Evade Analysis Environment

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.[1][2][3][4] Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information.[5] Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.[6]

ID: T1523
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion, Discovery
Platform: Android, iOS
Version: 1.0
Created: 02 October 2019
Last Modified: 11 October 2019

Procedure Examples

Name - Description
Rotexy - Rotexy checks if it is running in an analysis environment. [7]

Mitigations

Mitigation - Description
Application Vetting - Applications that access android.os.SystemProperties (for example via reflection) or that run getprop through Runtime.exec() should be closely scrutinized. Google does not recommend the use of system properties within applications.
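The following is an added example, not code from ATT&CK or from any vetting product, showing how the technique description above (reflection on android.os.SystemProperties, getprop via exec(), reads of Build fields and device identifiers checked against sandbox defaults) can be turned into a static vetting heuristic. It scans a constructed, smali-style fragment of decompiled output; the rule names, the sample lines and the "scrutinize" verdict threshold are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of smali-style decompiled output for an app under vetting.
# These lines are made up for this example; they are not from any real application.
SAMPLE_DECOMPILED = """\
const-string v0, "android.os.SystemProperties"
invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
const-string v1, "get"
invoke-virtual {v0, v1, v2}, Ljava/lang/Class;->getMethod(...)
const-string v3, "getprop ro.kernel.qemu"
invoke-virtual {v4, v3}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
sget-object v5, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
const-string v6, "generic"
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
"""

# Constructed benign fragment used as a negative control.
BENIGN_DECOMPILED = """\
const-string v0, "Hello"
invoke-virtual {v1, v0}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


# Rule name, pattern, and the vetting rationale. Names are assumptions for this example.
RULES = [
    ("systemproperties_reflection",
     re.compile(r'"android\.os\.SystemProperties"'),
     "hidden API reached via reflection; common emulator/sandbox fingerprinting path"),
    ("getprop_string",
     re.compile(r'const-string [^,]+, "getprop\b'),
     "getprop command string; usually paired with Runtime.exec()"),
    ("runtime_exec",
     re.compile(r'Ljava/lang/Runtime;->exec\('),
     "shell command execution"),
    ("build_field_read",
     re.compile(r'Landroid/os/Build;->(FINGERPRINT|MODEL|MANUFACTURER|HARDWARE|PRODUCT|BRAND|DEVICE):'),
     "Build fields often compared against emulator defaults"),
    ("device_identifier_read",
     re.compile(r'Landroid/telephony/TelephonyManager;->(getDeviceId|getSubscriberId|getLine1Number)\('),
     "IMEI/IMSI/phone number read; may be matched against sandbox default values"),
]


def scan(decompiled: str) -> List[Finding]:
    """Return one Finding per (line, rule) match over the decompiled text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(decompiled.splitlines(), start=1):
        for name, pattern, _rationale in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Tuple[str, List[str]]:
    """Collapse findings into a verdict plus the sorted list of rules that fired.

    Verdict policy (an assumption for this example): either SystemProperties
    reflection, or a getprop string together with Runtime.exec(), is enough to
    mark the app for closer manual review, which is what the mitigation asks for.
    """
    rules_hit = {f.rule for f in findings}
    flagged = ("systemproperties_reflection" in rules_hit
               or {"getprop_string", "runtime_exec"} <= rules_hit)
    verdict = "scrutinize" if flagged else "no_indicators"
    return verdict, sorted(rules_hit)


if __name__ == "__main__":
    for sample_name, text in (("sample", SAMPLE_DECOMPILED), ("benign", BENIGN_DECOMPILED)):
        found = scan(text)
        verdict, rules = summarize(found)
        print(f"{sample_name}: verdict={verdict} rules={rules}")
        for f in found:
            print(f"  line {f.line_no}: [{f.rule}] {f.text}")
```

Note that none of these patterns is conclusive on its own: legitimate apps read Build fields and device identifiers too, so the value of the scan is in the co-occurrence of the reflection or getprop/exec pair with identifier reads, which is why the verdict is "scrutinize" rather than "malicious".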

Detection

Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References