My project for GSoC 2017 is Android Sandbox Detection and Countermeasure, which came out to be the ReDroid toolbox. Most of the plans made before are cleared. This post is presented for the final evaluation for my GSoC 2017 project.

Project overview

ReDroid is a toolbox for automatically detecting and countering anti-sandbox behaviors in Android apps. You can:

What we planned

Before GSoC 2017 begins, my GSoC mentor Yuanchun Li discussed with me about the proposal for the GSoC project. Generally our goal is to develop some mechanism that can counter anti-sandbox techniques presented in Android apps.

First, We raised three related research questions to solve:

  1. What sandbox-detection techniques are applied in Android apps, and how and to what extent are they applied?
  2. Is there a method capable of detecting such sandbox-detection techniques given a sample app?
  3. Is there an app analysis solution undetectable by common sandbox-detection methods?

After that, we came out with a plan with three stages:

  1. Investigating and collecting sandbox-detection techniques used in Android app (especially malware), and implementing a sample app using those techniques.
  2. Implementing a detection-aware system, which can identify whether an Android app has sandbox-detection techniques inside.
  3. Implementing an undetectable system. Such undetectable system is able to automatically find the detection activities inside an Android app, and convey countermeasures for them using data collected from 2). In such a system, an app would believe that it’s running on as a real device.

What I have done

Tasks     Status     Comments

Investigating and collecting sandbox-detection techniques used in Android app

Done

Investigated anti-emulator, DenDroid and a malware dataset provided by contagiominidump.blogspot.com

Implementing a detection-aware system

Done

Modified Android source to enable robust and automatic trace collection; Implemented a runtime trace collecting system based on DroidBot and a heuristic trace difference detection system

Implementing an undetectable system

Partly
Done

Implemented a dynamic control flow correction system based on JDWP and Xposed, which is capable for modifying method return values; Modified Android source to enable dynamic control flow correction without known by apps


For more details, please visit this page

What I haven’t done yet & future work

  1. Support more complex method return types: currently ReDroid only supports return values of primitive types and String type.
  2. Support more advanced method hooking: currently ReDroid only supports hacking methods according to stack trace, and the methods hacked can have only one return value.
  3. Wrap ReDroid to make it usable for most people: to run ReDroid, one has to configure real device and emulators, which is much too complicated for normal users. ReDroid can be wrapped into a cloud service in the future.