android-sandbox-malware-analysis

One of the largest and most popular multi-antivirus scanning services has today launched a new Android sandbox, dubbed VirusTotal Droidy, to help security researchers detect malicious apps through behavioral analysis.

VirusTotal, owned by Google, is a free online service that allows anyone to upload files to check them for viruses against dozens of antivirus engines simultaneously.

The Android sandbox performs both static and dynamic analysis, automatically flagging suspicious applications by executing and monitoring them in an emulated Android environment.

Behavioral reports for Android applications (APKs) are not new to VirusTotal: the site has offered them since 2013, using a system based on Cuckoo Sandbox, an open-source automated malware analysis framework.

VirusTotal Droidy replaces that older system. It has been integrated into VirusTotal's multi-sandbox project and extracts “juicy” details such as:

  • Network communications and SMS-related activity
  • Java reflection calls
  • Filesystem interactions
  • SQLite database usage
  • Services started, stopped
  • Permissions checked
  • Registered receivers
  • Crypto-related activity
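As an added illustration (not part of the original article or of VirusTotal's own tooling), the following Python script shows how a triage rule set can consume the kinds of details listed above and turn them into findings and pivotable indicators. The report it parses is a constructed, simplified JSON structure whose field names are assumed here to mirror those categories; the real VirusTotal API v3 behaviour objects use their own schema and would need to be mapped onto this shape.

```python
import json
import re

# Constructed sample report (illustration only, not real VirusTotal Droidy output).
# Field names follow the categories in the article, not the VirusTotal API schema.
SAMPLE_REPORT = json.dumps({
    "network": {
        "dns_lookups": ["update.example-cdn.net", "api.example.org"],
        "http_requests": [
            {"method": "POST", "url": "http://update.example-cdn.net/gate.php"},
            {"method": "GET", "url": "https://api.example.org/config"},
        ],
    },
    "sms": {"sent": [{"to": "7122", "body": "SUB 1"}], "received": []},
    "reflection_calls": [
        "dalvik.system.DexClassLoader.<init>",
        "java.lang.reflect.Method.invoke",
    ],
    "filesystem": {
        "written": ["/data/data/com.example.app/files/payload.dex"],
        "read": ["/proc/self/maps"],
    },
    "sqlite": ["content://sms/inbox"],
    "services": {"started": ["com.example.app.SyncService"], "stopped": []},
    "permissions_checked": [
        "android.permission.SEND_SMS",
        "android.permission.READ_SMS",
        "android.permission.INTERNET",
    ],
    "registered_receivers": ["android.provider.Telephony.SMS_RECEIVED"],
    "crypto": [{"algorithm": "AES/CBC/PKCS5Padding",
                "key_hex": "00112233445566778899aabbccddeeff"}],
})

SHORT_CODE = re.compile(r"^\d{3,6}$")   # short-code style numbers used by premium SMS
LOADABLE = (".dex", ".jar", ".apk")     # payload formats DexClassLoader can load


def triage(report_json):
    """Return a list of (rule, evidence) findings derived from the behaviour report."""
    r = json.loads(report_json)
    findings = []

    # Premium-SMS fraud: sending SMS to short codes.
    for msg in r.get("sms", {}).get("sent", []):
        if SHORT_CODE.match(msg.get("to", "")):
            findings.append(("premium_sms", msg["to"]))

    # SMS interception: SMS_RECEIVED receiver combined with reading the SMS provider.
    receivers = set(r.get("registered_receivers", []))
    reads_sms = any(u.startswith("content://sms") for u in r.get("sqlite", []))
    if "android.provider.Telephony.SMS_RECEIVED" in receivers and reads_sms:
        findings.append(("sms_interception", "SMS_RECEIVED receiver + content://sms query"))

    # Dynamic code loading: DexClassLoader via reflection plus a loadable file written to disk.
    uses_loader = any("DexClassLoader" in c for c in r.get("reflection_calls", []))
    payloads = [p for p in r.get("filesystem", {}).get("written", []) if p.endswith(LOADABLE)]
    if uses_loader and payloads:
        findings.append(("dynamic_code_loading", payloads[0]))

    # Cleartext POST: typical check-in or exfiltration to a C2 over plain HTTP.
    for req in r.get("network", {}).get("http_requests", []):
        if req.get("method") == "POST" and req.get("url", "").startswith("http://"):
            findings.append(("cleartext_post", req["url"]))

    # Key material observed: the sandbox saw the key the app used at runtime.
    for c in r.get("crypto", []):
        if c.get("key_hex"):
            findings.append(("crypto_key_observed", f'{c["algorithm"]} key={c["key_hex"]}'))

    return findings


def extract_iocs(report_json):
    """Pull pivotable indicators (hosts, short codes) out of the report."""
    r = json.loads(report_json)
    net = r.get("network", {})
    hosts = set(net.get("dns_lookups", []))
    for req in net.get("http_requests", []):
        m = re.match(r"https?://([^/]+)", req.get("url", ""))
        if m:
            hosts.add(m.group(1))
    numbers = {m["to"] for m in r.get("sms", {}).get("sent", [])
               if SHORT_CODE.match(m.get("to", ""))}
    return {"hosts": sorted(hosts), "sms_numbers": sorted(numbers)}


WEIGHTS = {"premium_sms": 40, "sms_interception": 30, "dynamic_code_loading": 20,
           "cleartext_post": 10, "crypto_key_observed": 5}


def score(findings):
    """Additive score capped at 100; distinct rules only, so repeats do not inflate it."""
    return min(100, sum(WEIGHTS[rule] for rule in {rule for rule, _ in findings}))


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for rule, evidence in found:
        print(f"{rule:22s} {evidence}")
    print("score:", score(found))
    print("iocs:", extract_iocs(SAMPLE_REPORT))
```

The rules deliberately combine categories rather than firing on any single one: an SMS_RECEIVED receiver alone is normal for a messaging app, but paired with a query of the SMS content provider it matches the interception pattern, and a reflective DexClassLoader call only matters once a loadable payload has actually been written to app storage. The extracted hosts and short codes are the resources one would pivot on across other samples.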

Below are behavioral analysis reports for some malicious Android apps that showcase the new capabilities of VirusTotal Droidy:

How “VirusTotal Droidy” Is Better Than Older “VirusTotal Sandbox”

VirusTotal also shared a sample report generated by the older VirusTotal Sandbox for the same sample. Selecting “VirusTotal Droidy” in that report switches to the new one, so the two technologies can be compared side by side.

For many samples, VirusTotal also offers reports from multiple sandboxes, including Tencent HABO, a sandbox developed independently by the Chinese antivirus firm Tencent.

“The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal,” the company said. “This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations.”

Reports generated by the new VirusTotal Droidy sandbox also include interactive data from other VirusTotal services, such as VirusTotal Intelligence and VirusTotal Graph.