Automatically triggering malicious behaviors is an essential step to understand malware for developing effective solutions. Existing automated dynamic analysis approaches usually try to trigger the malicious behaviors by relying on simple fuzzing or complex input generation techniques (e.g., concolic execution). However, advanced malware often adopt various evasion techniques to hide malicious behaviors, e.g., by introducing complex condition checks which are very hard to trigger. In this paper, we propose a new approach named DirectDroid, which bypasses related checks through on-demand forced execution while adopting fuzzing to feed the necessary program input. In this way, many hidden malicious behaviors can be successfully triggered. To ensure the normal execution towards the malicious behaviors, DirectDroid also largely handles potential program crashes caused by forced execution. Finally, we implement a prototype of DirectDroid and evaluate it against 951 recent malware samples. Our experiment results show that DirectDroid can trigger many more malicious behaviors than several previous works, even when crashes happened. Our further analysis shows that DirectDroid has a low false positive rate even though it adopts forced execution.
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications
- Electrical and Electronic Engineering