Pierluigi Paganini April 06, 2018

VirusTotal announced on Thursday the launch of a new Android sandbox, named Droidy sandbox, that will replace the previous one that was designed in 2013.

“Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.” reads the announcement published by Virus Total.

The Droidy sandbox was specifically designed to analyzed mobile threats, it can be used to obtain information on network communications and SMS-related activities, file system interactions, SQLite database usage, permissions, Java reflection calls, process and service actions, registered receivers, and crypto-related activity.

The Droidy sandbox is integrated with other services, such as VirusTotal Graph and VirusTotal Intelligence, the company aims to create a complete environment for malware analysis that helps professionals to analyzed the threats.

If you are interested in more info about the new Droidy sandbox just select it from the drop-down menu in the  Behavior section, it also includes the Tencent HABO analysis system.

It is an important improvement for the VirusTotal platform, data from Droidy sandbox are complementary to the Tencent HABO.

The two sandboxes are part of a multisandbox project that aims to aggregate malware analysis sandbox reports.

“VirusTotal is much more than just an antivirus aggregator; we run all sorts of open source/private/in-house tools to further characterize files, URLs, IP addresses and domains in order to highlight suspicious signals.” states VirusTotal.

“Similarly, we execute a variety of backend processes to build relationships between the items that we store in the dataset, for instance, all the URLs from which we have downloaded a given piece of malware.“

Selecting Droidy sandbox from the behavior menu it is possible to see general information about the analyzed sample. Users can also go deeper in their analysis and “dig into the hooked calls and take a look at the screenshots generated when running the apps.”

“To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

https://www.virustotal.com/#/file/f1475147b50a2cc868e308d87457cebd35fd6443ef27adce67a6bb3e8b865073/behavior” continues VirusTotal.

“Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.” concluded VirusTotal.

Pierluigi Paganini

(Security Affairs – Android, Droidy sandbox)

[adrotate banner=”5″]

[adrotate banner=”13″]