Abstract

Dynamic analysis technique has been widely used in Android malware detection. Previous works on evading dynamic analysis focus on discovering the fingerprints of emulators. However, such method has been challenged since the introduction of real devices in recent works. In this paper, we propose a new approach to evade automated runtime analysis through detecting programmed interactions. This approach, in essence, tries to tell the identity of the current app controller (human user or automated exploration tool), by finding intrinsic differences between human user and machine tester in interaction patterns. The effectiveness of our approach has been demonstrated through evaluation against 11 real-world online dynamic analysis services.