The present disclosure relates to a mobile device for analyzing malicious code using a container platform, a system for analyzing malicious code in a mobile device, and a method for analyzing malicious code using a container platform, and more particularly, to a design for mobile malware analysis using Linux container technology. “Linux,” a well-known trademark, refers to open-source operating systems built around the Linux kernel.
Many bypass techniques based on anti-emulator technology have been developed against Android malicious code analysis platforms, such as the Android virtual device (AVD), which is a virtualization platform, and Android-x86 run in a Quick Emulator (QEMU)-based emulator. “Android,” a well-known trademark, refers to a mobile operating system based on a modified version of the Linux kernel.
Anti-emulator technology not only distinguishes actual mobile hardware from emulated hardware information but also determines, for that distinction, whether eight sensor functions are provided. Defeating such anti-emulator checks with an actual mobile device is costly when a large number of Android applications (apps) must be analyzed, and it is also inefficient.
Representative approaches in use are bare-metal, a real device with automation tools, an Intel-based Android version, and Virtualbox/VMware.
Representative examples of bare-metal include AVD, Bluestack, AMIDuOS, Nox, and so on. QEMU is an emulator and virtualization tool that may be used to virtualize the hardware of an Android virtual device, and an emulator may configure a virtual environment through QEMU.
A real device with automation tools can execute all application programs without compatibility problems and is therefore an effective method of conducting an Android application analysis. Since emulator-bypass techniques evolve as malicious code becomes more intelligent, a real device with automation tools ensures the safest analysis. However, it has the drawback of degraded efficiency.
An Intel-based Android version may be executed not only on a mobile device but also on a laptop computer or a personal computer (PC). One such Android-x86 type is RemixOS. An Intel-based Android version is provided as an ISO file and may be executed in a virtualization tool such as Virtualbox or VMware.
However, existing Android malicious code analysis has the following problems.
Intelligent malicious code examines the emulator environment in various ways, such as the basic method of checking virtual environment information, a method of examining the build environment, equipment, and hardware information, and other methods (e.g., checking whether /dev/qemu_pipe or /dev/socket/qemud exists, or checking QEMU information using the getprop command). Since some apps do not operate in a rooted environment, it is difficult to analyze such apps on the basis of QEMU.
Further, an app analysis on a real Android device provides better results, but it is difficult to automate the pre-analysis and post-analysis processes. Also, since applying an app analysis on a real Android device to a cloud environment makes it difficult to improve expandability and flexibility, an app analysis on a real Android device is not appropriate for an analysis environment.
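The emulator checks listed above are the same ones a sandbox operator runs against a candidate analysis environment to see which artifacts it exposes before trusting its results. The following audit script is an added example, not code from the disclosure; the device nodes come from the text, while the build property names and their tell-tale values are assumptions for this example.

```python
import re

# Device nodes that exist only under QEMU-based Android emulators (from the text above).
QEMU_DEVICE_NODES = ("/dev/qemu_pipe", "/dev/socket/qemud")

# Build/hardware properties and the values that reveal an emulator.
# Property names and values are assumptions for this example, not taken from the text.
PROPERTY_CHECKS = {
    "ro.kernel.qemu": lambda v: v == "1",
    "ro.hardware": lambda v: v in ("goldfish", "ranchu"),
    "ro.product.model": lambda v: "sdk" in v.lower() or "emulator" in v.lower(),
    "ro.build.fingerprint": lambda v: v.startswith("generic"),
}


def parse_getprop(output):
    """Parse `getprop` output lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in output.splitlines():
        match = re.match(r"\[([^\]]+)\]:\s*\[(.*)\]\s*$", line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def find_emulator_indicators(present_paths, getprop_output):
    """Return the emulator indicators an anti-emulator check would find.

    present_paths: device paths that exist on the analysis system.
    getprop_output: raw text captured from the `getprop` command.
    """
    found = []
    for node in QEMU_DEVICE_NODES:
        if node in present_paths:
            found.append("device node present: " + node)
    props = parse_getprop(getprop_output)
    for key, reveals_emulator in PROPERTY_CHECKS.items():
        value = props.get(key)
        if value is not None and reveals_emulator(value):
            found.append("property " + key + "=" + value)
    return found


if __name__ == "__main__":
    # Constructed sample: a sandbox that leaks its QEMU origin via a device node and two properties.
    # On a live system, build `present` with os.path.exists() over QEMU_DEVICE_NODES instead.
    sample_getprop = "[ro.kernel.qemu]: [1]\n[ro.hardware]: [ranchu]\n[ro.product.model]: [Pixel 4]\n"
    present = {"/dev/qemu_pipe"}
    for indicator in find_emulator_indicators(present, sample_getprop):
        print("exposed:", indicator)
```

An environment that yields an empty list for these checks is not proven clean, since the text also mentions sensor-based and hardware-information checks that this script does not cover.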