Automated Android Malware Analysis with Cuckoo Sandbox – GSoC 2016

What is Cuckoo Sandbox ?

Cuckoo Sandbox is an open source automated malware analysis system. Cuckoo launches every program in a virtual machine (a sandbox) and performs various analyses on it. Up to now, Cuckoo has supported Windows, Linux, OS X and Android applications. The Android support in Cuckoo is brand new in version 2.0, and my work in GSoC 2016 is the first step towards improving the code coverage of the dynamic analysis for Android applications.

Google Summer of Code 2016

For the Google Summer of Code 2016, one of the projects at The Honeynet Project is integrating DroidBot into Cuckoo Sandbox. I have been working on this project for 3 months with my mentors: Jurrian Bremer and Hanno Lemoine.

I spent the whole time reimplementing DroidBot as an auxiliary module for the Cuckoo Android analyzer, which includes:

  • Refactoring DroidBot to make it compatible with the current design of Cuckoo Sandbox. DroidBot in Cuckoo Sandbox will only work with the dynamic event policy, because it is the best option for malware analysis: all interactions must be automated.
  • Improving the API library. Cuckoo Sandbox had a poor API library that only supported installing and executing samples, taking screenshots, dumping logs and launching the browser. Because DroidBot uses a third-party library, AndroidViewClient, and we do not want to bring the whole library into the Android analyzer, I collected the APIs that DroidBot requires and reimplemented them in the Cuckoo API library. These APIs can be used by other modules in the future.

And a big change that impacts the whole Cuckoo Sandbox system: the analysis configuration now supports the JSON format. This change makes the Cuckoo Sandbox analyzers more flexible. DroidBot takes advantage of it to pass static analysis results to the analyzer running inside the virtual machine.
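To make the point about configuration formats concrete, here is an added example (not Cuckoo's or DroidBot's own code) of a loader that accepts both a flat INI-style analysis.conf and a JSON document. The key names (`target`, `static`, `intent_actions`, `options`) and the sample contents are assumptions; the point is that only the JSON form can carry nested, typed data such as the list of intent actions that a static pass on the APK produces.

```python
"""Hypothetical loader for a Cuckoo-style guest analysis configuration.

Added example, not Cuckoo's own code. It shows why a JSON analysis
configuration lets a host-side module (such as DroidBot's static pass)
hand structured results to the analyzer inside the virtual machine,
while the legacy flat key=value format can only carry scalar strings.
All keys and sample values are constructed for this example.
"""
import configparser
import json
from dataclasses import dataclass, field


@dataclass
class AnalysisConfig:
    target: str                       # path of the sample inside the guest
    package: str = ""                 # APK package name (from static analysis)
    main_activity: str = ""
    intent_actions: list = field(default_factory=list)  # receiver actions declared in the manifest
    options: dict = field(default_factory=dict)


def parse_analysis_conf(text):
    """Parse either a JSON document or a legacy INI-style analysis.conf.

    The format is detected from the content, so the guest agent accepts
    either without being told which one the host wrote.
    """
    stripped = text.lstrip()
    if stripped.startswith("{"):
        data = json.loads(stripped)
        static = data.get("static", {})
        return AnalysisConfig(
            target=data["target"],
            package=static.get("package", ""),
            main_activity=static.get("main_activity", ""),
            intent_actions=list(static.get("intent_actions", [])),
            options=dict(data.get("options", {})),
        )
    parser = configparser.ConfigParser()
    parser.read_string(text)
    analysis = parser["analysis"]
    # Legacy format has no nesting, so a list has to be crammed into one string.
    actions = [a for a in analysis.get("intent_actions", "").split(",") if a]
    return AnalysisConfig(
        target=analysis["target"],
        package=analysis.get("package", ""),
        main_activity=analysis.get("main_activity", ""),
        intent_actions=actions,
        options=dict(parser["options"]) if parser.has_section("options") else {},
    )


# Constructed sample inputs (not taken from any real analysis).
LEGACY_CONF = """
[analysis]
target = /data/local/tmp/sample.apk
package = com.example.dropper
[options]
timeout = 120
"""

JSON_CONF = json.dumps({
    "target": "/data/local/tmp/sample.apk",
    "options": {"timeout": 120, "droidbot": True},
    "static": {
        "package": "com.example.dropper",
        "main_activity": ".MainActivity",
        "intent_actions": [
            "android.intent.action.BOOT_COMPLETED",
            "android.provider.Telephony.SMS_RECEIVED",
        ],
    },
})


if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("json", JSON_CONF)):
        cfg = parse_analysis_conf(text)
        print(name, cfg.package, cfg.intent_actions, cfg.options)
```

Note that the legacy parser returns every option as a string (`"120"`), whereas the JSON path preserves integers and booleans; an analyzer module that reads `options["timeout"]` no longer has to convert values itself.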

With DroidBot, Cuckoo now has the ability to automatically interact with Android applications by simulating many kinds of events:

  • Broadcasting intents.
  • Pressing keys.
  • Touching, dragging.
  • Typing.
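The following is an added example, not DroidBot's or Cuckoo's code, of how those events can be driven from inside the analyzer: each high-level event is encoded as an `adb shell` command (`input tap`, `input swipe`, `input keyevent`, `input text`, `am broadcast`), and a dynamic policy picks the next event from the current UI state rather than from a fixed script. The view-tree keys (`id`, `clickable`, `editable`, `scrollable`, `center`), the constructed screens and the `FakeDevice` stub are assumptions made so that the loop runs offline.

```python
"""Hypothetical dynamic event policy driving an Android guest over adb.

Added example, not DroidBot's or Cuckoo's own code. It maps touching,
dragging, key presses, typing and intent broadcasts onto `adb shell`
commands and chooses the next event from the current UI state. The
device is modelled by an in-memory stub; view-tree keys are assumed.
"""
import shlex
import subprocess


class AdbDevice:
    """Real transport: run argv through `adb -s <serial> shell`."""

    def __init__(self, serial):
        self.serial = serial

    def shell(self, argv):
        proc = subprocess.run(["adb", "-s", self.serial, "shell"] + argv,
                              capture_output=True, text=True, check=False)
        return proc.stdout

    def view_tree(self):
        # A real analyzer dumps the UI hierarchy (e.g. via uiautomator) here.
        raise NotImplementedError


class FakeDevice:
    """Offline stand-in: records commands and serves constructed screens."""

    def __init__(self, screens):
        self.screens = list(screens)
        self.commands = []

    def shell(self, argv):
        self.commands.append(" ".join(shlex.quote(a) for a in argv))
        return ""

    def view_tree(self):
        # Every dispatched event advances to the next screen; the last one repeats.
        return self.screens[min(len(self.commands), len(self.screens) - 1)]


# Event encoders: each returns the argv handed to `adb shell`.
def touch(x, y):
    return ["input", "tap", str(x), str(y)]

def drag(x1, y1, x2, y2):
    return ["input", "swipe", str(x1), str(y1), str(x2), str(y2)]

def key(keycode):
    return ["input", "keyevent", str(keycode)]

def type_text(text):
    return ["input", "text", text.replace(" ", "%s")]  # `input text` wants %s for spaces

def broadcast(action):
    return ["am", "broadcast", "-a", action]

KEYCODE_BACK = 4


def next_event(views, state, intent_actions):
    """Dynamic policy, in priority order: untouched clickable view, untyped
    editable view (tapped first by the rule above, so it has focus), unscrolled
    scrollable view, unsent declared intent, and finally BACK."""
    for v in views:
        if v.get("clickable") and v["id"] not in state["touched"]:
            state["touched"].add(v["id"])
            return touch(*v["center"])
    for v in views:
        if v.get("editable") and v["id"] not in state["typed"]:
            state["typed"].add(v["id"])
            return type_text("test input")
    for v in views:
        if v.get("scrollable") and v["id"] not in state["scrolled"]:
            state["scrolled"].add(v["id"])
            cx, cy = v["center"]
            return drag(cx, cy + 300, cx, cy - 300)  # scroll the view downwards
    for action in intent_actions:
        if action not in state["sent"]:
            state["sent"].add(action)
            return broadcast(action)
    return key(KEYCODE_BACK)


def run_policy(device, intent_actions, max_events):
    """Dispatch up to max_events events and return the argv of each one."""
    state = {"touched": set(), "typed": set(), "scrolled": set(), "sent": set()}
    dispatched = []
    for _ in range(max_events):
        ev = next_event(device.view_tree(), state, intent_actions)
        device.shell(ev)
        dispatched.append(ev)
    return dispatched


# Constructed screens: a message box, an "Activate" page, then a form with a list.
SCREENS = [
    [{"id": "btn_ok", "clickable": True, "center": (540, 1200)}],
    [{"id": "txt_info", "center": (540, 400)},
     {"id": "btn_activate", "clickable": True, "center": (540, 1500)}],
    [{"id": "edt_phone", "clickable": True, "editable": True, "center": (540, 600)},
     {"id": "lst_items", "scrollable": True, "center": (540, 1100)}],
]

if __name__ == "__main__":
    for ev in run_policy(FakeDevice(SCREENS), ["android.intent.action.BOOT_COMPLETED"], 8):
        print(" ".join(ev))
```

The policy is deterministic only with respect to what it has already done on each view id, which is why the sets in `state` matter: without them the loop would tap the same "OK" button forever instead of moving on to the intents and BACK, and the sample's later screens would never be reached.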

But there is also a limitation that we are facing:

  • We can't simulate incoming phone calls, SMS, etc. in the virtual environment. Previously, DroidBot could simulate these events by using the gsm service, but that requires DroidBot to connect to the device via a telnet connection. Because DroidBot now runs inside the virtual machine, we cannot make it work.

You can find all commits of the project during GSoC here.

How to get Cuckoo ?

The latest version of Cuckoo Sandbox is available on GitHub.

The improvement

To assess the improvement of the dynamic analysis, Android malware samples were chosen. Screenshots and logs ascertain the effectiveness of the integration.

Sample 1
Figure 1. Sandbox is started
Figure 2. The sample is installed and launched with a fake Adobe Flash Player screen
Figure 3. The sample pops up a message box
Figure 4. Cuckoo clicked the OK button
Figure 5. The sample asks for administrator permission
Figure 6. After Cuckoo automatically clicked the Activate button
Figure 7. A fraudulent screen
Figure 8. Cuckoo scrolls the view

Sensitive behaviours of the sample are logged:

Decode URL and HTTP parameters
Get device and network operator information
Get SIM information

Sample 2
Figure 9. The sample starts with a message box
Figure 10. After OK is clicked, a screen with pornographic content is shown
Figure 11. Cuckoo automatically scrolls the view
Figure 12. Cuckoo automatically interacts with the application

Collected sensitive behaviours:

The application finds a native library named libus.so
Get information about the device and network operator
Open files
Register receivers
Leak sensitive information

Conclusion

DroidBot has been successfully integrated into Cuckoo Sandbox. All goals for GSoC 2016 are met. The integration is the very first step in developing automated Android analysis functionality and will surely lead to further and faster improvements.

Thanks so much for taking the time to help with the project @bremer, @hanno and @yli.
