
GSoC 2017 Summary: ReDroid toolbox

12 Oct 2017 Roberto Tanara gsoc

This is a contribution by GSoC student Ziyue Yang; find him on GitHub as yzygitzh.

My project for GSoC 2017 was Android Sandbox Detection and Countermeasure, which resulted in the ReDroid toolbox. This post was written for the final evaluation of my GSoC 2017 project.

ReDroid is a toolbox for automatically detecting and countering anti-sandbox behaviors in Android apps. You can:

Before GSoC 2017 began, my GSoC mentor Yuanchun Li discussed the proposal for the GSoC project with me. Our general goal was to develop a mechanism that can counter the anti-sandbox techniques present in Android apps.

First, we raised three related research questions to solve:

  1. What sandbox-detection techniques are applied in Android apps, and how and to what extent are they applied?
  2. Is there a method capable of detecting such sandbox-detection techniques given a sample app?
  3. Is there an app analysis solution undetectable by common sandbox-detection methods?

After that, we came out with a plan with three stages:

  1. Investigating and collecting sandbox-detection techniques used in Android apps (especially malware), and implementing a sample app that uses those techniques.
  2. Implementing a detection-aware system, which can identify whether an Android app contains sandbox-detection techniques.
  3. Implementing an undetectable system. Such an undetectable system is able to automatically find the detection activities inside an Android app and apply countermeasures to them using the data collected in stage 2. In such a system, an app would believe that it is running on a real device.

Tasks | Status | Comments
--- | --- | ---
Investigating and collecting sandbox-detection techniques used in Android apps | Done | Investigated anti-emulator, DenDroid and a malware dataset provided by contagiominidump.blogspot.com
Implementing a detection-aware system | Done | Modified the Android source to enable robust and automatic trace collection; implemented a runtime trace collecting system based on DroidBot and a heuristic trace difference detection system
Implementing an undetectable system | Partly done | Implemented a dynamic control flow correction system based on JDWP and Xposed, which is capable of modifying method return values; modified the Android source to enable dynamic control flow correction without it being noticed by apps
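To make the stage-2 heuristic and its hand-off to stage 3 concrete, here is an added example that is not ReDroid's own code. It assumes a simple line-based trace format (`<class>.<method> -> <return literal>`) and two constructed traces of the same app, one recorded on a real device and one in an emulator; all method names and values are made up for the example. It locates the point where the two call sequences diverge, reports the methods that were called identically before that point but returned different values (the environment probes the app's branch depends on), and turns them into return-value replacement rules, keeping only the primitive and String types the post says are supported.

```python
"""Trace-difference heuristic for spotting sandbox probes (example code).

Both traces below are constructed for this example; the line format,
class and method names and return values are assumptions, not ReDroid's
real trace format or real app data.
"""
import difflib
import json
from typing import Dict, List, Optional, Tuple

# Constructed trace from a real device (not real data).
REAL_DEVICE_TRACE = """\
com.example.app.MainActivity.onCreate -> void
android.os.Build.getSerial -> "R58M12ABCDE"
android.telephony.TelephonyManager.getDeviceId -> "359881000000000"
com.example.app.EnvCheck.isEmulator -> false
com.example.app.MainActivity.continueNormally -> void
"""

# Constructed trace of the same app inside an emulator (not real data).
EMULATOR_TRACE = """\
com.example.app.MainActivity.onCreate -> void
android.os.Build.getSerial -> "unknown"
android.telephony.TelephonyManager.getDeviceId -> "000000000000000"
com.example.app.EnvCheck.isEmulator -> true
com.example.app.MainActivity.showBenignScreen -> void
"""

Event = Tuple[str, str]  # (fully qualified method, return value literal)


def parse_trace(text: str) -> List[Event]:
    """Split the assumed 'method -> literal' lines into (method, literal) pairs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, _, value = line.partition(" -> ")
        events.append((method.strip(), value.strip()))
    return events


def find_divergence(real: List[Event], emu: List[Event]) -> int:
    """Index of the first event where the call sequences differ (return values ignored)."""
    real_methods = [m for m, _ in real]
    emu_methods = [m for m, _ in emu]
    matcher = difflib.SequenceMatcher(a=real_methods, b=emu_methods, autojunk=False)
    for tag, i1, _i2, _j1, _j2 in matcher.get_opcodes():
        if tag != "equal":
            return i1
    return len(real_methods)  # traces never diverged


def candidate_probes(real: List[Event], emu: List[Event]) -> List[Tuple[str, str, str]]:
    """Methods executed identically on both sides before the divergence but with
    different return values. The last one is closest to the branch, which is
    usually the app's own aggregated 'am I sandboxed?' decision."""
    split = find_divergence(real, emu)
    probes = []
    for (rm, rv), (em, ev) in zip(real[:split], emu[:split]):
        if rm == em and rv != ev:
            probes.append((rm, rv, ev))
    return probes


def literal_type(value: str) -> Optional[str]:
    """Classify a return literal; only primitives and String are handled,
    mirroring the limitation stated in the post. Returns None otherwise."""
    if value in ("true", "false"):
        return "boolean"
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return "String"
    try:
        int(value)
        return "int"
    except ValueError:
        pass
    try:
        float(value)
        return "double"
    except ValueError:
        return None


def build_hook_rules(real: List[Event], emu: List[Event]) -> List[Dict[str, str]]:
    """Replacement rules for the emulator run: when `method` is hit, return the
    real-device literal instead of the emulator one. Unsupported types are skipped."""
    rules = []
    for method, real_val, emu_val in candidate_probes(real, emu):
        rtype = literal_type(real_val)
        if rtype is None:
            continue
        rules.append({"method": method, "return_type": rtype,
                      "emulator_value": emu_val, "replace_with": real_val})
    return rules


if __name__ == "__main__":
    rules = build_hook_rules(parse_trace(REAL_DEVICE_TRACE), parse_trace(EMULATOR_TRACE))
    print(json.dumps(rules, indent=2))
```

Running the block prints three rules, ordered by trace position; the last one (`EnvCheck.isEmulator` returning `false`) is the single replacement that would already steer the emulator run down the real-device branch, while the framework-level rules before it show which APIs the app probed to reach that decision.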

For more details, please visit this page

Future work:

  1. Support more complex method return types: currently ReDroid only supports return values of primitive types and String.
  2. Support more advanced method hooking: currently ReDroid only supports hooking methods selected by stack trace, and a hooked method can have only one return value.
  3. Wrap ReDroid to make it usable for most people: to run ReDroid, one has to configure a real device and emulators, which is much too complicated for normal users. ReDroid could be wrapped into a cloud service in the future.