Android emulated environment for malware testing

Discussion in 'Malware Analysis' started by LabZero, Jan 27, 2016.

  1. LabZero

    LabZero Guest

    #1 LabZero, Jan 27, 2016
    Last edited by a moderator: Jan 27, 2016
    Hello everyone

    Today there are more and more issues concerning the mobile security, in addition to the growing number of smartphone purchased, grow the number of apps downloaded by each user, and the possibility of downloading apps infected with malwares or viruses. In particular, the Android malwares are the subject of several studies by researchers, but have not yet generated proper attention in the users. Users are not aware of the risks related to the installation of applications and don’t pay attention to the permissions they require. Malicious applications developers take advantage of various social engineering techniques to be able to install malware on users' devices. The most common technique is to distribute free versions of popular apps usually supplied with a fee on alternative Android markets that will certainly entice users that don't pay attention to security. Another technique is to leverage the update of an application initially not malicious including in it an update component that will download the malicious payload at runtime. The main goals of criminals that design these malwares ranges from "privilege escalation", trying to get administrative rights on the device, remote control, financial charge by sending SMS to premium numbers or the collection of personal information.

    So I thought of introducing another level of analysis in our Malware Hub: the installation of an Android emulator to test specific APK malware for Android antivirus testing, so it is possible to test malware and Android antivirus in specific and better conditions.

    Anyone who wants to test Android malware in emulated environment can install MEmu

    The MEmu emulator needs the user's current Windows platform, which can start running Android on your desktop with internet connection (shared).
    Users can also customize certain details such as CPU, root mode, display resolution, memory size and a whole lot more.
    Other highlights include file sharing between Android and Windows and quick APK installation through dropping and dragging for our purpose.

    I then installed MEmu on my Windows 7 x64bit on Shadow Defender without problems and I downloaded and installed an APK malware, testing it with Avast Mobile Security.

    I highly recommend the installation of MEmu in a VM because it's known that Android malware could infect Windows and on MEmu interface you can see shared folders.

    Everyone can decide whether to use MEmu or install another emulator of your choice and I hope this thread will be useful for our malware/anti-malware testers.

    MEmu installation and UI



    Import APK in MEmu


    APK malware and Avast MS detection

    Antivirus scan for 80612fe193401626268553c54a865e67b76311e782005ede2ba7a87a5d637420 at 2016-01-27 17:24:57 UTC - VirusTotal



    Of course feel free to add suggestions and improvements in this thread! :)
    P0stmaN, ebfe, cheburash and 20 others like this.
  2. DracusNarcrym

    DracusNarcrym Level 19

    Oct 16, 2015
    Windows 10
    Excellent tutorial! It outlines every necessary step required for anyone to begin malware testing on Android!

    A little note, though, Bluestacks is supposed to emulate the Android runtime environment to run Android apps on PC - it is not designed to emulate an entire Android OS.
    Logethica, davisd, DardiM and 8 others like this.
  3. LabZero

    LabZero Guest

    Good point, but I think it's enough for our purposes.:)
    Logethica, davisd, DardiM and 7 others like this.
  4. TheSuperGeek

    TheSuperGeek Guest

    Emulate something inside a VM ?
    @Klipsch: Are you using a Nuclear-powered computer ?
    Logethica, davisd, DardiM and 5 others like this.
  5. DracusNarcrym

    DracusNarcrym Level 19

    Oct 16, 2015
    Windows 10
    Android is not really that heavy to emulate, even from within a VM.
    If you have capable hardware, you can also do a GPU passthrough for optimal native performance output from the VM, so it feels like it's a physical machine. :p
    Logethica, davisd, DardiM and 5 others like this.
  6. LabZero

    LabZero Guest

    I have tested MEmu on Shadow Defender with no slowdown, unfortunately I can not say about the VM.
    Can you try it ?
    Logethica, davisd, DardiM and 6 others like this.
  7. TheSuperGeek

    TheSuperGeek Guest

    Not now sorry, I haven't got a Windows VM.
    Logethica, davisd, DardiM and 4 others like this.
  8. Rishi

    Rishi Level 19

    Dec 3, 2015
    Windows 10
    #8 Rishi, Jan 27, 2016
    Last edited: Jan 27, 2016
    I am running 2 emulators BlueStacks and Andy on another machine and tried the new Remix OS, unfortunately didnt work.. now remix OS inside a VM would not be a big deal if it can just boot..memu looks greats though.
    Logethica, davisd, DardiM and 4 others like this.
  9. JM Security

    JM Security Level 28

    Apr 12, 2015
    SecureMyBit Developer
    Great thread, well explained :)
    Logethica, davisd, DardiM and 3 others like this.
  10. KenYang

    KenYang New Member

    Mar 10, 2016
    Is the Android emulated have suppot snapshot or Restore the original status?
  11. DardiM

    DardiM Level 26
    Trusted AV Tester

    May 14, 2016
    Windows 10
    Thanks for your great post :)
    I enjoyed to read it :)
    Logethica, davisd and LabZero like this.
  12. LabZero

    LabZero Guest

    #12 LabZero, Aug 3, 2016
    Last edited by a moderator: Aug 3, 2016
    I don't remember, because this is an old thread and I have not used MEmu recently. However, you have to run it in a VM, so you can easily use VM snapshots.
  13. davidp

    davidp Level 1

    Aug 16, 2016
    Bay Area
    Thanks for sharing! Wasn't aware of MEmu before.
    LabZero, Solarquest and Logethica like this.
Similar Threads Forum Date
Update Norton Mobile Security for Android Norton (Symantec) Yesterday at 1:12 AM
GhostTeam Android Malware Can Steal Facebook Credentials (53 apps removed from official Play Store) Security News Thursday at 9:34 AM
Update Norton Family 4.5 for Android is now available! Norton (Symantec) Thursday at 12:52 AM