What is Cuckoo Sandbox?
Cuckoo Sandbox is an open source automated malware analysis system. Cuckoo launches every submitted program inside a virtual machine (a sandbox) and performs various analyses on it. Cuckoo currently supports Windows, Linux, OS X and Android applications. Android support is brand new in version 2.0, and my work during GSoC 2016 is the first step towards improving the code coverage of dynamic analysis for Android applications.
Google Summer of Code 2016
For Google Summer of Code 2016, one of the projects at The Honeynet Project was integrating DroidBot into Cuckoo Sandbox. I worked on this project for three months with my mentors: Jurriaan Bremer and Hanno Lemoine.
I spent the whole period reimplementing DroidBot as an auxiliary module for the Cuckoo Android analyzer, which included:
- Refactoring DroidBot to make it compatible with the current design of Cuckoo Sandbox. DroidBot inside Cuckoo Sandbox only works with the dynamic event policy, because it is the best option for malware analysis and all interactions must be automated.
- Improving the API library. Cuckoo Sandbox had a poor API library that only supported installing and executing samples, taking screenshots, dumping logs and launching the browser. DroidBot depends on the third-party library AndroidViewClient, and we did not want to bring the whole library into the Android analyzer, so I collected the APIs DroidBot requires and reimplemented them in the Cuckoo API library. Other modules can use these APIs in the future.
There is also a big change that affects the whole Cuckoo Sandbox system: the analysis configuration now supports the JSON format. This makes the Cuckoo Sandbox analyzers more flexible. DroidBot takes advantage of it to pass static analysis results to the analyzer running inside the virtual machine.
With DroidBot, Cuckoo can now automatically interact with Android applications by simulating many events:
- Broadcasting intents.
- Pressing keys.
- Touching, dragging.
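As an added illustration, not code from Cuckoo or DroidBot, the Python below sketches how the two pieces described above fit together: a loader that accepts the analysis configuration as JSON and falls back to the legacy INI form, and a dynamic event policy that turns static analysis results carried in that JSON into the `adb shell` commands (`am broadcast`, `input keyevent`, `input tap`, `input swipe`) that fire broadcasts, key presses, touches and drags. The `options.droidbot` key names, the sample package name and the intent actions are constructed assumptions; the policy only renders the command vectors so the script runs offline.

```python
"""Hypothetical DroidBot-style event policy fed from a JSON analysis config.
Illustration only: not Cuckoo's or DroidBot's own code."""
import configparser
import json
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a JSON analysis configuration carrying static-analysis
# results for the sample. The key names under options.droidbot are assumptions.
SAMPLE_CONFIG_JSON = json.dumps({
    "target": "sample.apk",
    "timeout": 120,
    "options": {
        "droidbot": {
            "package": "com.example.sample",
            "broadcast_actions": [
                "com.example.sample.action.SYNC",
                "com.example.sample.action.ALARM",
            ],
        }
    },
})

# Constructed sample in the legacy flat INI style: no room for nested data.
SAMPLE_CONFIG_INI = "[analysis]\ntarget = sample.apk\ntimeout = 120\n"


def load_analysis_config(text: str) -> dict:
    """Accept either the JSON form or the legacy INI form of the config.
    JSON is tried first because only it can carry structured static results."""
    try:
        return json.loads(text)
    except ValueError:
        parser = configparser.ConfigParser()
        parser.read_string(text)
        section = parser["analysis"]
        # The flat format cannot express a list of intent actions, so the
        # policy below will simply have no broadcasts to send.
        return {"target": section.get("target"),
                "timeout": section.getint("timeout"),
                "options": {}}


@dataclass(frozen=True)
class Event:
    kind: str      # "broadcast" | "key" | "touch" | "drag"
    args: tuple


def to_adb_args(event: Event) -> List[str]:
    """Render an event as the argument vector that would fire it via adb."""
    if event.kind == "broadcast":
        (action,) = event.args
        return ["adb", "shell", "am", "broadcast", "-a", action]
    if event.kind == "key":
        (keycode,) = event.args
        return ["adb", "shell", "input", "keyevent", keycode]
    if event.kind == "touch":
        x, y = event.args
        return ["adb", "shell", "input", "tap", str(x), str(y)]
    if event.kind == "drag":
        x1, y1, x2, y2, ms = event.args
        return ["adb", "shell", "input", "swipe",
                str(x1), str(y1), str(x2), str(y2), str(ms)]
    raise ValueError(f"unknown event kind {event.kind!r}")


KEYS = ("KEYCODE_BACK", "KEYCODE_HOME", "KEYCODE_MENU")


def build_candidates(static: dict, screen=(480, 800)) -> List[Event]:
    """Everything the policy may fire: broadcasts from the static results,
    a few hardware keys, a 3x3 grid of taps and two swipes across the screen."""
    w, h = screen
    events = [Event("broadcast", (a,)) for a in static.get("broadcast_actions", [])]
    events += [Event("key", (k,)) for k in KEYS]
    events += [Event("touch", (w * i // 4, h * j // 4))
               for i in (1, 2, 3) for j in (1, 2, 3)]
    events += [Event("drag", (w // 2, h * 3 // 4, w // 2, h // 4, 300)),
               Event("drag", (w * 3 // 4, h // 2, w // 4, h // 2, 300))]
    return events


class DynamicPolicy:
    """Fire each candidate once, in random order, so no interaction is
    repeated while untried ones remain; the seed keeps runs reproducible."""

    def __init__(self, config: dict, screen=(480, 800), seed: int = 0):
        static = config.get("options", {}).get("droidbot", {})
        self.pending = build_candidates(static, screen)
        self.rng = random.Random(seed)
        self.fired: List[Event] = []

    def next_event(self) -> Optional[Event]:
        if not self.pending:
            return None
        event = self.pending.pop(self.rng.randrange(len(self.pending)))
        self.fired.append(event)
        return event

    def run(self) -> List[List[str]]:
        """Drain the policy and return the adb commands it would execute."""
        commands = []
        while (event := self.next_event()) is not None:
            commands.append(to_adb_args(event))
        return commands


if __name__ == "__main__":
    for cmd in DynamicPolicy(load_analysis_config(SAMPLE_CONFIG_JSON)).run():
        print(" ".join(cmd))
```

Running it prints 16 commands for the JSON configuration and only 14 for the INI one, which is the practical reason for the JSON change: the two `am broadcast` commands exist only because the structured configuration could carry the receiver actions found by static analysis.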
But there is also a limitation that we are facing:
- We can't simulate incoming phone calls, SMS, etc. in the virtual environment. Previously, DroidBot could simulate these events through the gsm service, but that required DroidBot to connect to the device over a telnet connection. Because DroidBot now runs inside the virtual machine, this no longer works.
You can find all commits of the project during GSoC here.
How to get Cuckoo?
The latest version of Cuckoo Sandbox is available on GitHub.
To assess the improvement in dynamic analysis, Android malware samples were chosen as test cases. Screenshots and logs confirm the effectiveness of the integration.
Sensitive behaviours of the sample are logged:
Collected sensitive behaviours:
DroidBot has been successfully integrated into Cuckoo Sandbox. All goals for GSoC 2016 are met. The integration is the very first step towards automated Android analysis functionality and will surely lead to further and faster improvements.
Thanks so much for taking the time to help with the project @bremer, @hanno and @yli.