Challenges in emulating sensor and resource-based state changes for Android malware detection

The increasing prevalence of mobile malware has driven the need for emulated, dynamic analysis techniques. Unfortunately, emulating mobile devices is nontrivial because of the different types of hardware features onboard (e.g., sensors) and the manner in which users interact with their devices as compared to traditional computing platforms. To evaluate this, our research focuses on the enumeration and comparison of multiple attributes and event values from sensors and dynamic resources on Android runtime environments, both from physical devices and online analysis services. Utilizing our results from enumeration, we develop two different Android applications that are successful in detecting and evading the emulated environments utilized by those mobile analysis services during execution. When ran on physical devices, the same applications successfully perform a pseudo-malware action and send device identifying information to our server.