ReDroid is a toolbox for automatically detecting and countering anti-sandbox behaviors in Android apps.
What is anti-sandbox behavior
Anti-sandbox behavior means that an app checks whether it is running on a real device or on an emulator, and behaves differently depending on the answer. Commercial apps may do this to prevent abuse (such as cheating in a game); malware does it to escape dynamic app analysis and attack only real, more valuable targets.
Known Android apps equipped with anti-sandbox techniques include Wechat (commercial app), Collapse Gakuen 2 (game) and DenDroid (malware).
How does ReDroid work
Given an Android app, ReDroid processes it in a detecting phase and a countering phase.
Detecting Phase: ReDroid runs the app on both a real device and an emulator, collects the runtime traces from each, and compares the real-device traces against the emulator traces. An app equipped with anti-sandbox techniques behaves (largely) differently on the two platforms, so the traces it generates differ, and ReDroid reports that divergence as anti-sandbox behavior.
Countering Phase: ReDroid replays the app with a JDWP monitor enabled and records the return values of certain critical methods. A corresponding DSM (dynamic state modification) rule is then generated automatically and passed to Xposed, which makes those critical methods return the same values in the emulator as on the real device, neutralizing the anti-sandbox behavior.
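The two phases, as an added Python example that is not ReDroid's own code: two constructed traces (the same app on a phone and on the emulator) are diffed to find probe methods that return different values and the point where the call sequences diverge, one rule per differing probe pins the emulator's return value to the real device's value, and a model of the runtime hook shows a typical emulator check flipping from true to false once the rules are applied. The trace tuple layout, the rule schema, the methods used as probes and all sample values are assumptions made for this illustration, not ReDroid's formats.

```python
import json
from typing import Callable, Dict, List, Tuple

# A trace entry: (fully qualified method, argument tuple, return value).
# Both traces are constructed for this example; they are not ReDroid output.
Call = Tuple[str, Tuple[str, ...], str]

# Same app run on a real phone and on the emulator. The first three calls are
# environment probes; the fourth is where behaviour diverges because the
# probes reported an emulator.
REAL_TRACE: List[Call] = [
    ("android.os.SystemProperties.get", ("ro.hardware",), "bullhead"),
    ("android.telephony.TelephonyManager.getDeviceId", (), "352099001761481"),
    ("android.telephony.TelephonyManager.getNetworkOperatorName", (), "T-Mobile"),
    ("com.example.app.Main.startGame", (), "void"),
]
EMU_TRACE: List[Call] = [
    ("android.os.SystemProperties.get", ("ro.hardware",), "goldfish"),
    ("android.telephony.TelephonyManager.getDeviceId", (), "000000000000000"),
    ("android.telephony.TelephonyManager.getNetworkOperatorName", (), "Android"),
    ("com.example.app.Main.showBenignScreen", (), "void"),
]


def detect_divergence(real: List[Call], emu: List[Call]):
    """Detecting phase: compare the two traces.

    Returns (probe_diffs, divergence_index). probe_diffs lists calls made on
    both platforms with the same method and arguments but a different return
    value; divergence_index is the first position at which the call
    sequences stop matching (None if they never diverge).
    """
    real_returns = {(m, a): r for m, a, r in real}
    probe_diffs = []
    for method, args, emu_ret in emu:
        real_ret = real_returns.get((method, args))
        if real_ret is not None and real_ret != emu_ret:
            probe_diffs.append((method, args, real_ret, emu_ret))

    divergence = None
    for i, (rc, ec) in enumerate(zip(real, emu)):
        if rc[:2] != ec[:2]:  # different method or different arguments
            divergence = i
            break
    if divergence is None and len(real) != len(emu):
        divergence = min(len(real), len(emu))
    return probe_diffs, divergence


def generate_dsm_rules(probe_diffs) -> List[Dict]:
    """Countering phase, step 1: one rule per differing probe, pinning the
    emulator's return value to what the real device returned. This schema is
    the example's own assumption, not ReDroid's rule format."""
    rules = []
    for method, args, real_ret, _ in probe_diffs:
        cls, _, name = method.rpartition(".")
        rules.append({"class": cls, "method": name,
                      "args": list(args), "return": real_ret})
    return rules


def hooked_return(rules: List[Dict], method: str, args, emu_ret: str) -> str:
    """Model of the runtime hook: after the method has run on the emulator,
    substitute the rule's value when class, method and arguments match;
    otherwise hand back the emulator's own return value."""
    cls, _, name = method.rpartition(".")
    for rule in rules:
        if (rule["class"], rule["method"]) == (cls, name) and tuple(rule["args"]) == tuple(args):
            return rule["return"]
    return emu_ret


def app_thinks_emulator(lookup: Callable[[str, tuple], str]) -> bool:
    """A typical anti-sandbox check (constructed): any single tell is enough."""
    hardware = lookup("android.os.SystemProperties.get", ("ro.hardware",))
    imei = lookup("android.telephony.TelephonyManager.getDeviceId", ())
    operator = lookup("android.telephony.TelephonyManager.getNetworkOperatorName", ())
    return hardware in ("goldfish", "ranchu") or imei == "000000000000000" or operator == "Android"


def run_check_on_emulator(rules: List[Dict]) -> bool:
    """Run the app's check against the emulator's real answers, filtered
    through the hook. With no rules the check sees the emulator; with the
    generated rules it sees the phone's values."""
    emu_env = {(m, a): r for m, a, r in EMU_TRACE}

    def lookup(method, args):
        return hooked_return(rules, method, args, emu_env[(method, tuple(args))])

    return app_thinks_emulator(lookup)


if __name__ == "__main__":
    diffs, where = detect_divergence(REAL_TRACE, EMU_TRACE)
    print("behaviour diverges at call index", where)
    rules = generate_dsm_rules(diffs)
    print(json.dumps(rules, indent=2))
    print("check reports emulator without rules:", run_check_on_emulator([]))
    print("check reports emulator with rules:", run_check_on_emulator(rules))
```

Only values that pass through a hookable Java method can be pinned this way: a check done in native code, or one that reads a file such as /proc/cpuinfo directly, never shows up as a method return value and needs a different countermeasure.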
Prerequisite: the Android SDK's platform_tools and tools directories added to PATH.
As mentioned in the introduction, ReDroid's workflow consists of a detecting phase and a countering phase. The detecting part is implemented in the anti_sandbox_detector folder, and the countering part in the dsm_patcher folder.
To launch the default workflow, follow these 5 steps:
1. Set up the Android VM following marshmallow_modifications/README.md.
2. Enable the ADB connection to the VM using
$ adb connect <vm_ip>:5555
One can get the Android VM's IP by opening a shell in the VM with ALT+F7 and running the ifconfig command.
3. Specify the required config values in default_workflow/default_workflow_config.json; the device IDs are those reported by adb devices. See default_workflow/default_workflow_config.json for an example and default_workflow/README.md for details.
4. Run the default workflow by
$ python default_workflow.py -c default_workflow_config.json
5. Enable the ReDroid Xposed module in the emulator and reboot the virtual machine. The apps in apk_dir are then countered by ReDroid in the emulator.
Apart from the default workflow, the tools in each phase can be used separately. Detailed usage and specifications can be found in the README.md in the corresponding folders.
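A preflight check before running the default workflow, as an added Python example that is not part of ReDroid: it parses the output of adb devices and confirms that both the real device and the VM attached with adb connect are present and in the device state, since a device that is offline or unauthorized (USB debugging prompt not accepted) cannot be driven by adb. The serials and the sample adb devices output are constructed for the example.

```python
import re
import subprocess
from typing import Dict, List

# Serials are assumptions for this example. The emulator serial is the
# <vm_ip>:5555 form that `adb connect` produces.
REAL_SERIAL = "ZY223ABCDE"
EMULATOR_SERIAL = "192.168.56.101:5555"

# Constructed `adb devices` output: the phone is ready, the VM is attached
# but its debugging prompt has not been accepted yet.
SAMPLE_OUTPUT = """List of devices attached
ZY223ABCDE\tdevice
192.168.56.101:5555\tunauthorized

"""


def parse_adb_devices(output: str) -> Dict[str, str]:
    """Map serial -> state (device, offline, unauthorized, ...) from adb devices text."""
    states = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("List of devices"):
            states[parts[0]] = parts[1]
    return states


def preflight(states: Dict[str, str], real: str, emulator: str) -> List[str]:
    """Return the problems that would stop the workflow; an empty list means
    both targets are attached and usable."""
    problems = []
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:5555", emulator):
        problems.append(f"emulator id {emulator!r} is not in <vm_ip>:5555 form; run adb connect first")
    for label, serial in (("real device", real), ("emulator", emulator)):
        state = states.get(serial)
        if state is None:
            problems.append(f"{label} {serial} is not listed by adb devices")
        elif state != "device":
            problems.append(f"{label} {serial} is {state!r}, expected 'device'")
    return problems


def live_adb_devices() -> str:
    """Query the real adb on PATH (this is why platform_tools must be on PATH)."""
    return subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for live_adb_devices() to check a real setup.
    for problem in preflight(parse_adb_devices(SAMPLE_OUTPUT), REAL_SERIAL, EMULATOR_SERIAL):
        print("preflight:", problem)
```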