Modern World Android Malware and Sandbox Evasion Techniques

Shivang Desai

Zscaler Inc

Abstract:

In the past decade, extensive research has been done in relation to Android sandbox evasion techniques. To evade sandbox analysis, a broad spectrum of anti-emulation techniques have been developed and adopted by adversaries. This seems to be effective at first but countermeasures are brought in, by the security community, to diminish the effectiveness of anti-emulation.

Despite the efforts, how is modern world Android malware succeeding in evading modern day Android Sandboxes? For example, Joker malware family effectively evades almost all the sandboxes, including the evasion of Google Play checks!

Our paper extensively focuses on evasion techniques employed by latest malware families we came across in <redacted> cloud in 2021 as well as malware families in the wild including bankers, spywares, ransomwares, Android botnets, etc.

Along with this, the paper talks about ways to detect such techniques in an automated manner and also discusses measures to be taken in order to overcome the evasion techniques. We will also talk about the efficacy of various sandboxes and their effectiveness in detecting anti-emulation techniques.

At the end, we will conclude the research with techniques that are hot favorites amongst the latest malware families and ways to combat them.

Key takeaways :

• Evasion techniques deployed by modern world Android Malware Families.
• An automated way to detect the evasion techniques.
• Analysis of various Android sandboxes and it’s efficacy against the evasion techniques.
• Ways to combat the techniques