A Comparative Study of Android Malware Behavior in Different Contexts

Catherine Boileau, Francois Gagnon, Jérémie Poisson, Simon Frenette, Mohamed Mejri


One of the numerous ways of addressing the Android malware threat is to run malicious applications in a sandbox environment while monitoring metrics. However, dynamic malware analysis is usually concerned with a one-time execution of an application, and information about behaviour in different environments is lacking in the literature. We fill this gap with a fuzzy-like approach to the problem: by running the same malware multiple times in different environments, we gain insight on the malware behaviour and his peculiarities. To implement this approach, we leverage a client-server sandbox to run experiments, based on a common suit of actions. Scenarios are executed multiple times on a malware sample, each time with a different parameter, and results are compared to determine variation in observed behaviour. In our current experiment, variation was introduced by different levels of simulation, allowing us to compare metrics such as failure rate, data leakages, sending of SMS, and the number of HTTP and DNS requests. We find the behaviour is different for data leakages, which require no simulation to leak information, while all results for other metrics were higher when simulation was used in experiments. We expect that a fuzzing approach with others parameters will further our understanding of malware behaviour, particularly for malware bound to such parameters.


  1. Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., and Rieck, K. (2014). DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In Proceedings of the 2013 Network and Distributed System Security (NDSS) Symposium.
  2. Arzt, S., Rasthofer, S., Christian Fritz and, E. B., Bartel, A., Klein, J., Traon, Y. L., Octeau, D., and McDaniel, P. (2014). FlowDroid: Precise Context, Flow, Field, Object-Sensitive and Lifecyle-aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 259- 269.
  3. Au, K. W. Y., Zhou, Y. F., Huang, Z., and Lie, D. (2012). Pscout: analyzing the android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 217- 228. ACM.
  4. Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., and Kruegel, Bayer, U., Kruegel, C., and Kirda, E. (2006). TTAnalyze: A tool for analyzing malware. na.
  5. Burguera, I., Zurutuza, U., and Nadjm-Tehrani, S. (2011). CrowDroid: Behavior-Based Malware Detection System for Android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pages 15-26.
  6. Dunham, K., Hartman, S., Morales, J. A., Quintans, M., and Strazzere, T. (2014). Android Malware And Analysis. Auerbach Publications.
  7. Eder, T., Rodler, M., Vymazal, D., and Zeilinger, M. (2013). Ananas-a framework for analyzing android applications. In Availability, Reliability and Security (ARES), 2013 Eighth International Conference on, pages 711- 719. IEEE.
  8. Enck, W., Gilbert, P., Chun, B.-G., Cox, L. P., Jung, J., McDaniel, P., and Sheth, A. N. (2014). TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. ACM Transactions on Computer Systems (TOCS), 32(2).
  9. Gagnon, F., Lafrance, F., Frenette, S., and Hall, S. (2014a). AVP-An Android Virtual Playground. In DCNET, pages 13-20.
  10. Gagnon, F., Poisson, J., Frenette, S., Lafrance, F., Hall, S., and Michaud, F. (2014b). Blueprints of an Automated Android Test-Bed. In E-Business and Telecommunications, pages 3-25. Springer.
  11. Gonzalez, H., Stakhanova, N., and Ghorbani, A. A. (2014). DroidKin: Lightweight Detection of Android Apps Similarity. In Proceedings of the 10th International Conference on Security and Privacy in Communication Networks.
  12. Neugschwandtner, M., Lindorder, M., Fratantonio, Y., Veen, V. v. d., and Platzer, C. (2014). ANDRUBIS - 1,000,000 Apps Later: A View on Current Android Malware Behaviors. In Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, pages 161-190.
  13. PulseSecure (2015). 2015 Mobile Threat Report. Technical report, Pulse Secure Mobile Threat Center.
  14. Rastogi, V., Chen, Y., and Enck, W. (2013). AppsPlayground: Automatic Security Analysis of Smartphone Applications. In Proceedings of the ACM SIGSAC Conference on Computer And Communications Security, pages 209-220.
  15. Reina, A., Fattori, A., and Cavallaro, L. (2013). A System Call-Centric Analysis and Stimulation Technique to Automatically Reconstruct Android Malware Behaviors. In Proceedings of 6th European Workshop on Systems Security.
  16. Sasnauskas, R. and Regehr, J. (2014). Intent fuzzer: crafting intents of death. In Proceedings of the 2014 Joint International Workshop on Dynamic Analysis (WODA) and Software and System Performance Testing, Debugging, and Analytics (PERTEA), pages 1-5. ACM.
  17. Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., and Hoffmann, J. (2013). Mobile-Sandbox: Having a Deeper Look into Android Applications. In Proceedings of the 28th Symposium On Applied Computing, pages 1808-1815.
  18. van der Veen, V., Bos, H., and Rossow, C. (2013). Dynamic analysis of android malware. Internet & Web Technology Master thesis, VU University Amsterdam.
  19. Willems, C., Holz, T., and Freiling, F. (2007). Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security and Privacy, 5(2):32-39.
  20. Ye, H., Cheng, S., Zhang, L., and Jiang, F. (2013). Droidfuzzer: Fuzzing the android apps with intent-filter tag. In Proceedings of International Conference on Advances in Mobile Computing & Multimedia, page 68. ACM.
  21. Zheng, M. and Sun, M. (2013). DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware. In Proceedings of 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 163-171.
  22. Zhou, Y. and Jiang, X. (2012). Dissecting Android Malware: Characterization and Evolution. In Proceedings of the IEEE Symposium on Security and Privacy 2012, pages 95-109.
  23. Zhou, Y., Wang, Z., Zhou, W., and Jiang, X. (2012). Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In NDSS.

Paper Citation

in Harvard Style

Boileau C., Gagnon F., Poisson J., Frenette S. and Mejri M. (2016). A Comparative Study of Android Malware Behavior in Different Contexts . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 1: DCNET, (ICETE 2016) ISBN 978-989-758-196-0, pages 47-54. DOI: 10.5220/0005997300470054

in Bibtex Style

author={Catherine Boileau and Francois Gagnon and Jérémie Poisson and Simon Frenette and Mohamed Mejri},
title={A Comparative Study of Android Malware Behavior in Different Contexts},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 1: DCNET, (ICETE 2016)},

in EndNote Style

JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 1: DCNET, (ICETE 2016)
TI - A Comparative Study of Android Malware Behavior in Different Contexts
SN - 978-989-758-196-0
AU - Boileau C.
AU - Gagnon F.
AU - Poisson J.
AU - Frenette S.
AU - Mejri M.
PY - 2016
SP - 47
EP - 54
DO - 10.5220/0005997300470054