Awesome
ReDroid
Introduction
ReDroid is a toolbox for automatically detecting and countering anti-sandbox behaviors in Android apps.
-
What is anti-sandbox behavior
Anti-sandbox behavior implies that an app would check whether it's being run on an real device or an emulator, and behave differently on them. This may be necessary for commercial apps to pretend malicious usage (like cheating in a game) and for malware to escape from dynamic app analysis and attack most valuable targets.
Known Android apps equipped with anti-sandbox techniques include Wechat (commercial app), Collapse Gakuen 2 (game) and DenDroid (malware).
-
How does ReDroid work
Given an Android app, ReDroid processes it in detecting phase and countering phase.
-
Detecting Phase: ReDroid runs it on both real and emulator platforms, collects runtime traces and compares the real traces against emulator traces. Apps equipped with anti-sandbox techniques would have (largely) different behaviors, thus different traces are generated on real and emulator platforms. From that ReDroid detect anti-sandbox behaviors.
-
Countering Phase: ReDroid replays the app with JDWP monitor enabled, collecting some critical methods' return values. Then corresponding DSM (dynamic state modification) rule is automatically generated and passed to Xposed, making what critical methods return in emulator the same as in real devices, neutralizing potential anti-sandbox behaviors.
-
Prerequisites
- Python version 2.7
- JDK version >= 1.7
- Android SDK with
platform_tools
andtools
directory added toPATH
- DroidBot installed to
PATH
- Oracle VM VirtualBox
Usage
Like mentioned in the introduction, ReDroid's workflow contains detecting and countering phases. The detecting part implementation is in anti_sandbox_detector
folder, and the countering part is in dsm_patcher
folder.
To launch a default workflow, just follow the following 5 steps:
-
Set up real device and emulator using prebuilt images. Detailed instructions can be found in
marshmallow_modifications/README.md
-
Enable ADB connection using
$ adb connect <vm_ip>:5555
One can get Android VM's ip by getting shell in VM using ALT+F7 and then using
ifconfig
command. -
Specify the following config values in
default_workflow/default_workflow_config.json
:- emulator_id: The emulator's device ID. The device ID's are the first-column items shown by
adb devices
. - real_device_id: The real device's device ID.
- apk_dir: The path of the folder containing apk files
- output_dir: The output folder path
- process_num: The number of processes that ReDroid can spawn for parallel jobs at most
- jdk_path: The path to JDK installation
- android_sdk_path: The path to Android SDK installation
See
default_workflow/default_workflow_config.json
for example anddefault_workflow/README.md
for details. Then run the default workflow by$ python default_workflow.py -c default_workflow_config.json
- emulator_id: The emulator's device ID. The device ID's are the first-column items shown by
-
Enable the
ReDroid
Xposed module in emulator and reboot the virtual machine. -
Now the anti-sandbox behaviors of apps specified in
apk_dir
are countered by ReDroid in the emulator.
Apart from the default workflow, the tools in each phase can be used separately. Detailed usage and specifications can be found in README.md
in corresponding folders.
Related Projects
- DroidBot: A lightweight test input generator for Android. Used in ReDroid for dynamic testing Android apps.
- anti-emulator (based on an origin version): An emulator detector. One of the sample apps.
- DenDroid: An Android Trojan equipped with anti-sandbox techniques. One of the sample apps.
- LibRadar: A detecting tool for 3rd-party libraries in Android apps. Its 3rd party library package detection results is used for trace comparing in ReDroid.
- AOSP: Android Open Source Project
- Android x86: A project to port Android open source project to x86 platform
- Xposed: Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs.