Nytro Posted December 4, 2014

Android Malware Evasion Techniques - Emulator Detection

Most modern malware tries to avoid being analysed, and one of the first things it does is check whether it is running in a controlled environment. In the world of Android malware, the controlled environment is usually an emulator: if the malware is running on an emulator, it is most probably being investigated by a researcher. There are various methods that malware writers use to detect an emulated environment.

1.) Check Product Name: In the Android emulator, the product name of the device (Build.PRODUCT) contains the string "sdk", so it is a useful clue that the app is running on an emulator. In order to check the product name, you can use the following code snippet:

2.) Check Model Name: The default model name (Build.MODEL) of the Android emulator also contains the string "sdk", so it is worth checking the model name as well in order to detect emulator use.

3.) Check SIM Operator Name: In Android emulators, the SIM operator name comes with the default string "Android". You will not see this on a regular physical device, even when no SIM card is installed.

4.) Check Network Operator Name: Similar to the SIM operator name, the network operator name also comes with the default string "Android". It is a good idea to check the network operator name as well in order to decide whether the app is running on an emulator.

By combining these 4 techniques you can write a basic Android app that shows these values. To check whether they really work, install the app both on the emulator and on a real device. The picture on the left-hand side is a screenshot taken from a Samsung Galaxy S4 phone and the one on the right is a screenshot of an emulator. You can see the difference clearly.

5.) Check ro.kernel.qemu and ro.secure Properties: Additionally you can check the Android system properties to detect an emulated environment.
There are various property files in the Android filesystem:

/default.prop
/system/build.prop
/data/local.prop

Properties are stored as key/value pairs in these files. You can see the value of a property with the adb shell getprop <key> command. Two properties in particular indicate an emulator environment:

ro.secure
ro.kernel.qemu

ro.kernel.qemu is set to 1 on the emulator's QEMU-based kernel. If the value of ro.secure is "0", the ADB shell runs as root, which is the case on emulator images; on a production physical device the ADB shell runs with regular user rights, not as root. Keep in mind that ro.secure is also 0 on userdebug/eng builds, so on its own it is a weaker signal than ro.kernel.qemu. In order to check these properties you can use the code snippets below.

I uploaded sample detection code to my GitHub page that combines all the methods above: https://github.com/oguzhantopgul/Android-Emulator-Detection

In this blog post I tried to describe my favourite Android emulator detection methods. If you know better techniques, please send me a comment.

Edit: I've just noticed Tim Strazzere's (@timstrazz) Android project on emulator detection. You can find it in his GitHub repo linked below: https://github.com/strazzere/anti-emulator

Published yesterday by Oguzhan Topgul

Source: {ouz}: Android Malware Evasion Techniques - Emulator Detection
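The five checks described in the post (product name, model name, SIM operator name, network operator name, and the ro.kernel.qemu / ro.secure properties), collected into one working Android class as an added example. This is not the post's own snippet and not the code from either linked GitHub repository. It assumes the check runs inside an app with a Context (for TelephonyManager, which needs no permission for the operator-name calls) and that /system/bin/getprop is present, which it is on emulator images and stock devices; the class name EmulatorChecks and the reason strings are my own choices.

```java
import android.content.Context;
import android.os.Build;
import android.telephony.TelephonyManager;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: the five emulator-detection heuristics from the post in one
 * place. Instead of a bare boolean, run() returns the list of heuristics that
 * fired, so an analyst (or the app) can see which value gave the emulator away.
 */
public final class EmulatorChecks {

    /** Runs all checks; returns the matching reasons, empty if none fired. */
    public static List<String> run(Context ctx) {
        List<String> hits = new ArrayList<>();

        // 1) Product name: emulator images report values such as "sdk" or
        //    "sdk_gphone_x86"; the post's heuristic is the "sdk" substring.
        if (containsIgnoreCase(Build.PRODUCT, "sdk")) {
            hits.add("Build.PRODUCT=" + Build.PRODUCT);
        }
        // 2) Model name: emulator images report "sdk" or
        //    "Android SDK built for x86"; same substring heuristic.
        if (containsIgnoreCase(Build.MODEL, "sdk")) {
            hits.add("Build.MODEL=" + Build.MODEL);
        }

        // 3) and 4) The emulator's virtual radio reports "Android" as both the
        //    SIM and the network operator name. A physical device with no SIM
        //    returns an empty string (or null on some devices), never "Android".
        TelephonyManager tm =
                (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm != null) {
            String sim = tm.getSimOperatorName();
            String net = tm.getNetworkOperatorName();
            if ("android".equalsIgnoreCase(sim)) {
                hits.add("simOperatorName=" + sim);
            }
            if ("android".equalsIgnoreCase(net)) {
                hits.add("networkOperatorName=" + net);
            }
        }

        // 5) System properties, read the same way `adb shell getprop` does.
        //    ro.kernel.qemu=1 is specific to the emulator's QEMU kernel;
        //    ro.secure=0 (adb runs as root) also holds on eng/userdebug builds,
        //    so it is recorded as a separate, weaker reason.
        if ("1".equals(getProp("ro.kernel.qemu"))) {
            hits.add("ro.kernel.qemu=1");
        }
        if ("0".equals(getProp("ro.secure"))) {
            hits.add("ro.secure=0 (adb shell is root)");
        }
        return hits;
    }

    /** Convenience wrapper: true if any heuristic fired. */
    public static boolean isEmulator(Context ctx) {
        return !run(ctx).isEmpty();
    }

    private static boolean containsIgnoreCase(String value, String needle) {
        return value != null && value.toLowerCase().contains(needle.toLowerCase());
    }

    /**
     * Reads one system property by executing /system/bin/getprop (assumption:
     * the binary exists and is executable by the app). Returns "" on any
     * failure so a missing property never looks like a match.
     */
    static String getProp(String key) {
        try {
            Process p = new ProcessBuilder("/system/bin/getprop", key)
                    .redirectErrorStream(true)
                    .start();
            try (BufferedReader r =
                         new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String line = r.readLine();
                return line == null ? "" : line.trim();
            }
        } catch (Exception e) {
            return "";
        }
    }
}
```

Usage is a single call, e.g. `List<String> why = EmulatorChecks.run(getApplicationContext());` from an Activity, and logging or displaying `why` reproduces the side-by-side comparison the post describes: on a physical phone the list is empty, on the emulator several reasons appear. Note the design choice of spawning getprop rather than calling the hidden android.os.SystemProperties class through reflection; both work on the 2014-era images the post targets, but the process-based read does not depend on hidden-API access, which later Android versions restrict. When analysing malware, each of these values is also the thing to patch or hook (Build fields, TelephonyManager results, getprop output) so the sample believes it is on real hardware.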