Artifacts Analysis

Artifacts are imperfections that make a sandbox distinguishable from a real device. To put ourselves in attacker’s shoes, we studied the Android sen- sors API in order to find out which sensors artifacts malware could leverage to evade dynamic analysis. First, we analyzed real smartphones such as LG/Google Nexus 5 and 5X, Samsung Galaxy S5 and S6, Galaxy Ace Plus, and Asus ZenFone 2. These real devices were running different operating system versions, ranging from Android 2.3 (API level 9) to Android 7 (API level 24), which is the most recent release at the time of writing. Then, we analyzed how emulators supports sensors. In this analysis, we considered Android SDK’s emulator and Genymotion (free plan), given their popular- ity among developers. On one hand, the Android SDK provides a mobile device emulator based on QEMU (QEMU from now on). Such emulator uses Android Virtual Device (AVD) configurations to customize the em- ulated hardware platform. Moreover, QEMU includes a log console and it can simulate interrupts and latency on the network [16]. On the other hand, Genymotion is a third party emulator, but it is compatible with Android SDK tools. Genymotion allows developers to control features like the cam- era, the GPS and battery charge levels. Most of the features of Genymotion are also manageable through a Java API [83].

The first discrepancy we noticed is that both emulators support a limited set of sensors. In Table 7.1, we show that QEMU simulates nearly as many sensors as an entry-level smartphone embeds (e.g., Galaxy Ace), but Geny- motion only simulates the accelerometer. Despite in Table 7.1 we report our findings only focusing on three real mobile devices (due to lack of space), we verified that the other devices at our disposal exhibit similar characteris- tics. The developers of Android defined some types of sensors (i.e., the ones whose names begin with android.sensor.*). For such sensors, the getType method returns an integer number less than or equal to 100. Moreover, ven- dors can introduce custom sensors, i.e., the sensors for which getStringType returns a string that begins with com.google.sensor.* in the Nexus 5X. Given this fact, we can argue that a malware author who wants to target as much users as possible will not rely on device-specific sensors. In addition to that, malware authors have to focus on sensors available in API level 9 in or-

getStringType getType API Lv. Nexus 5X Galaxy S5 Galaxy Ace QEMU Geny- motion android.sensor. accelerometer 1 3 3 3 3 3 3 magnetic field 2 3 3 3 3 3 7 orientation 3 3 3 3 3 3 7 gyroscope 4 3 3 3 7 7 7 light 5 3 3 3 7 3 7 pressure 6 3 3 3 7 3 7 temperature 7 3 7 7 7 3 7 proximity 8 3 3 3 3 3 7 gravity 9 9 3 3 3 7 7 linear acceleration 10 9 3 3 3 7 7 rotation vector 11 9 3 3 3 7 7 relative humidity 12 14 7 7 7 3 7

magnetic field uncalibrated 14 18 3 3 7 7 7

game rotation vector 15 18 3 3 7 7 7

gyroscope uncalibrated 16 18 3 3 7 7 7

significant motion 17 18 3 3 7 7 7

step detector 18 19 3 3 7 7 7

step counter 19 19 3 3 7 7 7

geomagnetic rotation vector 20 19 3 7 7 7 7

tilt detector 22 n/a 3 7 7 7 7

pick up gesture 25 n/a 3 7 7 7 7

com.google.

sensor.internal temperature 65536 n/a 3 7 7 7 7

sensor.sync 65537 n/a 3 7 7 7 7

sensor.double twist 65538 n/a 3 7 7 7 7

sensor.double tap 65539 n/a 3 7 7 7 7

sensor.window orientation 65540 n/a 3 7 7 7 7

Empty String 65558 n/a 7 3 7 7 7

Total 24 17 7 8 1

Table 7.1: Sensors availability in some of the tested devices.

der to target most of the devices (approximately 99.9% of the active devices according to Google Play [13]). As an example, API levels prior to 9 do not support the relative humidity sensor (TYPE RELATIVE HUMIDITY) [18].

In our analysis, we considered the sensors embedded in real devices and the ones simulated by virtual devices. For each sensor, we called all methods available in the Sensor class. As an example, in Table 7.2 we show the discrepancies in terms of return values for accelerometer methods on real and emulated Nexus 5X. In Table 7.2, we also include the return values for our proposal, which we discuss in details in Section 7.5. Malware authors can rely on those discrepancies to develop simple detection techniques (a single conditional statement is enough). We refer to these techniques as static heuristics, since they exploit an artifact due to the Android API, which is not related to events streams. Based on such value, the app decides whether to execute the malicious payload or to remain dormant. Another example is the proximity sensor, which is called Goldfish Proximity sensor in QEMU and RPR0521 proximity in the real Nexus 5X. The accelerometer, thanks to its wide availability, is particularly well suited for broad-spectrum heuristics.

