SMS Observer: A dynamic mechanism to analyze the behavior of SMS-based malware

Abstract

Nowadays smartphones become an indispensable tool in many people's everyday life that makes themselves attractive targets for attackers. Among various malware targeting at smartphones, SMS-based malware is one of the most notorious ones. Though a number of Android dynamic analysis frameworks have been proposed to analyze SMS-based malware, most of these frameworks or some Android tools, such as Google Android Emulator, do not support an app or malware to send SMS messages to a real smartphone; hence, security researchers cannot use them directly to analyze the behavior of SMS-based malware. In our previous work, SMS Helper, we designed an application layer tool to allow an app or malware in an Android emulator to send and receive SMS messages to or from a real smartphone. Based on SMS Helper, this paper proposes an Android dynamic analysis framework, called SMS Observer, to assist security researchers to analyze SMS-based malware. SMS Observer integrates SMS Helper into it as a client agent, meanwhile, and it maintains the integrity of system logs. This paper also figures out a way to detect whether an app is executed in an emulator and describes how to use SMS Observer to prevent such evasion. Experimental results using real-world malware samples show SMS Observer is much more effective in detecting SMS-related behavior of SMS-based malware than existing frameworks, such as Google Android Emulator, Andrubis, CopperDroid, and DroidBox. SMS Observer can analyze sophisticated SMS-based malware samples and provide a comprehensive view of malicious behavior.