The Android mining sandbox approach consists in running dynamic analysis
tools on a benign version of an Android app and recording every call to
sensitive APIs. Later, one can use this information to (a) prevent calls to
other sensitive APIs (those not previously recorded) or (b) run the dynamic
analysis tools again in a different version of the app — in order to identify
possible malicious behavior. Although the use of dynamic analysis for mining
Android sandboxes has been empirically investigated before, little is known
about the potential benefits of combining static analysis with the mining
sandbox approach for identifying malicious behavior. As such, in this paper we
present the results of two empirical studies: The first is a non-exact
replication of a previous research work from Bao et al., which compares the
performance of test case generation tools for mining Android sandboxes. The
second is a new experiment to investigate the implications of using taint
analysis algorithms to complement the mining sandbox approach in the task of
identifying malicious behavior. Our study brings several findings. For instance,
the first study reveals that a static analysis component of DroidFax (a tool
used for instrumenting Android apps in the Bao et al. study) contributes
substantially to the performance of the dynamic analysis tools explored in the
previous work. The results of the second study show that taint analysis is also
a practical complement to the mining sandbox approach, improving the performance
of the latter strategy by at most 28.57%.
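
The following sketch is an added illustration of the mining sandbox idea described above, not code from the paper or from DroidFax. The trace format, the app package names and the short sensitive-API list are assumptions made for the example. It mines a sandbox from runs of a benign version and then applies it both ways: (a) as an allow/deny decision and (b) as a diff against a trace from another version.

```python
# Assumed sensitive-API list (a real study would use a much larger curated set).
SENSITIVE_APIS = frozenset({
    "android.telephony.TelephonyManager.getDeviceId",
    "android.telephony.SmsManager.sendTextMessage",
    "android.location.LocationManager.getLastKnownLocation",
    "android.accounts.AccountManager.getAccounts",
})

# Constructed traces in an assumed "caller -> callee" format, one call per line.
BENIGN_RUNS = [  # two exploration runs of the benign version
    "com.example.MainActivity.onCreate -> android.location.LocationManager.getLastKnownLocation\n"
    "com.example.MainActivity.onCreate -> java.lang.StringBuilder.append",
    "com.example.SyncService.run -> android.accounts.AccountManager.getAccounts\n"
    "this line is malformed and is skipped",
]
SUSPECT_RUN = (  # one run of a different version of the same app
    "com.example.MainActivity.onCreate -> android.location.LocationManager.getLastKnownLocation\n"
    "com.example.ads.Tracker.init -> android.telephony.TelephonyManager.getDeviceId\n"
    "com.example.ads.Tracker.flush -> android.telephony.SmsManager.sendTextMessage\n"
    "com.example.ads.Tracker.flush -> java.net.URL.openConnection"
)

def parse_trace(text):
    """Return (caller, callee) pairs, ignoring lines that do not match the format."""
    calls = []
    for line in text.splitlines():
        caller, sep, callee = line.partition(" -> ")
        if sep and caller.strip() and callee.strip():
            calls.append((caller.strip(), callee.strip()))
    return calls

def mine_sandbox(runs):
    """Sandbox = every sensitive API observed in any run of the benign version."""
    return {callee for run in runs for _, callee in parse_trace(run)
            if callee in SENSITIVE_APIS}

def is_allowed(sandbox, api):
    """Use (a): non-sensitive calls pass; sensitive calls pass only if recorded."""
    return api not in SENSITIVE_APIS or api in sandbox

def diff_version(sandbox, run):
    """Use (b): sensitive calls in another version's trace that the sandbox lacks."""
    return sorted({(callee, caller) for caller, callee in parse_trace(run)
                   if not is_allowed(sandbox, callee)})

if __name__ == "__main__":
    sandbox = mine_sandbox(BENIGN_RUNS)
    for api, caller in diff_version(sandbox, SUSPECT_RUN):
        print(f"not in sandbox: {api} (called from {caller})")
```

The sandbox is only as complete as the exploration that produced it: a sensitive call the benign runs never reached is reported as new, which is why the coverage achieved by the test generation tools matters.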
