Mobile Konami Codes: Analysis of Android Malware Services Utilizing Sensor And Resource-Based State Changes

Abstract

Challenges in static analysis of mobile malware have stimulated the need for emulated, dynamic analysis techniques. Unfortunately, emulating mobile devices is nontrivial because of the different types of hardware features onboard (e.g., sensors) and the manner in which users interact with their devices as compared to traditional computing platforms. To test this, our research focuses on the enumeration and comparison of static attributes and dynamic event values from sensors and resources within Android runtime environments on physical devices and within several online services’ analysis environments. Utilizing the results from enumeration, we develop two different Android applications that are successful in detecting and evading the emulated environments utilized by those mobile analysis services during execution. When ran on physical devices, the same applications successfully perform a pseudo-malware action and send device identifying information to our server.