Completed STANDARD GRANT National Science Foundation (US)

SaTC: CORE: Small: A Transparent and Customizable Android Container-Based Virtualization Architecture for Dynamic Malware Analysis

$4.66M USD

Funder: National Science Foundation (US)
Recipient Organization: Tulane University
Country: United States
Start Date: Dec 15, 2022
End Date: Sep 30, 2025
Duration: 1,020 days
Number of Grantees: 1
Roles: Principal Investigator
Data Source: National Science Foundation (US)
Grant ID: 2312185
Grant Description

With the success of Android mobile device markets, Android malicious software (malware) threatens billions of smartphone users. Driven by financial profit, malware authors are highly motivated to evade detection and to challenge forensics procedures. In the malware detection/evasion arms race, defenders apply analysis techniques that require a highly controlled environment to collect data about malware actions and gain insights into their intents, while still preventing malware from discovering that it is operating in an analysis environment.

The project introduces a novel and customizable malware analysis environment capable of handling evasive Android malware. The software artifacts generated and made publicly available to the open-source community have the potential to revolutionize the way analysts perform forensics tasks, thus protecting smartphone users and their Android devices against cyber-attacks.

Furthermore, this project, performed in a Hispanic-serving institution, involves recruitment of students from under-represented groups in computing.

This project innovatively applies container-based virtualization to address the long-standing challenge of efficiently analyzing evasive malware. Current Android malware dynamic analysis platforms (i.e., Android emulators and bare-metal machines) have limitations. Powered by the transparent and customizable virtual environment, this out-of-the-box malware analysis approach overcomes existing analysis techniques' limitations and amplifies their benefits.

This analysis environment is more resilient against evasive malware than standard Android emulators. Furthermore, the environment is stealthier and provides better flexibility and productivity for analysis than bare-metal machines. The novel Android container architecture has cross-disciplinary contributions: it improves resource utilization and reduces hardware costs, thus advancing automated malware analysis and streamlining the tasks of malware analysts.

Moreover, other researchers can develop new techniques to boost more powerful malware analysis methods, such as behavior-based malware clustering and evasive malware detection. The success of this research potentially revolutionizes dynamic malware analysis methods and tips the balance of the malware war toward the defender.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

Tulane University
