MIME: A Formal Approach to (Android) Emulation Malware Analysis

  • Fabio Bellini
  • Roberto Chiodi
  • Isabella MastroeniEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9482)


In this paper, we propose a new dynamic and configurable approach to anti-emulation malware analysis, aiming at improving transparency of existing analyses techniques. We test the effectiveness of existing widespread free analyzers and we observe that the main problem of these analyses is that they provide static and immutable values to the parameter used in anti-emulation tests. Our approach aims at overcoming these limitations by providing an abstract non-interference-based approach modeling the fact that parameters can be modified dynamically, and the corresponding executions compared.


Anti-emulation malware Abstract non-interference Program analysis 


  1. 1.
    Bellini, F., Chiodi, R., Mastroeni, I.: Mime: a formal approach for multiple investigation in (android) malware emulation analysis. Technical report RR 97/2015 (2015).
  2. 2.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Conference Record of POPL 1977, pp. 238–252. ACM (1977)Google Scholar
  3. 3.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of CCS 2008, pp. 51–62. ACM (2008)Google Scholar
  4. 4.
    P. Ferrie. Attacks on virtual machine emulators. Symantec Corporation, Mountain View (2007)Google Scholar
  5. 5.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Proceedings of POPL 2004, pp. 186–197. ACM (2004)Google Scholar
  6. 6.
    Kang, M.G., Yin, H., Hanna, S., McCamant, S., Song, D.: Emulating emulation-resistant malware. In: Proceedings of VMSec 2009, pp. 11–22. ACM (2009)Google Scholar
  7. 7.
    Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
    Liston, T., Skoudis, E., On the cutting edge: Thwarting virtual machine detection (2006).
  9. 9.
    Mastroeni, I.: On the rôle of abstract non-interference in language-based security. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 418–433. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Mastroeni, I.: Abstract interpretation-based approaches to security - A survey on abstract non-interference, its challenging applications. In: Semantics, Abstract Interpretation, Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his 60th Birthday, pp. 41–65 (2013)Google Scholar
  11. 11.
    Paleari, R., Martignoni, L., Fresi Roglia, G., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect cpu emulators. In: Procedings of WOOT 2009, p. 2. USENIX Association (2009)Google Scholar
  12. 12.
    Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In Proceedings of EuroSec 2014, pp. 5:1–5:6. ACM (2014)Google Scholar
  13. 13.
    D. Quist, V. Smith. Detecting the presence of virtual machines using the local data table. Offensive Computing (2006).
  14. 14.
    Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1–18. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Rutkowska, J.: Red pill... or how to detect vmm using (almost) one cpu instruction (2004).
  16. 16.
    Vishnani, K., Pais, A.R., Mohandas, R.: Detecting & defeating split personality malware. In: Proceedings of SECURWARE 2011, pp. 7–13 (2011)Google Scholar
  17. 17.
    Yan, L.K., Jayachandra, M., Zhang, M., Yin, H.: V2e: combining hardware virtualization and software emulation for transparent and extensible malware analysis. Sigplan Not. 47(7), 227–238 (2012)CrossRefGoogle Scholar
  18. 18.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of SP 2012, pp. 95–109. IEEE Computer Society (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Fabio Bellini
    • 1
  • Roberto Chiodi
    • 1
  • Isabella Mastroeni
    • 1
    Email author
  1. 1.Dipartimento di InformaticaUniversità di VeronaVeronaItaly

Personalised recommendations