
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis

2 — 4

Syracuse University and Air Force Research Laboratory.

2 DroidScope is built on top of QEMU. The entire Android system runs inside the emulator and Android itself remains unchanged; ARM and x86 guests are supported. Debugger-based approaches are avoided because malware apps can detect the use of JDWP. Event-based analysis reconstructs three semantic levels: hardware, Linux (OS) and Dalvik, so DroidScope can analyze both the Java and the native components of Android apps. Four analysis tools are built on top of DroidScope: (1) API tracer: logs interactions between the app and the system; (2, 3) native instruction tracer and Dalvik instruction tracer: log native and bytecode instructions; (4) taint tracker: taint analysis at the machine-code level, used to detect information leakage. Slowdown: 11 to 34 times. They disable JIT in Dalvik!

They rebuild at runtime information about processes, threads, memory mappings and system calls. The basic technique for reconstructing the OS-level view is virtual machine introspection (read about). They instrument code at the TCG level (insert extra TCG ops into the translated blocks). OS-level knowledge is used for: (1) system calls: instrument the instruction that enters the kernel (svc on ARM), read the syscall number and the parameters from the registers; (2) processes and threads; (3) memory map.

Sergey Vartanov, 2007–2020