{"id":7334,"date":"2017-04-13T07:50:00","date_gmt":"2017-04-13T15:50:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/13\/news-1125\/"},"modified":"2017-04-13T07:50:00","modified_gmt":"2017-04-13T15:50:00","slug":"news-1125","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/13\/news-1125\/","title":{"rendered":"Android malware anti-emulation techniques"},"content":{"rendered":"

Credit to Author: Bill Brenner| Date: Thu, 13 Apr 2017 15:35:54 +0000<\/strong><\/p>\n

\"\"The following report is by SophosLabs Android specialist\u00a0Chen Yu, with support from Android team members William Lee, Jagadeesh Chandraiah and\u00a0Ferenc L\u00e1szl\u00f3 Nagy.<\/span><\/em><\/p>\n

As the amount of Android malware grows, it follows every step of its Windows counterparts when it comes to techniques\u00a0used to evade emulators used for dynamic analysis.<\/span><\/p>\n

<\/span><\/p>\n

In this blog post, we’ll\u00a0show some of those anti-emulator techniques.<\/p>\n

An emulator\u00a0is hardware or software that allows\u00a0one computer (the host) to imitate\u00a0another computer (the guest). It\u00a0typically allows\u00a0the host system to run software or use peripheral devices designed for the guest system. In security, it’s a handy way to test malware behavior — which is why the malware creators want to disrupt it.<\/p>\n

Anti-emulation techniques are found in many different Android malware families, one being\u00a0the recent Android Adload adware found in Google Play.<\/p>\n

With that, here are six common anti-emulator techniques SophosLabs discovered:<\/p>\n

1.<\/span>\u00a0C<\/span>heck telephony services information<\/span><\/strong><\/p>\n

Emulator detecting\u00a0is all about spotting the difference between the environment that the emulator and real device provide. Firstly, the\u00a0deviceID, phone number, IMEI, and IMSI would be different on an emulator than on a real device. The\u00a0Android.os<\/i><\/span>.<\/i><\/span>TelephonyManager<\/i>\u00a0class provides methods to get the information. Applications can use the methods in this class to determine telephony services and states, and access some types of subscriber information, and register a listener to receive notification of telephony state changes. For example, it can use\u00a0getLine1Number<\/i><\/span> to get the phone number on line 1. On an emulator, it would be 1555521 with emulator\u2019s port number. If the port number is 5554<\/span>, t<\/span>he return value will be 15555215554.<\/span><\/p>\n

Andr\/RuSms-AT uses this code to detect the emulator:<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/span><\/strong><\/p>\n

2<\/span><\/strong>.<\/span>\u00a0\u00a0<\/span>Check build info<\/span><\/strong><\/p>\n

We\u2019ve found multiple malware families checking the build info to determine if it\u2019s running on an emulator.\u00a0<\/span>For example, this banker malware has the following anti-emulator code (click to enlarge):<\/span><\/p>\n

\"\"<\/a><\/p>\n

The strings are encrypted. After decrypting, it\u2019s checking this:\u00a0<\/span><\/p>\n

ctx.getSystemService(“phone”).getDeviceId().equals(“000000000000000”)<\/i><\/span><\/p>\n

Build.MODEL.contains(“google_sdk”)<\/i><\/span><\/p>\n

Build.MODEL.contains(“Emulator”)<\/i><\/span><\/p>\n

Build.MODEL.contains(“Android SDK”)<\/i><\/span><\/p>\n

Build.FINGERPRINT.startsWith(“generic”)<\/i><\/span><\/p>\n

Build.FINGERPRINT.startsWith(“unknown”)<\/i><\/span><\/p>\n

Build.MODEL.contains(“Android SDK built for x86”)<\/i><\/span><\/p>\n

Build.MANUFACTURER.contains(“Genymotion”)<\/i><\/span><\/p>\n

Build.BRAND.startsWith(“generic”) &&\u00a0Build.DEVICE.startsWith(“generic”)<\/i><\/span><\/p>\n

The function above is called by a broadcast receiver. In the app manifest, this receiver is defined to receive\u00a0android.intent.action.BOOT_COMPLETED<\/i> and android.intent.action.SCREEN_ON<\/i>. That means it\u2019s called every time the phone is booted and awoken\u00a0from sleep. It\u2019s a common place for malware to launch their malicious actions. But as showed below, this malware won\u2019t do anything if the emulator checking function returns “True.”<\/span><\/p>\n

\u00a0\"\"<\/a><\/span><\/p>\n

\u00a0<\/span>3.<\/span>\u00a0\u00a0<\/span>Check system properties<\/span><\/strong><\/p>\n

