Evade Analysis Environment

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.[1][2][3][4] Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information.[5] Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.[6]

ID: T1523
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 02 October 2019
Last Modified: 11 October 2019

Procedure Examples

ID Name Description
S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.[7]

S0422 Anubis

Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[8]

S0480 Cerberus

Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.[9]

S0301 Dendroid

Dendroid can detect if it is being run on an emulator.[10]

S0509 FakeSpy

FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.[11]

S0423 Ginp

Ginp can determine if it is running in an emulator.[12]

S0544 HenBox

HenBox can detect if the app is running on an emulator.[13]

S0485 Mandrake

Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.[14]

S0411 Rotexy

Rotexy checks if it is running in an analysis environment.[15]

S0545 TERRACOTTA

TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.[16]

S0427 TrickMo

TrickMo can detect if it is running on a rooted device or an emulator.[17]

G0112 Windshift

Windshift has deployed anti-analysis capabilities during their Operation BULL campaign.[18]

S0489 WolfRAT

WolfRAT can perform primitive emulation checks.[19]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Applications that read android.os.SystemProperties, or that run getprop through the runtime exec() command, should be closely scrutinized. Google does not recommend the use of system properties within applications.
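As an added example that is not part of the ATT&CK page, the following Python vetting check scans decompiled Java source for the indicators this mitigation and the technique description name (reflective access to android.os.SystemProperties, getprop run through exec(), device-identifier reads, and Build property comparisons). The sample source, the indicator names and the severity labels are constructed assumptions, not from any real application.

```python
import re

# Indicators drawn from the mitigation text. Reflective SystemProperties access and
# getprop via exec() are treated as high; identifier and Build reads are weaker
# signals (many benign apps use them) and are reported at medium severity.
INDICATORS = [
    ("system-properties-reflection", "high",
     re.compile(r'Class\.forName\(\s*"android\.os\.SystemProperties"\s*\)')),
    ("getprop-exec", "high",
     re.compile(r'\.exec\(\s*(?:new String\[\]\s*\{\s*)?"(?:/system/bin/)?getprop\b')),
    ("device-identifier-read", "medium",
     re.compile(r'\.(?:getDeviceId|getImei|getSubscriberId|getLine1Number)\(')),
    ("build-property-compare", "medium",
     re.compile(r'Build\.(?:FINGERPRINT|MODEL|MANUFACTURER|HARDWARE|PRODUCT)\b')),
]


def scan_source(source):
    """Return one finding per (line, indicator) match in decompiled Java source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": name,
                                 "severity": severity, "text": line.strip()})
    return findings


def needs_review(findings):
    """Flag the app for manual review if any high-severity indicator was seen."""
    return any(f["severity"] == "high" for f in findings)


# Constructed sample mimicking decompiler output; not taken from any real sample.
SAMPLE = '''Class<?> sp = Class.forName("android.os.SystemProperties");
String hw = (String) sp.getMethod("get", String.class).invoke(null, "ro.hardware");
Process p = Runtime.getRuntime().exec("getprop ro.product.model");
if (Build.FINGERPRINT.startsWith("generic")) { return; }
String imei = tm.getDeviceId();
Log.d(TAG, "starting");'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']:>3} [{f['severity']}] {f['indicator']}: {f['text']}")
    print("needs manual review:", needs_review(scan_source(SAMPLE)))
```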

Detection

Analysis environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References