Automatic Dynamic Analysis #15

Open
jpcarneiro opened this issue Jun 9, 2017 · 1 comment

@jpcarneiro

Hi all,
I want to perform automatic Android dynamic malware analysis.
I prepared a setup with DroidBox where an emulator is continuously launched and an APK is installed and run for 50s.

SETUP
Do you have similar setups?
How long do you run the analysis? Is 50s enough? Any data on the optimal run time?

PATTERNS
Do you have YARA rules/patterns to identify malware activity, or what is your strategy?
What is your approach to finding new rules: manually, ML, other? What features are you looking at?

EMULATOR
I have multiple APKs that fail to run, or the emulator restarts. Any ideas?
Following the instructions, I am using ARM, Nexus 4, Android Jelly Bean. Any problem with using a different AVD?

Sorry for such a big list of questions and thanks in advance.
Cheers,
Joao

@eclipse95

Hi @jpcarneiro,
I will try to give you some hints.

  • Concerning the analysis time, it depends on the app under test.
  • DroidBox wasn't made for malware analysis. Don't expect to find YARA rules or similar. Other tools can do it (CuckooDroid, for example).
  • The instrumentation is done by monkeyrunner (Android SDK). I don't know if it follows a specific scheme.
  • Each Android API has a specific "mapping". That's why you can try to use another Android 4+, but the result may be incorrect.

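As an added example (not code from the issue, from DroidBox, or from either commenter), the following POSIX shell harness shows one way to run the loop described in the question: boot the emulator, wait until Android reports boot completion rather than sleeping a fixed time, hand the APK to DroidBox for a fixed run window, then dump logcat and classify the run so that samples that crashed or hung before the window ended are flagged instead of being counted as clean 50-second runs. Assumptions, none of which come from the thread: DroidBox's `startemu.sh <avd>` and `droidbox.sh <apk> <seconds>` scripts are in the current directory with that calling convention, `adb` is on `PATH`, and the AVD name, run length and output directory are taken from the environment variables shown.

```sh
#!/bin/sh
# Added example; not part of the GitHub issue or of DroidBox itself.
# Assumed external tools: adb (Android SDK), ./startemu.sh and ./droidbox.sh (DroidBox).
set -eu

AVD="${AVD:-droidbox}"              # assumed AVD name
RUN_SECONDS="${RUN_SECONDS:-50}"    # per-sample run window, 50s as in the question
BOOT_TIMEOUT="${BOOT_TIMEOUT:-180}" # seconds to wait for sys.boot_completed
OUT_DIR="${OUT_DIR:-./results}"

# Classify a run from its logcat dump. An uncaught Java exception or an ANR means
# the sample did not survive the full window, so its behaviour log is not comparable
# with a sample that ran the whole time; the summary records that distinction.
classify_logcat() {
    case "$1" in
        *"FATAL EXCEPTION"*) echo crash ;;
        *"ANR in "*)         echo anr ;;
        *)                   echo ok ;;
    esac
}

# Poll the boot-completed property instead of sleeping a fixed time; a slow ARM
# emulator that is still booting when the APK is installed looks like a failed sample.
wait_for_boot() {
    adb wait-for-device
    i=0
    while [ "$i" -lt "$BOOT_TIMEOUT" ]; do
        if [ "$(adb shell getprop sys.boot_completed 2>/dev/null | tr -d '\r')" = "1" ]; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# One sample: fresh emulator, timed DroidBox run, logcat capture, verdict line.
run_one() {
    apk="$1"
    name=$(basename "$apk" .apk)
    ./startemu.sh "$AVD" >"$OUT_DIR/$name.emu.log" 2>&1 &   # assumed DroidBox launcher
    if ! wait_for_boot; then
        echo "$name boot-timeout" >>"$OUT_DIR/summary.txt"
        adb emu kill >/dev/null 2>&1 || true
        return 0
    fi
    adb logcat -c >/dev/null 2>&1 || true
    # Assumed DroidBox CLI: install the APK and drive it for RUN_SECONDS seconds.
    ./droidbox.sh "$apk" "$RUN_SECONDS" \
        >"$OUT_DIR/$name.droidbox.out" 2>"$OUT_DIR/$name.droidbox.err" || true
    adb logcat -d >"$OUT_DIR/$name.logcat" 2>/dev/null || true
    verdict=$(classify_logcat "$(cat "$OUT_DIR/$name.logcat")")
    echo "$name $verdict" >>"$OUT_DIR/summary.txt"
    # Kill the emulator so the next sample starts from a clean boot rather than
    # inheriting the previous sample's state or a half-crashed system.
    adb emu kill >/dev/null 2>&1 || true
    wait 2>/dev/null || true
}

# Every .apk in the given directory, one after the other.
run_batch() {
    mkdir -p "$OUT_DIR"
    for apk in "$1"/*.apk; do
        [ -f "$apk" ] || continue
        run_one "$apk"
    done
}

if [ $# -gt 0 ]; then
    run_batch "$1"
fi
```

Usage: `AVD=myavd RUN_SECONDS=50 sh run_samples.sh /path/to/apks`, which leaves `results/summary.txt` with one `<sample> <ok|crash|anr|boot-timeout>` line per APK. Separating boot-timeout, crash and ANR from clean runs is what lets you answer the "is 50s enough" question per sample: a verdict of `ok` means the sample was alive for the whole window, while the other verdicts mean the window ended early and the logged behaviour should not be compared with full runs.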