Academic paper

RealDroid: Large-Scale Evasive Malware Detection on "Real Devices"
Document Type
Conference
Source
2017 26th International Conference on Computer Communication and Networks (ICCCN), pp. 1-8, Jul. 2017
Subject
Communication, Networking and Broadcast Technologies
Computing and Processing
Malware
Androids
Humanoid robots
Kernel
Tools
Runtime
Linux
Language
Abstract
To detect Android malware effectively, dynamic analysis techniques based on Android emulators are widely adopted. Emulators can be deployed for large-scale malware detection and restored to a guaranteed clean state shortly after each app analysis, so emulator-based dynamic analysis can detect malware effectively. Moreover, emulators significantly reduce the detection cost compared to real devices. However, emulator-based analysis has limited capability in detecting evasive malware, which detects the presence of the emulator-based environment and hides its malicious behaviors. In this paper, we propose RealDroid, a dynamic, emulator-based analysis system that can capture Android evasive malware and is capable of large-scale malware detection. RealDroid completely simulates a real device so that it cannot be identified by evasive malware; evasive malware therefore exhibits its malicious behaviors in RealDroid. Moreover, we propose an automated exploration mechanism, the Android Test Engine (ATE), to improve the code coverage of dynamic analysis in RealDroid, so that it provides efficient and effective automatic detection over large sets of apps. Our experimental results demonstrate that ATE in RealDroid achieves much better exploration results than state-of-the-art automatic exploration tools in large-scale malware detection. In particular, it can successfully detect evasive malware.