
An Automatic Detection Scheme for Environment-Aware APIs on Android

Abstract: Malware increasingly exploits environment-aware capabilities to evade detection by analysis systems. Addressing this situation, this paper studies in depth environment-aware techniques based on system application programming interfaces (APIs) and implements EAFinder (Environment-Aware API Finder), an automated tool for comprehensively detecting environment-aware APIs. EAFinder enumerates all system APIs, invokes them automatically on real devices and in emulators, and detects environment-aware APIs by comparing the accessibility and return values of each API across the different environments. Experimental results show that EAFinder detected 344 APIs in total on Android 9 through 13; after removing false positives, 323 APIs usable for environment awareness remain. These are classified by usage into three categories: independent use, threshold-based use and combined use. Sampling tests of the effectiveness of each category show that these APIs can distinguish real devices from emulators with 97% accuracy.
An Automatic Detection Scheme for Android Environment-Aware API
Abstract: To address the challenge of malware leveraging environment-aware capabilities to evade detection systems, this study explores environment-aware techniques based on system Application Programming Interfaces (APIs) and implements an automated tool called Environment-Aware API Finder (EAFinder) for comprehensively identifying environment-aware APIs. EAFinder can enumerate system APIs and automatically invoke them in real devices and emulators. It can then detect environment-aware APIs by analyzing the discrepancies in accessibility and return values across different environments. Experimental results show that EAFinder detected 344 APIs across Android versions 9 to 13, with 323 APIs confirmed as environment-aware after eliminating false positives. This paper categorizes them into three classes: independent usage, threshold-based usage, and composite usage. Sampling tests of each API category demonstrated that these APIs could distinguish real devices from emulators with an accuracy rate of 97%.

Keywords: mobile security; environment-aware; emulator detection; system Application Program Interface (API)

Authors: 欧阳坜伶, 彭国军


Affiliation: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China

Keywords (Chinese version): mobile security; environment awareness; emulator detection; system application programming interface

Year: 2024

Journal: 武汉大学学报(理学版) (Journal of Wuhan University (Natural Science Edition))
Publisher: 武汉大学 (Wuhan University)


Indexed in: CSTPCD; Peking University Core Journals (北大核心)
Impact factor: 0.814
ISSN: 1671-8836
Year, volume (issue): 2024, 70(6)