“Heuristic analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the ‘wild’.” — Wikipedia

“Android anti-virus products lack the ability to analyze applications beyond the manifest.xml file’s declared permissions and whether it has a process running or not.” — Chris Basinger
Heuristic evasion on Android is mostly about avoiding sandboxing. In its simplest form, a mobile sandbox is nothing more than an emulator or, as most people know it, a virtual machine. It lets a security analyst, or anyone else, study an application through log analysis. There are, however, many other ways to analyze an application’s behaviour on Android, and I will go through them below.
Aside from an emulator there are several more things to factor into your safety checks. Although you would assume that any knowledgeable malware developer would suppress all logging calls, it is still possible that something ends up in the log files. So this leaves you with evading logging. Preventing a user of your software from reading its logs involves numerous checks, but all of them stem from one thing: the Android Debug Bridge, better known by its acronym, ADB. One constant in the use of ADB is that it is accessed from a computer.
The most common way to enable ADB on an Android device is to connect it to a computer with a USB cable. Checking whether anything is connected to the device before running any malicious code keeps the user from reading the log files this way. Android provides developers with a class named UsbManager. It has a method that tells you whether any devices are connected over USB, although not what type of device they are. Another way of guarding against ADB over USB is to check whether the Android device is charging, which makes the check safer still.
Another way of enabling ADB on an Android device is over a WiFi connection on a local area network. This works by first connecting the Android device to the computer with a USB cable and using one of the numerous apps available on the Play Store for this purpose. After that you can connect to the phone over WiFi from the computer as long as the ADB WiFi app is running on the phone. The most important thing to note is that this always opens port 5555 on the Android phone, and that one fact is what lets us detect this kind of setup: check whether port 5555 is open on the wireless network interface. If the port is open, it is not safe to run any malicious code.
Network analysis is also a major topic in heuristic evasion on Android. There are several ways of analyzing an Android device’s network traffic. One is to use a firewall that logs IP addresses and port numbers for all applications. A second is any of the port scanning or networking utility apps available on the Google Play Store. To evade this type of app-based network analysis you must check the apps installed on the Android device. This simply involves querying the package manager on the device and checking whether any app contains the word firewall in its title. You would also check for names like networking utility, port scan, and so on. In the near future this will be a problem for the malware developer, as Google has patched this in their upcoming Android 11 release: they have removed the ability to query the package manager without declaring in your manifest file what you are looking for, which means this type of evasion will soon be deprecated.
The final way to analyze network traffic on an Android device is through a proxy server using a VPN. Luckily for the malware developer, this is possible to detect. Android’s API lets the developer check the networking capabilities of all network interfaces. By iterating through the available network interfaces you can check each one for an active VPN connection running through it.
Another thing to avoid when developing your malware is a rooted device. A rooted device also offers many advantages from the malware developer’s perspective, which leaves the benefit of this type of evasion open to speculation. For example, rooted devices let you enable an accessibility service for an application without the user’s knowledge or permission. The reasoning behind root evasion is therefore one of the most debatable. How can you trust that you will be safe knowing that the device’s owner has superuser access?
Last but not least, we're going back to the start to discuss sandboxing. In simple terms, we need to check whether the device is an emulator or not. Android has a Build class with many properties describing the hardware of the device. By checking manufacturer names and other product identifiers of the phone you can find out whether it is indeed a real device.
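Seen from the analyst's side, the checks above leave recognisable traces in a decompiled sample. The following is an added example (not the author's library or code) of a small static triage heuristic in Python: it scans decompiled smali lines for references to UsbManager, the ADB-over-WiFi port, package-manager queries for firewall or port-scan apps, VPN interfaces, su binaries and emulator Build values, and flags a sample that combines several of them. The sample lines are constructed, and the signature table is an illustrative assumption rather than a complete one.

```python
import re
from collections import defaultdict

# Signature table (assumption: illustrative, not exhaustive). API names are real
# Android/Java identifiers; "goldfish", "ranchu" and "google_sdk" are well-known
# emulator Build values. Note that smali emits the constant 5555 as hex 0x15b3,
# so matching only the decimal literal would miss the port check.
EVASION_SIGNATURES = {
    "usb_debug_check": [r"Landroid/hardware/usb/UsbManager;", r"\bgetDeviceList\b"],
    "charging_check":  [r"Landroid/os/BatteryManager;", r"BATTERY_STATUS_CHARGING"],
    "adb_wifi_port":   [r"\b5555\b", r"\b0x15[bB]3\b"],
    "analysis_apps":   [r"\bgetInstalled(Packages|Applications)\b",
                        r"(?i)firewall", r"(?i)port\s*scan", r"(?i)network\s*util"],
    "vpn_check":       [r"Ljava/net/NetworkInterface;", r"TRANSPORT_VPN", r"\btun0\b"],
    "root_check":      [r"/system/(xbin|bin)/su\b", r"Superuser", r"supersu"],
    "emulator_check":  [r"Landroid/os/Build;->(FINGERPRINT|HARDWARE|PRODUCT|MODEL|MANUFACTURER)",
                        r"\bgoldfish\b", r"\branchu\b", r"\bgoogle_sdk\b"],
}

def score_evasion(smali_lines):
    """Map each evasion category to the decompiled lines that reference it."""
    hits = defaultdict(list)
    for line in smali_lines:
        for category, patterns in EVASION_SIGNATURES.items():
            if any(re.search(p, line) for p in patterns):
                hits[category].append(line)
    return dict(hits)

def is_likely_anti_analysis(hits, min_categories=3):
    """One category alone (e.g. reading Build fields) is ordinary app behaviour;
    several distinct categories together are the signal worth a manual look."""
    return len(hits) >= min_categories

# Constructed smali fragments standing in for a decompiled sample.
SAMPLE_LINES = [
    'const-string v0, "goldfish"',
    'sget-object v1, Landroid/os/Build;->HARDWARE:Ljava/lang/String;',
    'invoke-virtual {v2}, Landroid/hardware/usb/UsbManager;->getDeviceList()Ljava/util/HashMap;',
    'const/16 v3, 0x15b3',
    'const-string v4, "firewall"',
    'invoke-virtual {v5, v6}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;',
    'const-string v7, "/system/xbin/su"',
    'const-string v8, "tun0"',
    'const-string v9, "Hello world"',
]

if __name__ == "__main__":
    report = score_evasion(SAMPLE_LINES)
    for category, lines in sorted(report.items()):
        print(f"{category}: {len(lines)} hit(s)")
    print("likely anti-analysis:", is_likely_anti_analysis(report))
```

Feed it the output of a smali disassembler over the whole APK; the per-category line lists tell you where to start reading when the sample is flagged.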
I have created an Android library that lets you perform all of these checks before running any code. This will keep your software from being tested and subjected to behaviour analysis. Of course, there are always static code analysis tactics through reverse engineering, and obviously I cannot protect your code from that type of analysis from within your code. The library I have released for avoiding detection is called EvadeMe.
Originally published at http://github.com.