Security and Privacy Threats on Mobile

Devices through Side-Channels Analysis R. Spolaor

A malware can leverage several methods for the same purpose, e.g., getFifoMaxEventCount in Algorithm 1. This second static heuristic checks the number of events that could be batched for the accelerometer. The number of events is not likely to be zero for real accelerometers, since they usually support batch mode (i.e., the ability of storing events in a hardware FIFO). Please notice that getMaxDelay may return zero on older real de- vices, hence a zero delay does not necessarily guarantee that the execution is taking place in an emulator [14]. In conclusion, an adversary could exploit most of the return values from the Sensor class for sandbox detection.

if accelerometer.getFifoMaxEventCount() == 0 then benign behavior

else

malicious behavior end

Algorithm 1: Static heuristic based on getFifoMaxEventCount method.

In the literature, researchers already pointed out the feasibility of dy- namic heuristics, in which they exploited sensors events that emulators gen- erate [159, 199]. We investigated further: for each real mobile device at our disposal, we registered callback methods to receive changes in sensors state. By applying the option SENSOR DELAY FASTEST, we got those states as fast as possible. In our experiments, we observed that collecting an incoming stream of events for ten seconds is enough for our purpose. We collected sensors data from real mobile devices in three different scenarios: lying on a table, while typing and leaving them in a pocket while walking. Then, we re- peated the data collection task on QEMU and Genymotion emulators. Such emulators allow only two modes of screen rotation: portrait and landscape. During our experiments, we were able to observe some differences be- tween real and emulated motion sensors. In real mobile devices, we noticed that motion sensors (e.g., the accelerometer) quickly oscillate among a small range of values, even when the device is lying on a flat surface. In emula- tors, we noticed that it is possible to stimulate the accelerometer by changing from landscape to portrait mode. In contrast, without rotating the screen, each motion sensor in emulators produce the same value. As an example, the accelerometer in QEMU constantly returns (0, 9.77622, 0.813417). Again in QEMU, rotating the screen has the sole effect of toggling the ac- celerometer values between (0, 9.77622, 0.813417) and (9.77622, 0, 0.813417) in portrait position and landscape mode, respectively. Table 7.3 records the constant values that each sensor in QEMU produces. It is wor- thy of note that some sensors in QEMU produce values only along one axis, so in Table 7.3 we mark the cells related to the other two axes as n/a. A similar logic applies to the accelerometer in Genymotion, which toggles between (-0, 9.81, 0) and (9.81, 6.0068924E-16, 0) in portrait and landscape mode, respectively. Regarding the events that sensors produce

Device getName getVendor getFifoMax- EventCount

Real BMI160 accelerometer Bosch 5736

QEMU Goldfish 3-axis

Accelerometer

The Android Open

Source Project 0

Genymotion Genymotion Accelerometer Genymobile 0

QEMU + Mirage BMI160 accelerometer Bosch 5736

Table 7.2: Example of return values for Nexus 5X accelerometer in real de- vices, vanilla emulators (i.e., QEMU and Genymotion) and QEMU enriched with Mirage.

Portrait Landscape

getStringType values[0] values[1] values[2] values[0] values[1] values[2]

android.sens

or.

accelerometer 0 9.77622 0.813417 9.77622 0 0.813417

magnetic field 0 0 0 0 0 0

light 0 n/a n/a 0 n/a n/a

pressure 0 n/a n/a 0 n/a n/a

proximity 1 n/a n/a 1 n/a n/a

relative humidity 0 n/a n/a 0 n/a n/a

Table 7.3: Constant values produced by sensors in QEMU, grouped by screen orientation.

whenever their accuracy changes, we observed no significant differences be- tween QEMU and a real mobile device lying on a table. However, during our experiments, Genymotion did not report any accuracy change, hence malware may exploit such imperfection to detect the emulator.

To show the detectability of the analyzed emulators, we implemented a fast dynamic heuristic that observes the variance of accelerometer val- ues. This heuristic consists in observing the variance of values along one accelerometer axis. Since by default such emulators are able to produce at most two different accelerometer values along one axis, if the accelerometer produces at least three different values it is likely to be on a real device. In general, static heuristics are faster than dynamic ones, because static heuristics do not require looping or waiting. Hence, the execution time of our dynamic heuristics depends on how fast sensors generate events, since it needs to retrieve at least three values in order to decide. For example, a malicious app that monitors proximity values may have to wait a long time before the user covers the proximity sensor. Until the user does not bring the smartphone to her ear, or until she covers the proximity sensor with an object, the malicious app cannot be sure that dynamic analysis is not taking place. For this reason, motion sensors are the best choice since they oscillate quickly even if the device is lying on a table. Unfortunately, dynamic heuristics that rely on sensors are harder to tackle than static ones. Indeed, an ideal countermeasure against such dynamic heuristics consist in simulating or replaying events.

Security and Privacy Threats on Mobile

Devices through Side-Channels Analysis R. Spolaor