Evadroid suite
Test suite of evasive Android apps

About


Malware is evasive. It tries to avoid detection and analysis by fingerprinting the environment it runs in and executing its payload only under particular conditions. Malware analyzers need to be aware of the evasion techniques malware uses.

Evadroid is a catalog of techniques that malware can use to evade detection and analysis. Each sample app in this catalog tests one very specific aspect of the system it runs on, and executes its payload only when that condition is met. As an example payload, the test then tries to send an SMS.

This test suite can be used to test your own evasion-detection techniques: all samples share the same structure and payload, so any difference in behavior comes only from the condition each one checks. See the README file included in the zip file for technical details on the log format and the expected behavior of each case.

Evadroid is mainly developed by the Mobile Enterprise Software research group at IBM T. J. Watson Research Center. Contributions are welcome and will be properly attributed.

Case Descriptions


AbnormalSetting

installedApps

It lists the installed apps through getPackageManager and looks for com.android.development, the Dev Tools app that ships on emulator and AOSP images. It does not trigger the payload if that package is installed.

uptime

It triggers the payload only when the app is started on a system that has been up for more than 4 hours. It calls uptimeMillis to read the system uptime; note that uptimeMillis does not count time spent in deep sleep, so a long-idle phone can still report a short uptime.
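
The two AbnormalSetting conditions written as Android helpers, as an added example (this is not code from the Evadroid suite). It compiles against the Android SDK; the package name and the 4-hour threshold come from the descriptions above, the combined payload gate is this example's own.

```java
// Added example (not part of the Evadroid suite): the installedApps and
// uptime conditions as plain Android helpers. Compile against the Android SDK.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.SystemClock;

import java.util.List;

public final class AbnormalSettingChecks {

    // Dev Tools application that ships on emulator and AOSP builds.
    static final String DEV_TOOLS_PACKAGE = "com.android.development";

    static final long FOUR_HOURS_MS = 4L * 60 * 60 * 1000;

    /** installedApps: true when the Dev Tools package is present. */
    public static boolean devToolsInstalled(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        // On Android 11+ this list is filtered by package visibility rules:
        // without a <queries> element or QUERY_ALL_PACKAGES the app may not
        // see com.android.development even when it is installed.
        List<ApplicationInfo> apps = pm.getInstalledApplications(0);
        for (ApplicationInfo app : apps) {
            if (DEV_TOOLS_PACKAGE.equals(app.packageName)) {
                return true;
            }
        }
        return false;
    }

    /** uptime: true once the system has been running for more than 4 hours. */
    public static boolean upLongerThanFourHours() {
        // uptimeMillis() stops while the device is in deep sleep; a phone
        // that sat idle in a drawer can still report a short uptime.
        // elapsedRealtime() would include the sleep time.
        return SystemClock.uptimeMillis() > FOUR_HOURS_MS;
    }

    /** Payload gate combining both checks: run only on a "normal" device. */
    public static boolean shouldRunPayload(Context ctx) {
        return !devToolsInstalled(ctx) && upLongerThanFourHours();
    }
}
```

A sandbox that wants to pass both checks has to hide the Dev Tools package from the package manager (or simply not install it) and either run the sample for four hours or hook SystemClock.uptimeMillis.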

AnalysisDetection

adbEnable

It reads the ADB_ENABLED setting to detect whether ADB debugging is enabled and triggers the payload only when it is not.

adbPortDetector

It parses /proc/net/tcp to detect whether a TCP port between 5555 and 5585 is open; that is the range adbd listens on when it accepts TCP connections (5555 on a stock emulator). Addresses and ports in that file are hexadecimal.
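
Both ADB checks, as an added example that is not Evadroid's own code. The settings read is Android-specific; the /proc/net/tcp parser is plain Java and can be exercised on any Linux host. Counting only sockets in LISTEN state is a choice of this example, the suite's exact filter is not stated above.

```java
// Added example (not Evadroid's code): the adbEnable and adbPortDetector
// conditions. Requires the Android SDK for the Settings read.
import android.content.Context;
import android.provider.Settings;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

public final class AdbChecks {

    static final int ADB_PORT_LOW = 5555;
    static final int ADB_PORT_HIGH = 5585;

    /** adbEnable: the "USB debugging" switch (Settings.Global, API 17+). */
    public static boolean adbEnabled(Context ctx) {
        return Settings.Global.getInt(ctx.getContentResolver(),
                Settings.Global.ADB_ENABLED, 0) == 1;
    }

    /**
     * adbPortDetector: scan /proc/net/tcp for a socket bound to a port in
     * 5555..5585. Since Android 10 unprivileged apps cannot read /proc/net,
     * so an IOException here means "no evidence", not "no ADB".
     */
    public static boolean adbPortOpen() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/net/tcp"))) {
            String line = r.readLine();                 // header line
            while ((line = r.readLine()) != null) {
                if (hasAdbLocalPort(line)) {
                    return true;
                }
            }
        } catch (IOException e) {
            // unreadable: fall through
        }
        return false;
    }

    /**
     * One /proc/net/tcp entry (whitespace separated fields):
     *   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 ...
     * field 1 is local_address as hexIP:hexPort (0x15B3 = 5555), field 3 is
     * the socket state and 0A is LISTEN. Only listening sockets are counted
     * here, so an outgoing connection whose client port happens to fall in
     * the range is not mistaken for adbd.
     */
    static boolean hasAdbLocalPort(String entry) {
        String[] f = entry.trim().split("\\s+");
        if (f.length < 4) {
            return false;
        }
        int colon = f[1].lastIndexOf(':');
        if (colon < 0) {
            return false;
        }
        int port;
        try {
            port = Integer.parseInt(f[1].substring(colon + 1), 16);
        } catch (NumberFormatException e) {
            return false;
        }
        boolean listening = "0A".equalsIgnoreCase(f[3]);
        return listening && port >= ADB_PORT_LOW && port <= ADB_PORT_HIGH;
    }
}
```

On a recent Android the port scan silently degrades to "not found", so a sandbox running Android 10 or later passes adbPortDetector for free; adbEnable still works because Settings.Global is world-readable.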

signatureVerification

Inspired by AnserverBot, it checks whether the app has been repackaged by verifying its own signature: a repackaged (modified and re-signed) app no longer carries the original developer's signing certificate.
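
One way to implement the signature check, as an added example rather than Evadroid's code. EXPECTED_CERT_SHA256 is a placeholder; a real app embeds the digest of its own release certificate at build time.

```java
// Added example (not Evadroid's code): detect repackaging by comparing the
// installed APK's signing certificate against an embedded digest.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SignatureCheck {

    // Placeholder (assumption): replace with the SHA-256 of the real cert.
    static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /**
     * True when none of the app's signing certificates matches the expected
     * one. A repackaged APK must be re-signed by whoever modified it, so the
     * certificate changes even when the code looks the same. GET_SIGNATURES
     * is deprecated since API 28 (GET_SIGNING_CERTIFICATES / signingInfo
     * replace it) but still serves for this purpose.
     */
    public static boolean isRepackaged(Context ctx) {
        PackageInfo info;
        try {
            info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return true; // cannot verify: treat as tampered
        }
        if (info.signatures == null) {
            return true;
        }
        for (Signature sig : info.signatures) {
            // Signature.toByteArray() is the DER-encoded X.509 certificate.
            if (EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                return false;
            }
        }
        return true;
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available
        }
    }
}
```

The check is only as strong as the code that performs it: an analyst who instruments getPackageInfo to return the original Signature, or who patches the comparison out before re-signing, defeats it, which is why this case is useful for testing hooking-based analysis tools.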

EmulatorConstants

constantCalls1

In the paper Evading Android Runtime Analysis via Sandbox Detection (Vidas and Christin, 2014), a set of constants is suggested for detecting an emulated host environment. This test checks some of the method calls listed in that paper (calls whose return values identify the emulator) and avoids executing the payload under emulated conditions.

constantCalls2

In the paper Evading Android Runtime Analysis via Sandbox Detection (Vidas and Christin, 2014), a set of constants is suggested for detecting an emulated host environment. Like constantCalls1, this test checks some of the method calls listed in that paper and avoids executing the payload under emulated conditions.

constants1

In the paper Evading Android Runtime Analysis via Sandbox Detection (Vidas and Christin, 2014), a set of constants is suggested for detecting an emulated host environment. This test checks some of the static constants (as opposed to method calls).

constants2

In the paper Evading Android Runtime Analysis via Sandbox Detection (Vidas and Christin, 2014), a set of constants is suggested for detecting an emulated host environment. Like constants1, this test checks some of the static constants.

constantsDLC

Dynamically loads constants1.apk at runtime and runs it, so it behaves like constants1 while keeping the checks out of the installed APK's own code.
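
The loading step itself, as an added example that is not Evadroid's code. The entry class and method names inside the loaded APK (ENTRY_CLASS, ENTRY_METHOD) are assumptions, the page does not name them; the API used is the standard DexClassLoader.

```java
// Added example (not Evadroid's code): load a second APK at runtime and call
// a check inside it, the way constantsDLC wraps constants1.
import android.content.Context;

import java.io.File;
import java.lang.reflect.Method;

import dalvik.system.DexClassLoader;

public final class DynamicLoader {

    static final String ENTRY_CLASS = "com.example.constants1.Check"; // assumption
    static final String ENTRY_METHOD = "looksEmulated";                 // assumption

    /**
     * Load apkFile (already copied into app-private storage) and invoke the
     * static boolean ENTRY_METHOD on ENTRY_CLASS. Returns true when the loaded
     * code reports an emulator. A load failure is treated here as "no
     * evidence of an emulator", a design choice of this example.
     */
    public static boolean runEmbeddedCheck(Context ctx, File apkFile) {
        try {
            // Android 14+ refuses to load dex/apk code from a writable file.
            apkFile.setReadOnly();
            File optDir = ctx.getCodeCacheDir();
            DexClassLoader loader = new DexClassLoader(
                    apkFile.getAbsolutePath(), optDir.getAbsolutePath(),
                    null, ctx.getClassLoader());
            Class<?> entry = loader.loadClass(ENTRY_CLASS);
            Method m = entry.getMethod(ENTRY_METHOD);
            Object result = m.invoke(null);
            return result instanceof Boolean && (Boolean) result;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }
}
```

Static analysis of the outer APK sees only a class loader and a reflective call; the Build and telephony checks live in the embedded APK, which is why a static detector that scores constants1 correctly can miss constantsDLC.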

divById

Divides 1 by the sum of the numeric value of each digit in getDeviceId(). On most emulators the device ID is all zeros (000000000000000), so the sum is 0 and the division throws ArithmeticException; the payload is triggered only when the exception is not thrown.
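
Checks in the spirit of constants1/2, constantCalls1/2 and divById, as one added example (not code from the suite or the paper). The literal values are what the classic goldfish emulator reports; newer system images differ in places, so the lists are illustrative, not exhaustive.

```java
// Added example (not Evadroid's code): static Build constants, telephony
// method calls, and the divById trick. Compile against the Android SDK.
import android.content.Context;
import android.os.Build;
import android.telephony.TelephonyManager;

public final class EmulatorConstants {

    /** constants: static Build fields, readable without any permission. */
    public static boolean buildLooksEmulated() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.DEVICE.startsWith("generic")
                || Build.PRODUCT.equals("sdk")
                || Build.PRODUCT.equals("google_sdk")
                || Build.MODEL.contains("sdk")
                || Build.HARDWARE.equals("goldfish")
                || Build.HARDWARE.equals("ranchu")
                || Build.BRAND.startsWith("generic");
    }

    /**
     * constantCalls: telephony method calls. getDeviceId() needs
     * READ_PHONE_STATE and, from API 29, throws SecurityException for ordinary
     * apps, so each call is wrapped and a failure counts as "no evidence".
     * Emulator values: IMEI all zeros, line number 1555521xxxx (derived from
     * the console port), network operator name "Android".
     */
    public static boolean telephonyLooksEmulated(Context ctx) {
        TelephonyManager tm =
                (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm == null) {
            return false;
        }
        String imei = safe(() -> tm.getDeviceId());
        String line1 = safe(() -> tm.getLine1Number());
        String operator = safe(() -> tm.getNetworkOperatorName());
        return "000000000000000".equals(imei)
                || (line1 != null && line1.startsWith("1555521"))
                || "Android".equals(operator);
    }

    /**
     * divById: 1 / (sum of digit values of the device id). An all-zero IMEI
     * gives a sum of 0 and an ArithmeticException; only a non-zero id lets
     * the caller proceed. Hex digits are accepted so a MEID also counts.
     */
    public static boolean deviceIdDivides(String deviceId) {
        int sum = 0;
        for (char c : deviceId.toCharArray()) {
            int d = Character.digit(c, 16);
            if (d > 0) {
                sum += d;
            }
        }
        try {
            int unused = 1 / sum;
            return true;
        } catch (ArithmeticException e) {
            return false;
        }
    }

    interface Call {
        String get() throws Exception;
    }

    static String safe(Call c) {
        try {
            return c.get();
        } catch (Exception e) {
            return null;
        }
    }
}
```

divById is worth a closer look from the detection side: there is no string comparison against "000000000000000" anywhere in the code, only an integer division, so a detector that greps for emulator constants misses it while a detector that hooks getDeviceId and returns a realistic IMEI passes it.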

qemuFingerprinting

In the paper Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware (Petsas et al., 2014), a set of heuristics is described for detecting an emulated host environment. One of them is the so-called xFlowH heuristic, which looks for execution-flow artifacts of QEMU's binary translation rather than for static constants. This test runs that heuristic. The native library libbt_detect2.so was provided by the authors of the paper.

Network

network1

Only triggers the payload when the app is started on a device whose IP address is different from 0.0.0.0, i.e. one that actually has a network address.

network2

Inspired by the netH heuristic from the paper Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware (Petsas et al., 2014), this test checks for the typical emulator network configuration (the guest gets the fixed address 10.0.2.15, with 10.0.2.2 as gateway and 10.0.2.3 as DNS server).
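
network1 and network2 implemented on top of java.net.NetworkInterface, as an added example (not Evadroid's code). The page does not say which API the suite uses to read the address; this version runs unchanged on an emulator, a phone or a Linux host, and checks only the guest address, not the gateway or DNS server.

```java
// Added example (not Evadroid's code): network1 (any real IPv4 address) and
// network2 (the emulator's fixed guest address) via NetworkInterface.
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public final class NetworkChecks {

    // Stock emulator guest: NIC 10.0.2.15, gateway 10.0.2.2, DNS 10.0.2.3.
    static final String EMULATOR_GUEST_IP = "10.0.2.15";

    /** network1: some non-loopback interface carries an address other than 0.0.0.0. */
    public static boolean hasRealIpv4Address() throws SocketException {
        for (String ip : nonLoopbackIpv4()) {
            if (!"0.0.0.0".equals(ip)) {
                return true;
            }
        }
        return false;
    }

    /** network2 (netH): the emulator's fixed guest address is configured. */
    public static boolean looksLikeEmulatorNetwork() throws SocketException {
        return nonLoopbackIpv4().contains(EMULATOR_GUEST_IP);
    }

    /** IPv4 addresses of all interfaces that are up and not loopback. */
    static List<String> nonLoopbackIpv4() throws SocketException {
        List<String> out = new ArrayList<>();
        Enumeration<NetworkInterface> nifs = NetworkInterface.getNetworkInterfaces();
        if (nifs == null) {
            return out;
        }
        for (NetworkInterface nif : Collections.list(nifs)) {
            if (nif.isLoopback() || !nif.isUp()) {
                continue;
            }
            for (InetAddress addr : Collections.list(nif.getInetAddresses())) {
                if (addr instanceof Inet4Address) {
                    out.add(addr.getHostAddress());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws SocketException {
        System.out.println("addresses: " + nonLoopbackIpv4());
        System.out.println("network1 passes: " + hasRealIpv4Address());
        System.out.println("network2 flags emulator: " + looksLikeEmulatorNetwork());
    }
}
```

Run inside a stock emulator the list contains 10.0.2.15, so network2 fires and network1 passes; on a phone with no connectivity the list is empty and network1 withholds the payload, which is the behavior a sandbox without a network stack will also show.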

Sensors

accelH

Inspired by the accelH heuristic from the paper Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware (Petsas et al., 2014), this test triggers the payload only when the accelerometer reports movement; a stock emulator returns constant accelerometer readings, or no accelerometer at all.
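
An accelH-style gate, as an added example that is not Evadroid's code. THRESHOLD is an assumption; a stock emulator either exposes no accelerometer or reports the same vector every time, so the delta stays at zero and the payload never runs.

```java
// Added example (not Evadroid's code): fire the payload on the first
// accelerometer reading that differs noticeably from the previous one.
import android.content.Context;
import android.hardware.Sensor;
import android.hardware.SensorEvent;
import android.hardware.SensorEventListener;
import android.hardware.SensorManager;

public final class AccelMovementGate implements SensorEventListener {

    // Minimum change between two consecutive readings, in m/s^2 (assumption).
    static final float THRESHOLD = 0.5f;

    private final SensorManager sensors;
    private final Runnable payload;
    private float[] last;
    private boolean fired;

    public AccelMovementGate(Context ctx, Runnable payload) {
        this.sensors = (SensorManager) ctx.getSystemService(Context.SENSOR_SERVICE);
        this.payload = payload;
    }

    /** Start listening; false when the device reports no accelerometer. */
    public boolean start() {
        Sensor accel = sensors.getDefaultSensor(Sensor.TYPE_ACCELEROMETER);
        if (accel == null) {
            return false;
        }
        return sensors.registerListener(this, accel, SensorManager.SENSOR_DELAY_NORMAL);
    }

    @Override
    public void onSensorChanged(SensorEvent event) {
        float[] now = event.values.clone();
        if (last != null && !fired && moved(last, now)) {
            fired = true;
            sensors.unregisterListener(this);
            payload.run();
        }
        last = now;
    }

    /** Euclidean distance between two consecutive readings exceeds THRESHOLD. */
    static boolean moved(float[] a, float[] b) {
        float dx = a[0] - b[0];
        float dy = a[1] - b[1];
        float dz = a[2] - b[2];
        return Math.sqrt(dx * dx + dy * dy + dz * dz) > THRESHOLD;
    }

    @Override
    public void onAccuracyChanged(Sensor sensor, int accuracy) {
        // not needed for this gate
    }
}
```

Current emulators can inject synthetic motion from the extended controls, and an analysis framework can replay recorded sensor traces; this gate cannot tell either from a real shake, it only defeats sandboxes that leave the sensor static.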

batteryCharging

It uses BatteryManager.EXTRA_STATUS to detect whether the device is charging. Since, by default, most emulators simulate a charging device, it triggers the payload only when the status is not charging.

batteryFull

It uses BatteryManager.EXTRA_STATUS to detect when the battery is full and triggers the payload only in that state.

batteryStatus

The paper Evading Android Runtime Analysis via Sandbox Detection (Vidas and Christin, 2014) suggests monitoring changes in the battery state to detect an emulated host environment, since an emulator's simulated battery normally never changes. This test waits for a fluctuation in the battery level.
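
The three battery conditions in one place, as an added example (not Evadroid's code). ACTION_BATTERY_CHANGED is a sticky broadcast, so registering a null receiver returns the most recent Intent immediately; the fluctuation check is a real receiver that waits for the level to move.

```java
// Added example (not Evadroid's code): batteryCharging, batteryFull and
// batteryStatus on top of the ACTION_BATTERY_CHANGED broadcast.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.BatteryManager;

public final class BatteryChecks {

    /** Sticky broadcast: returns the last battery Intent without waiting. */
    static Intent lastBatteryIntent(Context ctx) {
        return ctx.registerReceiver(null, new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
    }

    static int status(Intent i) {
        return i == null ? -1 : i.getIntExtra(BatteryManager.EXTRA_STATUS, -1);
    }

    /** Battery level as a percentage, or -1 if the extras are missing. */
    static int percent(Intent i) {
        if (i == null) {
            return -1;
        }
        int level = i.getIntExtra(BatteryManager.EXTRA_LEVEL, -1);
        int scale = i.getIntExtra(BatteryManager.EXTRA_SCALE, -1);
        return (level < 0 || scale <= 0) ? -1 : (level * 100) / scale;
    }

    /** batteryCharging: run only when the status is not CHARGING. */
    public static boolean notCharging(Context ctx) {
        return status(lastBatteryIntent(ctx)) != BatteryManager.BATTERY_STATUS_CHARGING;
    }

    /** batteryFull: run only when the battery reports FULL. */
    public static boolean isFull(Context ctx) {
        return status(lastBatteryIntent(ctx)) == BatteryManager.BATTERY_STATUS_FULL;
    }

    /**
     * batteryStatus: fire once the level differs from the first value seen.
     * A simulated battery that nobody drives from the emulator console
     * never changes, so the payload never runs there.
     */
    public static final class LevelChangeGate extends BroadcastReceiver {
        private final Runnable payload;
        private Context registeredWith;
        private int firstPercent = -1;
        private boolean fired;

        public LevelChangeGate(Runnable payload) {
            this.payload = payload;
        }

        public void register(Context ctx) {
            registeredWith = ctx.getApplicationContext();
            registeredWith.registerReceiver(this,
                    new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
        }

        @Override
        public void onReceive(Context ctx, Intent intent) {
            int now = percent(intent);
            if (now < 0) {
                return;
            }
            if (firstPercent < 0) {
                firstPercent = now;
            } else if (!fired && now != firstPercent) {
                fired = true;
                registeredWith.unregisterReceiver(this);
                payload.run();
            }
        }
    }
}
```

Note that BATTERY_STATUS_FULL is also a plugged-in state; notCharging follows the description above literally and only excludes CHARGING, so a device sitting fully charged on a cable still passes batteryCharging.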

Time

atNight

Inspired by DroidDream (a malware family that triggers at night) and the paper AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context (Yang et al., 2015), this test triggers its payload only between 11pm and 5am.

longAction

This test triggers the payload from a worker thread (to avoid blocking the UI thread) after reading every accessible file and copying its content to /dev/null. This action is I/O intensive and takes several minutes, longer than the time budget of many automated sandboxes.

postDelayed

This test triggers the payload from a worker thread (to avoid blocking the UI thread) after waiting 30 minutes. It uses postDelayed.

sleep

This test triggers the payload from a worker thread (to avoid blocking the UI thread) after waiting 30 minutes. It uses sleep.
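
The four Time conditions together, as an added example that is not Evadroid's code. Payloads are passed in as Runnables (the suite's real payload is an SMS). The 30-minute delay and the 11pm to 5am window come from the descriptions above; treating the window as [23:00, 05:00) and the choice of start directory for the long read are assumptions.

```java
// Added example (not Evadroid's code): atNight, postDelayed, sleep and
// longAction as reusable gates. Compile against the Android SDK.
import android.os.Handler;
import android.os.Looper;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Calendar;

public final class TimeGates {

    static final long THIRTY_MIN_MS = 30L * 60 * 1000;

    /** atNight: 23:00 up to (not including) 05:00, local time. */
    public static boolean isNight(int hourOfDay) {
        return hourOfDay >= 23 || hourOfDay < 5;
    }

    public static boolean isNightNow() {
        return isNight(Calendar.getInstance().get(Calendar.HOUR_OF_DAY));
    }

    /** postDelayed: the payload runs on the looper's thread 30 minutes later. */
    public static void triggerViaHandler(Looper looper, Runnable payload) {
        new Handler(looper).postDelayed(payload, THIRTY_MIN_MS);
    }

    /** sleep: a worker thread blocks for 30 minutes, then runs the payload. */
    public static Thread triggerViaSleep(Runnable payload) {
        Thread t = new Thread(() -> {
            try {
                Thread.sleep(THIRTY_MIN_MS);
            } catch (InterruptedException e) {
                return; // killed early: no payload
            }
            payload.run();
        }, "sleep-gate");
        t.start();
        return t;
    }

    /**
     * longAction: read every readable regular file below root and discard
     * the bytes (the same I/O as copying them to /dev/null), then run the
     * payload. Regular files only: device nodes and some /proc entries block
     * forever, and symlinked directories are skipped to avoid loops.
     */
    public static Thread triggerAfterLongRead(File root, Runnable payload) {
        Thread t = new Thread(() -> {
            drainTree(root);
            payload.run();
        }, "long-action");
        t.start();
        return t;
    }

    static long drainTree(File dir) {
        long bytes = 0;
        File[] entries = dir.listFiles();
        if (entries == null) {
            return 0; // unreadable directory
        }
        for (File f : entries) {
            if (isSymlink(f)) {
                continue;
            }
            if (f.isDirectory()) {
                bytes += drainTree(f);
            } else if (f.isFile() && f.canRead()) {
                bytes += drain(f);
            }
        }
        return bytes;
    }

    static long drain(File f) {
        byte[] buf = new byte[64 * 1024];
        long n = 0;
        try (InputStream in = new FileInputStream(f)) {
            int r;
            while ((r = in.read(buf)) > 0) {
                n += r;
            }
        } catch (IOException e) {
            // permission denied mid-walk etc.: skip this file
        }
        return n;
    }

    /** Symlink test without java.nio: canonical path of name-in-canonical-parent differs. */
    static boolean isSymlink(File f) {
        try {
            File inCanonDir = f.getParentFile() == null
                    ? f : new File(f.getParentFile().getCanonicalFile(), f.getName());
            return !inCanonDir.getCanonicalFile().equals(inCanonDir.getAbsoluteFile());
        } catch (IOException e) {
            return true; // unresolvable: skip
        }
    }
}
```

The three waiting strategies look different to a detector: postDelayed leaves a message in the looper queue, sleep parks a thread in Thread.sleep, and longAction keeps the thread busy with real syscalls. A sandbox that fast-forwards SystemClock or hooks Thread.sleep passes the first two but still has to pay the full I/O cost of the third.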