Another way is to check system properties. Some system properties on an emulator are different from those on real devices. For example, device brand, hardware and model.\u00a0<\/span>This table shows\u00a0some of the\u00a0system property values on an emulator:<\/span><\/p>\n\n\n\n\n\n\n\n\n\n
\n

Property<\/span><\/p>\n<\/td>\n

\n

Value indicates emulator<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ro.bootloader<\/span><\/p>\n<\/td>\n

\n

Unknown<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ro.bootmode<\/span><\/p>\n<\/td>\n

\n

Unknown<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ro.hardware<\/span><\/p>\n<\/td>\n

\n

Goldfish<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ro.product.model<\/span><\/p>\n<\/td>\n

\n

Sdk<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ro.product.device<\/span><\/p>\n<\/td>\n

\n

Generic<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ro.product.name<\/span><\/p>\n<\/td>\n

\n

Sdk<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span>4.<\/span>\u00a0\u00a0<\/span>Check presence of emulator related files.<\/span><\/strong><\/p>\n

This is another technique found in malware samples. They check if QEMU (Quick Emulator) or other emulator-related files exist. For example this piece of code is found in a Andr\/Pornclk variant.\u00a0<\/span><\/p>\n

\u00a0\"\"<\/a><\/span><\/p>\n

5.<\/span>\u00a0<\/span>Check debugger and installer<\/span><\/strong><\/p>\n

This one is not an anti-emulator but its\u00a0purpose is\u00a0also to obstruct the dynamic analysis. Like this skinner adware reported by\u00a0checkpoint<\/span><\/a>, it uses\u00a0<\/span>Debug.isDebuggerConnected()<\/i><\/span> <\/i>and\u00a0<\/i><\/span>Debug.waitingForDebugger()<\/i><\/span>\u00a0<\/i><\/span>to check if a debugger exists. More interesting, it also gets the installer using\u00a0<\/span>getInstallerPackageName<\/i><\/span>\u00a0and sees if it\u2019s installed by Google Play (<\/span>com.android.vending<\/i><\/span>).\u00a0<\/i>So\u00a0<\/i><\/span>if you install\u00a0the program to a device\u00a0with adb, like most analysts do, the application won’t<\/span> work.<\/span><\/p>\n

\u00a0<\/span>6. Time bomb<\/span><\/strong><\/p>\n

This is another way many malware\/adware families hide themselves from dynamic analysis. After installation, they await a certain time until they start their activities. For example, the configuration file below has been seen in an adware sample:<\/span><\/p>\n

\u00a0 “settings”: {<\/span><\/p>\n

\u00a0\u00a0\u00a0 “adDelay”: 180000,<\/span><\/p>\n

\u00a0\u00a0\u00a0 “firstAdDelay”: 86400000,<\/span><\/p>\n

\u00a0\u00a0\u00a0 “unlockDelay”: 2,<\/span><\/p>\n

\u00a0\u00a0\u00a0 “bannerDelay”: 180000,<\/span><\/p>\n

\u00a0\u00a0\u00a0 “bannerPreDelay”: 10000,<\/span><\/p>\n

\u00a0\u00a0\u00a0 “bannersPerDay”: 25<\/span><\/p>\n

},<\/span><\/p>\n

firstAdDelay<\/i> is the millisecond until the first advertisement is delivered, 24 hours in this case. This can prevent the user from getting suspicious as well.<\/span><\/p>\n

We believe Android malware and adware writers will continue to weave anti-emulation techniques into their code, as they have had a fair degree of success in doing so thus far. Security companies must match them with better detection methods.<\/span><\/p>\n

Reference:<\/span><\/strong><\/p>\n

https:\/\/github.com\/strazzere\/anti-emulator<\/a><\/span><\/p>\n

http:\/\/blog.checkpoint.com\/2017\/03\/08\/skinner-adware-rears-ugly-head-google-play\/<\/a><\/span><\/p>\n

Filed under: Corporate<\/a>, SophosLabs<\/a> Tagged: Android<\/a>, malware<\/a>, SophosLabs<\/a>
http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Bill Brenner| Date: Thu, 13 Apr 2017 15:35:54 +0000<\/strong><\/p>\n

The following report is by SophosLabs Android specialist\u00a0Chen Yu, with support from Android team members William Lee, Jagadeesh Chandraiah and\u00a0Ferenc L\u00e1szl\u00f3 Nagy. As the amount of Android malware grows, it follows every step of its Windows counterparts when it comes to techniques\u00a0used to evade emulators used for dynamic analysis. In this blog post, we’ll\u00a0show some […]\"\"<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[10462,10379,3764,10383],"class_list":["post-7334","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-android","tag-corporate","tag-malware","tag-sophoslabs"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7334"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7334\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7334"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}