A Comparative Study of Android Malware Behavior in Different Contexts

One of the numerous ways of addressing the Android malware threat is to run malicious applications in a sandbox environment while monitoring metrics. However, dynamic malware analysis is usually concerned with a one-time execution of an application, and information about behaviour in different environments is lacking in the literature. We fill this gap with a fuzzy-like approach to the problem: by running the same malware multiple times in different environments, we gain insight on the malware behaviour and his peculiarities. To implement this approach, we leverage a client-server sandbox to run experiments, based on a common suit of actions. Scenarios are executed multiple times on a malware sample, each time with a different parameter, and results are compared to determine variation in observed behaviour. In our current experiment, variation was introduced by different levels of simulation, allowing us to compare metrics such as failure rate, data leakages, sending of SMS, and the number of HTTP and DNS requests. We find the behaviour is different for data leakages, which require no simulation to leak information, while all results for other metrics were higher when simulation was used in experiments. We expect that a fuzzing approach with others parameters will further our understanding of malware behaviour, particularly for malware bound to such parameters.