Android malware anti-emulation techniques

The following report is by SophosLabs Android specialist Chen Yu, with support from Android team members William Lee, Jagadeesh Chandraiah and Ferenc László Nagy.

As the volume of Android malware grows, it is following in the footsteps of its Windows counterparts when it comes to techniques for evading the emulators used in dynamic analysis.

In this blog post, we’ll show some of those anti-emulator techniques.

An emulator is hardware or software that allows one computer (the host) to imitate another computer (the guest). It typically allows the host system to run software or use peripheral devices designed for the guest system. In security, it’s a handy way to test malware behavior — which is why the malware creators want to disrupt it.

Anti-emulation techniques are found in many different Android malware families, one being the recent Android Adload adware found in Google Play.

With that, here are six common anti-emulator techniques SophosLabs discovered:

1. Check telephony services information

Emulator detection is all about spotting the differences between the environment an emulator provides and the one a real device provides. First, the device ID, phone number, IMEI and IMSI on an emulator differ from those on a real device: the emulator reports fixed placeholder values rather than identifiers tied to real hardware or a real SIM. The android.telephony.TelephonyManager class provides methods to retrieve this information. Applications can use the methods
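To make the technique concrete, here is an added example (written for this page, not code from the Adload sample or from SophosLabs) of how an app can compare the TelephonyManager values against the ones the stock Android SDK emulator has historically reported. The constants are assumptions drawn from public emulator-detection research; confirm them against the emulator image you actually use, since they change between images and can be edited by an analyst. The example also handles the case a practitioner cares about: on Android 10 and later these identifiers throw a SecurityException for ordinary apps even when READ_PHONE_STATE is granted, so the check silently degrades.

```java
import android.content.Context;
import android.telephony.TelephonyManager;

// Added illustration of a telephony-based emulator check. The constants below
// are assumed to be the values reported by the stock SDK emulator ("goldfish");
// verify them against your own emulator image before relying on them.
public final class TelephonyEmulatorCheck {

    private static final String EMU_DEVICE_ID  = "000000000000000";       // IMEI of all zeros
    private static final String EMU_IMSI       = "310260000000000";       // subscriber id
    private static final String EMU_SIM_SERIAL = "89014103211118510720";  // SIM serial (assumed)
    private static final String EMU_OPERATOR   = "android";               // network operator name
    private static final String EMU_VOICEMAIL  = "15552175049";           // voicemail number
    private static final String EMU_LINE_PREFIX = "155552155";            // 15555215554, ...56, ...58, ...

    private TelephonyEmulatorCheck() {}

    /** Returns true if any telephony identifier matches a known emulator value. */
    public static boolean looksLikeEmulator(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm == null) {
            // No telephony service at all is common on emulators, but also on
            // Wi-Fi-only tablets, so treat it as a weak signal.
            return true;
        }

        // The operator name needs no permission and is the cheapest check.
        if (EMU_OPERATOR.equalsIgnoreCase(safe(tm.getNetworkOperatorName()))) {
            return true;
        }

        try {
            // These require READ_PHONE_STATE. On Android 10+ they throw
            // SecurityException for non-privileged apps even when granted.
            if (EMU_DEVICE_ID.equals(safe(tm.getDeviceId()))) return true;
            if (EMU_IMSI.equals(safe(tm.getSubscriberId()))) return true;
            if (EMU_SIM_SERIAL.equals(safe(tm.getSimSerialNumber()))) return true;
            if (EMU_VOICEMAIL.equals(safe(tm.getVoiceMailNumber()))) return true;
            if (safe(tm.getLine1Number()).startsWith(EMU_LINE_PREFIX)) return true;
        } catch (SecurityException e) {
            // Identifiers are unreadable: the check cannot distinguish here, and a
            // sandbox that simply denies the permission looks like a real phone.
        }
        return false;
    }

    private static String safe(String s) {
        return s == null ? "" : s;
    }
}
```

From the analyst's side, every value above comes from a single class, so hooking TelephonyManager (with Frida or Xposed) to return realistic strings, or configuring the emulator with non-default telephony values, defeats this check without touching the sample.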
