GroddDroid: a Gorilla for Triggering Malicious Behaviors

Abstract: Android malware authors use sophisticated techniques to hide the malicious intent of their applications. They use cryptography or obfuscation to avoid detection during static analysis, and they can also evade dynamic analysis: frequently, the malicious execution is postponed until the malware is convinced that it is running on a real smartphone belonging to a real user. However, we believe that dynamic analysis methods give good results when they really monitor the malware execution. In this article, we propose a method to enhance the execution of the malicious code of unknown malware. We especially target malware that has triggering protections, for example branching conditions that wait for an event or expect a specific value of a variable before triggering the malicious execution. In these cases, merely executing the malware is far from sufficient. We propose to force the triggering of the malicious code by combining two contributions. First, we define an algorithm that automatically identifies potentially malicious code. Second, we propose an enhanced monkey called GroddDroid that stimulates the GUI of an application and, when needed, forces the execution of some branching conditions. GroddDroid uses this forcing to push the execution flow towards the previously identified malicious parts of the malware and execute them. The source code for our experiments with GroddDroid is released as free software. We have verified on a manually investigated malware dataset that the malicious code is accurately executed by GroddDroid. Additionally, on a larger dataset of 100 malware samples, we precisely identify the nature of the suspicious code and succeed in executing it in 28% of the cases.
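As an added illustration of the branch forcing the abstract describes (this is not GroddDroid's own code, and the paper's identification of potentially malicious code is replaced here by a hand-picked list of suspicious API prefixes; the smali listing, the `Env` and `Payload` class names and the API list are all constructed assumptions), the following Python script takes a Dalvik method listing, finds each conditional jump for which exactly one successor can reach a suspicious call, and rewrites that jump into an unconditional `goto` or a `nop` so that the guarded code is executed:

```python
# Branch forcing on a Dalvik (smali) method listing. Added illustration, not
# GroddDroid's code: the suspicious-API list and the sample method are constructed.
import re

# Stand-in for the paper's scoring of potentially malicious code (assumption):
# any invoke that names one of these prefixes is treated as suspicious.
SUSPICIOUS_APIS = ("Landroid/telephony/SmsManager;", "Ljava/lang/Runtime;->exec")

# Constructed sample, not taken from a real malware: the premium-SMS payload only
# runs when the emulator check fails and an SMS_RECEIVED broadcast arrives.
SAMPLE_SMALI = """\
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 2
    invoke-static {}, Lcom/example/Env;->isEmulator()Z
    move-result v0
    if-nez v0, :bail
    invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;
    move-result-object v1
    const-string v0, "android.provider.Telephony.SMS_RECEIVED"
    invoke-virtual {v1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    if-eqz v0, :bail
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-static {v0}, Lcom/example/Payload;->sendPremiumSms(Landroid/telephony/SmsManager;)V
    goto :done
    :bail
    nop
    :done
    return-void
.end method
"""

_LABEL = re.compile(r"^:\w+$")
_BRANCH = re.compile(r"^(if-\w+|goto(?:/\d+)?)\b.*?(:\w+)\s*$")


def _is_suspicious(line):
    op = line.strip()
    return op.startswith("invoke") and any(api in op for api in SUSPICIOUS_APIS)


def suspicious_lines(lines):
    """Indices of invoke instructions that hit a suspicious API."""
    return [i for i, ln in enumerate(lines) if _is_suspicious(ln)]


def _label_positions(lines):
    return {ln.strip(): i for i, ln in enumerate(lines) if _LABEL.match(ln.strip())}


def _successors(lines, labels, i):
    """Control-flow successors of line i; labels and directives fall through."""
    op = lines[i].strip()
    if op == ".end method" or op.startswith(("return", "throw")):
        return []
    m = _BRANCH.match(op)
    if m:
        target = labels[m.group(2)]
        return [target] if m.group(1).startswith("goto") else [i + 1, target]
    return [i + 1] if i + 1 < len(lines) else []


def reaches_suspicious(lines, labels, start):
    """Depth-first search: can execution from line `start` reach a suspicious call?"""
    seen, stack = set(), [start]
    while stack:
        i = stack.pop()
        if i in seen:
            continue
        seen.add(i)
        if _is_suspicious(lines[i]):
            return True
        stack.extend(_successors(lines, labels, i))
    return False


def force_branches(smali):
    """Rewrite conditional jumps so the path towards suspicious code is always taken.

    Taken edge alone reaches it -> unconditional `goto`; fall-through alone reaches
    it -> `nop`; both or neither -> untouched. Returns (listing, [(index, before, after)]).
    """
    lines = smali.splitlines()
    labels = _label_positions(lines)
    out, changes = list(lines), []
    for i, ln in enumerate(lines):
        m = _BRANCH.match(ln.strip())
        if not m or not m.group(1).startswith("if-"):
            continue
        indent = ln[: len(ln) - len(ln.lstrip())]
        via_fall = reaches_suspicious(lines, labels, i + 1)
        via_taken = reaches_suspicious(lines, labels, labels[m.group(2)])
        if via_taken and not via_fall:
            out[i] = f"{indent}goto {m.group(2)}"
        elif via_fall and not via_taken:
            out[i] = f"{indent}nop"
        else:
            continue
        changes.append((i, ln.strip(), out[i].strip()))
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    forced, edits = force_branches(SAMPLE_SMALI)
    for idx, before, after in edits:
        print(f"line {idx}: {before!r} -> {after!r}")
    print(forced)
```

On the sample both guards are turned into `nop`, so the payload runs regardless of the emulator check and of which broadcast arrived. Two caveats a practitioner should keep in mind: a forced path runs with whatever register and object state the skipped check left behind, so the reassembled APK (for example via apktool) can crash on the forced path, and a jump whose both successors reach suspicious code is deliberately left alone because forcing it would not make the suspicious code any more reachable.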
Document type: Conference papers

Cited literature: 24 references

https://hal.inria.fr/hal-01201743
Contributor: Jean-François Lalande
Submitted on: Tuesday, March 8, 2016 - 4:17:43 PM
Last modification on: Thursday, February 7, 2019 - 2:48:57 PM
Long-term archiving on: Sunday, November 13, 2016 - 10:45:44 AM

Files: malcon15-hal.pdf (produced by the author(s))

Citation

Adrien Abraham, Radoniaina Andriatsimandefitra, Adrien Brunelat, Jean-François Lalande, Valérie Viet Triem Tong. GroddDroid: a Gorilla for Triggering Malicious Behaviors. 10th International Conference on Malicious and Unwanted Software, Oct 2015, Fajardo, Puerto Rico. pp.119-127, ⟨10.1109/MALWARE.2015.7413692⟩. ⟨hal-01201743v2⟩
