Project 5 - DroidBox: An Android Application Sandbox for Dynamic Analysis

Primary mentor: Anthony Desnos (FR)
Student: Patrik Lantz

Project Overview:
Recently there has been an increase in malicious Android applications showing up on both official and unofficial markets. A tool that, through sandboxing, provided an initial perspective on a package's behavior would reduce the risk of getting exposed to such malware.

To accomplish this, the sandbox will utilize a static pre-check, dynamic taint analysis and API monitoring. Data leaks can be detected by tainting sensitive data and placing taint sinks throughout the API. Additionally, by logging relevant API function parameters and return values, potential malware can be discovered and reported for further analysis.
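To illustrate the API-monitoring side described above (and the logcat-filter parsing planned as a milestone), here is an added example that is not part of the DroidBox project: a small Python logcat filter that pulls JSON events emitted by a sandbox log tag, flags network sends that carry tainted data as leaks, and collects SMS and crypto activity. The `DroidBox` tag, the event field names (`type`, `taint`, `dest`, `port`, ...) and the sample log lines are all constructed for this example, not DroidBox's real format.

```python
import json
import re
from collections import Counter

# Constructed logcat excerpt in an assumed JSON-per-line sandbox format.
SAMPLE_LOGCAT = """\
I/DroidBox ( 1234): {"ts": 1.02, "type": "opennet", "dest": "10.0.2.2", "port": 8080}
I/DroidBox ( 1234): {"ts": 1.35, "type": "sendnet", "dest": "10.0.2.2", "port": 8080, "taint": "IMEI"}
I/DroidBox ( 1234): {"ts": 2.10, "type": "sendsms", "number": "+15555550123", "taint": ""}
I/DroidBox ( 1234): {"ts": 2.40, "type": "cryptousage", "algorithm": "AES", "operation": "encryption", "taint": "LOCATION"}
D/dalvikvm( 1234): GC_CONCURRENT freed 123K, 51% free 2715K/5511K
I/DroidBox ( 1234): {"ts": 3.00, "type": "sendnet", "dest": "10.0.2.2", "port": 8080, "taint": ""}
"""

# Matches the "brief" logcat layout: PRIORITY/TAG( PID): message
LOGCAT_RE = re.compile(r'^[VDIWEF]/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$')


def parse_logcat(text, tag="DroidBox"):
    """Return the JSON events logged under `tag`; other lines and non-JSON messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m or m.group("tag") != tag:
            continue
        try:
            event = json.loads(m.group("msg"))
        except ValueError:
            continue  # a sandbox line that is not JSON (assumed possible); ignore it
        event["pid"] = int(m.group("pid"))
        events.append(event)
    return events


def summarize(events):
    """Classify events: a network send carrying a taint tag is a data leak."""
    summary = {"leaks": [], "sms": [], "crypto": [], "counts": Counter()}
    for ev in events:
        kind = ev.get("type")
        summary["counts"][kind] += 1
        tainted = bool(ev.get("taint"))
        if kind == "sendnet" and tainted:
            summary["leaks"].append((ev["taint"], ev["dest"], ev["port"]))
        elif kind == "sendsms":
            summary["sms"].append((ev["number"], ev["taint"] or None))
        elif kind == "cryptousage":
            summary["crypto"].append((ev["algorithm"], ev["operation"], tainted))
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize(parse_logcat(SAMPLE_LOGCAT)), indent=2))
```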

Project website: http://code.google.com/p/droidbox/

Project Plan:
These are the milestones for the project during GSoC:

i) 4 June - 10 July

  • Extend TaintDroid with new taint tags and add new taint sources for sensitive data. Put new taint sinks and API monitors throughout the framework
  • Implement Android service for parsing TaintLogs and receiving broadcasted Intents
  • Parse logs from the sandbox system with logcat filtering
  • Write some proof of concept Android applications to generate TaintLogs for debugging purpose. Additionally, test with real-world samples

ii) 11 July - 25 July

  • Support for starting an analysis in a clean emulator state by executing snapshot
  • Implement monkeyrunner script to perform static pre-check, sending control messages, executing activities and taking screenshots
  • Extend logcat filter to perform the analysis and add support for control messages coming from the monkeyrunner script

iii) 26 July - 15 August

  • Compile logs to generate summaries, treemaps and flow graphs accessible via an HTML output file
  • Write a command line utility to interact with the system, i.e., feeding samples and retrieving analyses
  • Enable classic debugging of dex bytecode if time allows
  • Documentation

Updates:

August 4th
Done last weeks:
- Implemented static pre-check of APK packages to parse permissions, activities and receivers
- Integrated pre-check with analysis output
- Automate analysis with monkeyrunner script

Planned this week and next (last):
- Generate behavior graph and treemap
- Analysis report in HTML format
- Fix bugs

July 18th
Done last week:
- Alpha release showing the features that are currently implemented
- Static pre-check: retrieve manifest package name, permissions, activities, services and receivers

Planned next week:
- Integrate the pre-check with runtime analysis
- Automate analysis with monkeyrunner scripts

July 11th
Done last week:
- Implemented logcatfilter parser: Parsing sandbox system logs and generating an initial report
- Changed sandbox logs to JSON format
- Mid-term evaluation submitted!

Planned next week:
- Alpha release
- Static pre-check on Android packages

July 4th
Done last week:
- Logging file operations (read & write)
- Began to test with Droidkungfu sample

Planned next week:
- Parsing logs (in JSON format) from the sandbox system
- Make enhancements to existing log output
- Submit mid-term evaluation on Friday, 11th July

June 27th
Done last week:
- Log attempts to send SMS and calling numbers. Started testing on real-world samples, see blog post on test result for Geinimi app.

Planned next week:
- Log behavior for read and write operations on files.

June 20th
Done last week:
- Logging keys and encrypted/decrypted data for AES and DES encryption using the javax.crypto lib. Also tainting encrypted data so that it's detected at the sinks. Logging database queries and tainting database strings.
- Added corresponding tests

Planned next week:
- Log sent SMS, email (using Intent.ACTION_SEND) and phone calls. Present blog post on test results with malware samples (DroidKungFu & Geinimi) concerning encryption.
- Add tests

June 13th
Done last week:
- Network activity is being logged, with and without tainted data. Logging hash parameters in crypto API as PoC
- Extended the test app. Log output is shown here: https://gist.github.com/1022843

Planned next week:
- Continue to add API hooks in the crypto API, taint data from databases and extend test app

Issues:
- Problems with the slow compilation process of the system image slowed the coding down a little bit

June 5th

Done last weekend:
- TaintDroid modifications: Alert usage of hashing through crypto API, logging destination port in network taint sink
- Test app: Wrote tests for the mentioned TaintDroid modifications

Planned next week:
- Continue to modify TaintDroid: taint data fetched from databases, dump all network traffic, log crypto API parameters
- Extend test app as new TaintDroid modifications are added. The app is mainly for testing if modifications are working by checking if TaintLogs are generated