Habo SecBox: run and monitor malware on real Android device (sponsor presentation)

Thursday 5 October 16:30 - 17:00, Red room

Song Lanqi (Tencent)
Wang Bin (Tencent)

Malware attacks have become a serious threat because of the harm caused by privacy leakage and the loss of digital assets. Current mobile security software usually detects malware by collecting a sample's static characteristics and checking them against a remote cloud database. Under this anti-virus architecture, criminals who make malware can easily bypass security software, and prevent their processes from being killed, through code encryption, social engineering and so on. As a result, security vendors and users are always in a passive position.

This paper proposes an innovative solution: an isolated execution environment for suspicious samples on a real Android device. The environment is able to execute malware independently, monitor its behaviour dynamically, and provide fake privacy data. Once a dangerous behaviour is triggered, it is blocked or 'virtually executed', and the user receives a friendly alert. Instead of analysing malware in emulators on a computer, the solution executes malware on a real Android device, where a variety of test scenarios exist, and the user can take part in monitoring the malware and get more detail in a white-box fashion. This is a notable advantage when digging into hidden malware, such as malicious programs which pretend to be harmless apps, or which perform malicious behaviours only at specific times or under certain circumstances. Generally, the solution focuses on dynamic behaviour analysis, which is least affected by code encryption and virus variation.

Based on the solution described above, Tencent Anti-virus Laboratory has developed a tool named Habo SecBox. By simulating the core services of the Android framework, Habo SecBox isolates the data and code execution of malware from other apps and from the Android system, so that the malware can only run in a limited-access sandbox. The tool then monitors the malware's behaviour in real time by hooking some pivotal APIs of the Android system. Finally, a set of appropriate defence strategies is developed for different levels of risky behaviour with the help of our policy library.

Following a series of optimizations and adaptations, Habo SecBox is compatible with Android 2.x - 7.0 without root privilege. Over 60 different kinds of malware on the Android platform were collected, and 90% of malicious behaviours can be detected and blocked.



Song Lanqi

Song Lanqi is a senior security engineer at Tencent. He joined Tencent in 2010, and has focused on the field of Windows and Android security during the past seven years. Song is the Major Designer of Habo Android Analysis Environment, a behaviour analysis honeypot for suspected samples. He is interested in honeypot system building and malicious behaviour mining.



Wang Bin

Wang Bin is a security engineer in Tencent's anti-virus laboratory, and currently focuses on Android internal security (especially Android Framework and kernel) and Android malware analysis. Habo SecBox is one of his recent projects, which is an innovative Android anti-virus framework that can run and monitor malware on a real Android device.





