OS and Dalvik Semantic Views for Dynamic Android Malware Analysis: Seamlessly Reconstructing the
Syracuse University and Air Force Research Laboratory.
2 DroidScope is built on top of . They have three tools on top of the DroidScope: instruction tracer, interactions tracer, and taint tracker to analyze information leakage. Their slowdown: 11 to 34 times. They disable JIT in Dalvik! DroidScope can be used to analyze the Java and native components of Android apps. Event-based analysis—3 levels: Android device, hardware, Linux and Dalvik. Malware apps can detect JDWP using. The entire Android runs on top of an emulator. Android remains unchanged. It has ARM and x86 support. 4 Analysis tools: (1) API tracer—log interactions, (2, 3) native instruction tracer, Dalvik instruction tracer—log native and bytecode instructions, (4) taint tracker—taint analysis at the machine code level.
They rebuild at runtime information about processes, threads, memory mapping, system calls. The basic techniques for reconstructiong the OS-level view is vitrual machine instrospection (read about). They instrument code on level (insert extra TCG code). OS-level knowledge is used for: (1) system calls: instrument special instructions for system calls, get function parameters, etc; (2) processes and threads; (3) memory map.
Sergey Vartanov, 2007–2020