Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments. Adversaries may access
android.os.SystemProperties via Java reflection to obtain specific system information. Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.
Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.
Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.
Applications attempting to get
Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.