Andrubis gives us an insight into various behavioral aspects and properties of a submitted app by employing both static and dynamic analysis approaches. During the dynamic analysis part an app is installed and run in an emulator – the Dalvik VM. In addition to the normal tracking of open, read and write events, network traffic operations and detection of dynamically registered broadcast receivers , taint analysis is also carried out to report on leakage of important data such as the IMEI. Not only that, cellphone specific events, such as phone calls and short messages sent are also captured by the Andrubis service.

Information is also obtained statically, without actually executing the Android application. Information related to the intent-filters declared by these components is also included.

In short, like the core-Anubis does for Windows PE executable’s, Andrubis executes Android apps in a sandbox and provides a detailed report on their behavior, including file access, network access, cryptographic operations, dynamic code loading and information leaks. An Andrubis static analysis yields information on e.g. the app’s activities, services, required external libraries and actually required permissions.

In order not to reinvent the wheel, Andrubis leverages several existing open source projects in addition to the Android SDK, such as:

To see how effective it is, an example report of the DroidKongFu.A Android malware, scanned via the Andrubis can be found here.

Subscribe Top Hacker Stories via email