Morpheus: Automatically Generating Heuristics to Detect Android Emulators

Red pills that detect Android emulators can be useful for Android malware to evade dynamic analysis tools like Google Bouncer. To get an upper hand against malware developers, we have systematically discovered more than 10,000 red pills through our analysis on Android emulators and real devices.

Research Paper

Morpheus: Automatically Generating Heuristics to Detect Android Emulators
Yiming Jing, Ziming Zhao, Gail-Joon Ahn, and Hongxin Hu
Arizona State University and Clemson University
Proceedings of the 30th Annual Computer Security Applications Conference
CSAW 2015 Best Applied Security Paper Finalist


Emulator-based dynamic analysis has been widely deployed in Android application stores. While it has been proven effective in vetting applications on a large scale, it can be detected and evaded by recent Android malware strains that carry detection heuristics. Using such heuristics, an application can check the presence or contents of certain artifacts and infer the presence of emulators. However, there exists little work that systematically discovers those heuristics that would be eventually helpful to prevent malicious applications from bypassing emulator-based analysis. To cope with this challenge, we propose a framework called Morpheus that automatically generates such heuristics. Morpheus leverages our insight that an effective detection heuristic must exploit discrepancies observable by an application. To this end, Morpheus analyzes the application sandbox and retrieves observable artifacts from both Android emulators and real devices. Afterwards, Morpheus further analyzes the retrieved artifacts to extract and rank detection heuristics. The evaluation of our proof-of-concept implementation of Morpheus reveals more than 10,000 novel detection heuristics that can be utilized to detect existing emulator-based malware analysis tools. We also discuss the discrepancies in Android emulators and potential countermeasures.