Android Malware and Analysis
by the sandbox, preventing changes to the system. Samples of suspicious applications run in that simulated environment let antimalware applications know which application is potentially dangerous. Ultimately, a sandbox is an evaluation environment for malware analysis that enables detailed tracing and a clear view of the malware's actions on an infected host. A sandbox is also a controlled environment, which is far safer than running the code dynamically on a production host.
That environment offers many advantages, one being that the analyst gets a series of almost immediate results. Other similar projects that provide this type of analysis for x86, like the well-known Cuckoo Sandbox project by Claudio Guarnieri, implement every sandbox functionality, making it easier for users to understand how malware reacts in an operating system. This process may seem quite optimal, but like most automated processes it has a number of limitations. It is vital that an analyst understands sandboxing in malware analysis in order to determine whether further analysis is required.
Sandboxing offers many advantages over classical analysis methodologies, but its main limitation has to do with the way the malware is discovered: it is being executed in a sandbox environment and may therefore behave differently, feigning to be a legitimate application. The malware can perform different tests to ascertain what kind of environment it is executing in and to probe the differences from a real device (e.g., installed applications, application version, Internet connection). Therefore, inferences and implications based on this analysis may lead analysts to conclude that the executable they are examining is legitimate. In reality, the program is malware that is not running as expected because it has detected that it is being executed within an analysis environment.
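The evasion problem just described is something an analyst can check for before trusting a quiet sandbox run. The following Python triage script is an added example, not code from the chapter or from any sandbox project: it scans constructed smali lines from a decompiled sample for the environment-probing API categories named above (installed applications, Internet connection, device identity) and flags the sample for a second look on a real device. The indicator table and the sample lines are assumptions constructed for illustration.

```python
"""Heuristic triage for the sandbox limitation described above: flag
environment-probing calls in a decompiled Android sample so the analyst
knows a clean dynamic result may deserve a second run on a real device.
Indicator table and the smali excerpt below are constructed examples."""
import re
from collections import defaultdict

# Category -> regexes matched against smali invoke/sget lines.
# Hypothetical table: benign apps use these APIs too, so this is a hint.
PROBE_INDICATORS = {
    "installed_applications": [
        r"Landroid/content/pm/PackageManager;->getInstalled(Applications|Packages)",
    ],
    "internet_connection": [
        r"Landroid/net/ConnectivityManager;->getActiveNetworkInfo",
    ],
    "device_identity": [
        r"Landroid/os/Build;->(FINGERPRINT|MODEL|HARDWARE)",
        r"Landroid/telephony/TelephonyManager;->getDeviceId",
    ],
}

def find_probes(smali_lines):
    """Return {category: [1-based line numbers]} for every indicator hit."""
    hits = defaultdict(list)
    for lineno, line in enumerate(smali_lines, start=1):
        for category, patterns in PROBE_INDICATORS.items():
            if any(re.search(p, line) for p in patterns):
                hits[category].append(lineno)
    return dict(hits)

def needs_manual_review(hits, min_categories=2):
    """Two or more distinct probe categories suggest the app fingerprints
    its environment before acting, so the sandbox verdict is unreliable."""
    return len(hits) >= min_categories

# Constructed smali excerpt standing in for a decompiled sample.
SAMPLE_SMALI = [
    "invoke-virtual {v0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;",
    "invoke-virtual {v1, v2}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;",
    "sget-object v3, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
    "invoke-virtual {v4}, Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;",
    "invoke-static {}, Lcom/example/app/Payload;->run()V",
]
if __name__ == "__main__":
    found = find_probes(SAMPLE_SMALI)
    for category, lines in sorted(found.items()):
        print(f"{category}: smali lines {lines}")
    print("manual review:", needs_manual_review(found))
```

A hit only says the sample looks at its surroundings; the analyst still has to compare the sandbox trace with a run on a physical device to confirm divergent behavior.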
At this point, and knowing these limitations, the approach of this chapter is to create an environment in our own infrastructure to analyze threats in an easy and understandable way. For this you should know how Android works and what its base architecture is, both at the system and application levels. In this chapter, we will create a sandbox based on the two types of analysis—static and dynamic—that are supported by different tools.
Static analysis investigates properties of software that can be determined by inspecting the application and its source code. The