbox is built either on the Android emulator or on a real device with a hooking framework. Fingerprints of an Android sandbox can be used to evade dynamic detection. In this paper, we first conduct a measurement on eight Android sandboxes and find that their customized usage profiles (e.g., contacts, SMS) can be fingerprinted by attackers to evade the sandbox. According to our measurement results, most Android sandboxes have empty usage-profile fingerprints, fixed fingerprints, or random artifact fingerprints. Without protections on such user profiles, Android malware can identify the fingerprints associated with different sandboxes and hide its malicious behaviors. Finally, we propose several mitigation solutions that are trivial to implement, including generating and feeding random real usage profiles to the malware sample every time, as well as a hybrid approach that combines both random and fixed usage profiles.
Keywords
Android, Mobile Security, AntiVirus, Sandbox, Fingerprinting