The future is mobile. Few experts doubt this conclusion these days. The accelerating proliferation of smartphones and other devices powered by the Android operating system throughout the world has created a corresponding increase in mobile apps – especially malicious mobile apps. This relatively new, but rapidly evolving, type of malware poses previously unseen dangers.
As part of Check Point’s continuous efforts against the rising tide of mobile dangers, we, the Malware Research Team, want to learn as much as we can about the constantly shifting Android malware landscape – which means understanding the internal operation of as many malicious apps as we can. Manual malware analysis has always been a slow process – taking days and even weeks per sample – rendering the task impractical even for a small sample pool.
Our solution is to automate as much of the analysis process as possible – following the success of this approach for PC malware. The goal was to create a system that would take an app and produce a report describing exactly what it does when it’s run, specifically pointing out anything “fishy”, which allows us to perform an initial analysis with no human intervention – which is exactly what Idan Revivo and Ofer Caspi from Check Point’s Malware Research Team have built.
Meet CuckooDroid: an automated, cross-platform, emulation and analysis framework based on the popular Cuckoo sandbox and several other open source projects – providing both static and dynamic APK inspection, as well as evading certain VM-detection techniques, encryption key extraction, SSL inspection, API call trace, basic behavioral signatures and many other features. The framework is highly customizable and extensible – leveraging the power of the large existing Cuckoo community.
Below you can see a (very) small part of the final report generated by CuckooDroid – showing the “fishy” traits (color coded by severity) this sample exhibits:
A full report can be found here
We believe fighting the growing threat of Android malware should be an industry-wide effort – so we are contributing CuckooDroid and all its logic and components into the open source realm – so that everyone may reap the benefits of its power. For the code and full technical documentation see: https://github.com/idanr1986/cuckoo-droid
If you get the chance, make sure you see Idan and Ofer at BlackHat Asia in the Check Point booth, where they will be teaching about the system and demonstrating its capabilities on real-world Android malware.