ReDroid is a toolbox for detecting and countering anti-sandbox behaviors in Android apps.
-
What is anti-sandbox behavior
Anti-sandbox behavior implies that an app would check whether it's being run on an real device or an emulator, and have different behaviors on both kinds of platforms. This may be necessary for commercial apps to pretend malicious usage (like cheating in a game) and for malware to escape automatic app analysis and attack most valuable targets.
Known Android apps equipped with anti-sandbox techniques include Collapse Gakuen 2 (game) and DenDroid (malware).
-
How does ReDroid work
Given an Android app, ReDroid runs it on both real and emulator platforms, collects runtime traces and compares the real traces against emulator traces. Apps equipped with anti-sandbox techniques would have (largely) different behaviors, thus different traces are generated on real and emulator platforms. From that ReDroid detect anti-sandbox behaviors.
-
Runtime
- Python version 2.7
- JDK version >= 1.7
- Android SDK with
platform_tools
andtools
directory added toPATH
- DroidBot installed to
PATH
- (Optional) Android Studio to compile sample apps in
app_samples
-
Source Code
- AOSP branch
android-6.0.1_r77
- Android x86 branch
android-x86-6.0-r3
- AOSP branch
- DroidBot: A lightweight test input generator for Android. Used in ReDroid for dynamic testing Android apps.
- anti-emulator: An emulator detector. One of the sample apps.
- DenDroid: An Android Trojan equipped with anti-sandbox techniques. One of the sample apps.
- LibRadar: A detecting tool for 3rd-party libraries in Android apps. Its 3rd party library package detection results is used for trace comparing in ReDroid.
There are mainly three modules in ReDroid: anti_sandbox_detector
, app_samples
and marshmallow_modifications
.
- To simply run dynamic tests and get trace comparing results, one needs
anti_sandbox_detector
only. - To collect more complete runtime traces and speed up emulator testings, one has to apply modifications specified in
marshmallow_modifications
to AOSP and Android x86 source code, and build custom ROMs for emulator and real device. - To use sample apps, one has to pull git submodules in
app_samples
and build APKs.
NOTE: Do check config json contents before using
-
Run testing script to collect runtime traces on emulator and real device:
$ python scripts/trace_collector.py -c configs/trace_collector_config.json
-
Run analysis script to compare runtime trace collected
$ python scripts/trace_comparator.py -c configs/trace_comparator_config.json
This module contains some modifications (mainly the expansion of trace log buffer) on original Android system, providing more complete trace generated while testing. There are modifications for real device and emulator.
To simplify usage, prebuilt images are available. Please follow README in it.
-
Real Device
- Apply patches in
aosp
folder to AOSP source branchandroid-6.0.1_r77
- Select the build target as
user
mode on real device, e.g.aosp_hammerhead-userdebug
- Build the ROM
- Flash the ROM into your device
- Apply patches in
-
Emulator
-
Apply patches in
android-x86
folder to Android x86 source branchandroid-x86-6.0-r3
-
Select the build target as
android_x86-eng
-
Build the ISO
-
Create a new Virtual Machine in VirtualBox according to the official documents, and do some more settings:
$ VBoxManage setextradata <your_vm_name> "CustomVideoMode1" "768x1280x32"
$ VBoxManage modifyvm <your_vm_name> --natpf1 adb,tcp,*,5555,*,5555
-
Boot from the ISO in VirtualBox. To enable ADB connection, use
$ adb connect localhost:5555
-
Enable
App Compatibility
in settings -
Push the
houdini.sfs
inlibs
onto/sdcard/
folder in the VM. Then in ADB shell, run$ enable_nativebridges
This is to enable ARM native code support on x86 VM.
-
Build them and use them. For anti-emulator
sample, NDK is necessary.