DroidBox: alpha release
The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available at the project webpage.
At the moment, the following actions are logged during runtime:
- File read and write operations
- Cryptography API activity
- Opened network connections
- Outgoing network traffic
- Information leaks through the following sinks: network, file, sms
- Attempts to send SMS
- Phone calls that have been made
An analysis output looks like the following sample report:
____ __ ____
/\ _`\ [alpha] __ /\ \/\ _`\
\ \ \/\ \ _ __ ___ /\_\ \_\ \ \ \L\ \ ___ __ _
\ \ \ \ \/\`'__\ __`\/\ \ /'_` \ \ _ <' / __`\/\ \/'\
\ \ \_\ \ \ \/\ \L\ \ \ \/\ \L\ \ \ \L\ \ \L\ \/> \ \____/\ \_\ \____/\ \_\ \___,_\ \____/ \____//\_/\_\
\/___/ \/_/\/___/ \/_/\/__,_ /\/___/ \/___/ \//\/_/
^C [*] Collected 36 sandbox logs
[File activities]
-----------------
[Read operations]
-----------------
[1310660567.27] /data/data/droidbox.tests/files/myfilename.txt Fd: 28
[1310660567.29] /data/data/droidbox.tests/files/myfilename.txt Fd: 28
[1310660567.29] /data/data/droidbox.tests/files/myfilename.txt Fd: 28
[1310660567.3] /data/data/droidbox.tests/files/myfilename.txt Fd: 28
[1310660567.3] /data/data/droidbox.tests/files/output.txt?A? Fd: 28
[1310660567.31] /data/data/droidbox.tests/files/output.txt Fd: 28
[1310660567.32] /data/data/droidbox.tests/files/output.txt?A? Fd: 28
[1310660567.41] /data/data/droidbox.tests/files/output.txt Fd: 28
[Write operations]
------------------
[1310660567.23] /data/data/droidbox.tests/files/myfilename.txt Fd: 28
[1310660567.25] /data/data/droidbox.tests/files/output.txt?A? Fd: 28
[1310660567.26] /data/data/droidbox.tests/files/output.txt Fd: 28
[Crypto API activities]
-----------------------
[1310660567.47] Key:{0, 42, 2, 54, 4, 45, 6, 7, 65, 9, 54, 11, 12, 13, 60, 15} Algorithm: AES
[1310660567.48] Operation:{encryption} Algorithm: AES
Data:{000000000000000}
[1310660567.48] Key:{0, 42, 2, 54, 4, 45, 6, 7, 65, 9, 54, 11, 12, 13, 60, 15} Algorithm: AES
[1310660567.49] Operation:{decryption} Algorithm: AES
Data:{000000000000000}
[1310660567.5] Key:{0, 42, 2, 54, 4, 45, 6, 8} Algorithm: DES
[1310660567.5] Operation:{encryption} Algorithm: DES
Data:{000000000000000}
[1310660567.51] Key:{0, 42, 2, 54, 4, 45, 6, 8} Algorithm: DES
[1310660567.51] Operation:{decryption} Algorithm: DES
Data:{000000000000000}
[Network activity]
------------------
[Opened connections]
--------------------
[1310660567.58] Destination: code.google.com Port: 80
[1310660570.07] Destination: pjlantz.com Port: 80
[1310660573.26] Destination: pjlantz.com Port: 80
[Outgoing traffic]
------------------
[1310660567.64] Destination: code.google.com Port: 80
Data: GET /p/droidbox/ HTTP/1.1
[Intent receivers]
------------------
[Permissions bypassed]
----------------------
[Information leakage]
---------------------
[1310660567.26] Sink: File
File descriptor: 28
Tag: TAINT_CONTACTS
[1310660567.29] Sink: File
File descriptor: 28
Tag: TAINT_FILECONTENT
[1310660567.3] Sink: File
File descriptor: 28
Tag: TAINT_FILECONTENT
[1310660567.31] Sink: File
File descriptor: 28
Tag: TAINT_CONTACTS
[1310660567.41] Sink: File
File descriptor: 28
Tag: TAINT_CONTACTS
[1310660570.2] Sink: Network
Destination: pjlantz.com
Port: 80
Tag: TAINT_IMEI
Data: GET /imei.php?imei=c02c705e98588f724ca046ac59cafece65501e36
[1310660571.16] Sink: Network
Destination: pjlantz.com
Port: 80
Tag: TAINT_SMS
Data: GET /phone.php?phone=0735445281
[1310660572.2] Sink: Network
Destination: pjlantz.com
Port: 80
Tag: TAINT_SMS
Data: GET /msg.php?msg=Tjenare+hur+e+det
[1310660573.39] Sink: Network
Destination: pjlantz.com
Port: 80
Tag: TAINT_CONTACTS, TAINT_FILECONTENT
Data: GET /file.php?file=Write+a+line&Peppe
[1310660574.39] Sink: Network
Destination: pjlantz.com
Port: 80
Tag: TAINT_PACKAGE
Data: GET /app.php?installed=com.android.soundrecorder:com.android.gesture.builder:com.android.alarmclock:com.android.launcher:com.android.gallery:android:com.android.settings:com.android.providers.contacts:com.android.providers.applications:com.android.googlesearch:com.android.contacts:com.android.inputmethod.latin:com.android.phone:com.android.calculator2:droidbox.tests:com.android.providers.drm:com.android.htmlviewer:com.example.android.softkeyboard:com.android.term:com.android.providers.calendar:com.android.bluetooth:com.android.packageinstaller:com.android.development:com.android.calendar:com.android.browser:com.android.providers.telephony:com.android.music:com.android.providers.subscribedfeeds:com.svox.pico:com.android.camera:com.android.email:com.example.android.livecubes:com.android.providers.userdictionary:com.android.spare_parts:android.tts:com.android.providers.settings:com.android.mms:co
[1310660575.47] Sink: SMS
Number: 123456789
Tag: TAINT_IMEI
Data: dbd4e36bd5295531800c9596724361c4
[Sent SMS]
----------
[1310660575.45] Number: 0735445281
Message: Sending sms...
[Phone calls]
-------------
[1310660575.48] Number: 123456789
[1310660575.83] Number: 123456789
The development continues with static analysis of Android packages. More specifically, permissions, activities and registered Intent receivers are to be parsed from the Manifest file to coordinate with the dynamic analysis. Some of the features planned to be implemented are:
- Log incoming network traffic
- Dump content of file operations
- Detect apps with Intent receivers (example: apps monitoring incoming SMS)
- Log possible permissions that have been bypassed
The last milestone period is soon starting and the coding in this phase includes generating API flow graphs to better understand in what order the logged actions are executed. Additionally, generating treemaps on the sample behavior might ease the malware classification but will initially function as a proof-of-concept implementation.
