TraceDroid: A Fast and Complete Android Method Tracer presented at HITBSecConf Malaysia 2013

by Victor Veen

Summary: Recent reports show that Android is responsible for 92% of all known mobile malware. From March 2012 to March 2013, the number of mobile malware samples grew by 614 percent to 276,259 detected apps [1]. With a shipment of a billion Android-based devices expected in 2017 [2], we need to be able to quickly detect and quarantine these malicious applications.
Tools have been proposed to ease the analysis of unknown applications. Projects like AndroGuard, APKinspector and Dexter, or Dex2Jar/JD-Gui, are excellent tools for performing static analysis on Android apps and dissecting potentially malicious code. Static analysis of obfuscated apps, however, can be a very complex and time-consuming process, as was shown recently with the discovery of the ‘most sophisticated Android Trojan’ (Backdoor.AndroidOS.Obad.a), which uses reflection and encryption to obfuscate its functionality.
To overcome these problems, dynamic analysis platforms have been implemented, including Mobile-Sandbox, CopperDroid, Joe Security, Andrubis, and DroidBox. Except for DroidBox, these platforms provide a web interface where users can submit Android packages (APK files) for inspection. The result is a detailed report containing the detected suspicious behavior. However, the definition of suspicious behavior is always set solely by the platform’s developers.
We think that it is essential for malware researchers to have a complete overview of an app’s invoked methods. Such fine-grained information gives a much better insight into how the app’s components interact and how it is implemented. These insights can complement the overview of the app’s capabilities provided by existing frameworks.