Carnegie Mellon University

A5: Automated Analysis of Adversarial Android Applications (CMU-CyLab-13-009) (Revised June 3, 2014)

journal contribution
posted on 2013-02-21, 00:00 authored by Tim Vidas, Jiaqi Tan, Jay Nahata, Chaur Lih Tan, Nicolas Christin, Patrick Tague

Mobile malware is growing – both in overall volume and in number of existing variants – at a pace rapid enough that systematic manual, human analysis is becoming increasingly difficult. As a result, there is a pressing need for techniques and tools that provide automated analysis of mobile malware samples. We present A5, an automated system to process Android malware. A5 is a hybrid system combining static and dynamic malware analysis techniques. Android’s architecture permits many different paths for malware to react to system events, any of which may result in malicious behavior. Key innovations in A5 consist in novel methods of interacting with mobile malware to better coerce malicious behavior, and in combining both virtual and physical pools of Android platforms to capture behavior that could otherwise be missed. The primary output of A5 is a set of network threat indicators and intrusion detection system signatures that can be used to detect and prevent malicious network activity. We detail A5’s distributed design and demonstrate applicability of our interaction techniques using examples from real malware. Additionally, we compare A5 with other automated systems and provide performance measurements of an implementation, using a published dataset of 1,260 unique malware samples, showing that A5 can quickly process large amounts of malware. We provide a public web interface to our implementation of A5 that allows third parties to use A5 as a web service.

History

Date

2013-02-21
