Towards mining comprehensive android sandboxes

Tien-Duy B. Le, Lingfeng Bao, David Lo, Debin Gao, Li Li

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

5 Citations (Scopus)


Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. Proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase-occurring, for example, due to malicious code injection during an attack-can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.'s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse-and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure respectively.

Original languageEnglish
Title of host publicationProceedings - 23rd IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2018
Subtitle of host publication12–14 December 2018 Melbourne, Australia
EditorsJun Sun, Anthony Widjaja Lin
Place of PublicationPiscataway NJ USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Number of pages10
ISBN (Electronic)9781538693414
ISBN (Print)9781538693421
Publication statusPublished - 2018
EventIEEE International Conference on Engineering of Complex Computer Systems 2018 - Melbourne, Australia
Duration: 12 Dec 201814 Dec 2018
Conference number: 23rd (Proceedings)


ConferenceIEEE International Conference on Engineering of Complex Computer Systems 2018
Abbreviated titleICECCS 2018
Internet address


  • Android security
  • Malicious behavior detection
  • Mining sandboxes

Cite this