Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization

Abstract

A fast-growing demand from smartphone users is mobile virtualization.This technique supports running separate instances of virtual phone environments on the same device. In this way, users can run multiple copies of the same app simultaneously,and they can also run an untrusted app in an isolated virtual phone without causing damages to other apps. Traditional hypervisor-based virtualization is impractical to resource-constrained mobile devices.Recent app-level virtualization efforts suffer from the weak isolation mechanism. In contrast, container-based virtualization offers an isolated virtual environment with superior performance.However, existing Android containers do not meet the anti-evasion requirement for security applications: their designs are inherently incapable of providing transparency or stealthiness. In this paper, we present VPBox, a novel Android OS-level sandbox framework via container-based virtualization. We integrate the principle of anti-virtual-machine detection into VPBox's design from two aspects.First, we improve the state-of-the-art Android container work significantly for transparency.We are the first to offer complete device virtualization on mainstream Android versions.To minimize the fingerprints of VPBox's presence, we enable all virtualization components (i.e., kernel-level device and user level device virtualization) to be executed outside of virtual phones (VPs).Second, we offer new functionality that security analysts can customize device artifacts (e.g., phone model, kernel version, and hardware profiles) without user-level hooking. This capability prevents the tested apps from detecting the particular mobile device (e.g., Google Pixel phone) that runs an Android container.Our performance evaluation on five VPs shows that VPBox runs different benchmark apps at native speed.Compared with other Android sandboxes, VPBox is the only one that can bypass a set of virtual environment detection heuristics. At last, we demonstrate VPBox's flexibility in testing environment-sensitive malware that tries to evade sandboxes.