Smartphones, in general, and Android, in particular, are increasingly
the focus of cybercriminals’ attacks. Because the number of threats
has grown in the last years, researchers have found a clear necessity
to introduce automated analysis for mobile. For this reason we have
designed a system to automatically analyze Android applications. is
approach blends dierent analysis techniques including static and
dynamic. is technique, also known as sandboxing, uses the results
of the static analysis to complete the dynamic analysis (Figure8.1).
We will make a brief introduction for those readers who are not so
acquainted with this technology.
Sandboxing consists of creating a virtual stage between the sys-
tem and an application; a more representative example is the common
stage of a malware infection interacting between the browser and the
operation system. is virtual scene designated sandbox may be a
machine or multiple virtual machines with an operating system. e
virtual machine uses the performances of ROM BIOS, simulated,
hardware, and software.
e sandbox emulates the complete sequence of events for a normal
system, loading the operating system les and the command structure
from the virtual unity. e sandbox contains necessary directories and
les of the system, adjusting the virtual system les to the physical
When samples are analyzed using a sandbox environment, the
changes that malware performs on the operating system are intercepted
Figure 8.1 Simple sandbox process.
android Malware and analysis
by the sandbox, preventing changes to the system. Shares of suspi-
cious applications in that simulated environment allow antimalware
applications know which application would be potentially dangerous.
Ultimately, a sandbox is an evaluation environment for malware
analysis that enables advanced tracing and clarity of malware actions
on an infected host. A sandbox is also a controlled environment which
is far safer than running code dynamically on a production host.
at environment oers many advantages, one being that the ana-
lyst gets a series of almost immediate results. Other similar projects
that provide this type of analysis x86, like the known Cuckoo Sandbox
project of Claudio Guarrineri, allows implementation of every sandbox
functionality, making it easier for users to understand the reaction of
malware in an operating system. Possibly, this process seems quite opti-
mal but like most automated processes has a number of limitations. It is
vital that an analyst understands sandboxing in the analysis of malware
in order to help the analyst to determine if another analysis is required.
Sandbox oers many advantages over classical analysis methodologies,
but unfortunately the main limitation has to do with the way that the
malware is discovered, which is being executed in a sandbox environment,
and therefore acts with other behavior feigning to be a legitimate appli-
cation. e malware can perform dierent tests to ascertain what kind
of environment is executed and prove the limitations with a real device
(e.g., installed applications, application version, Internet connection).
erefore, inferences and implications based on this analysis may lead
analysts to conclude that the executable that they are using is legitimate.
In reality, the program is malware that is not running as expected because
it has detected that it is being executed within an analysis environment.
At this point and knowing the limitations, the approach of this chapter
is to create an environment in our infrastructure to analyze threats in an
easy and understandable way. For this you should know how Android
works and what its base architecture is, both at the system and application
levels. In this chapter, we will create a sandbox based on the two types of
analysis—static and dynamic—that are supported by dierent tools.
Static analysis researches properties of software that can be investi-
gated by the inspection of the application and its source code. e