Lumus: Dynamically Uncovering Evasive Android Applications

Afonso V, Kalysch A, Müller T, Oliveira D, Grégio A, De Geus PL (2018)

Publication Language: English

Publication Type: Conference contribution, Conference Contribution

Publication year: 2018

Publisher: Springer

City/Town: Guildford, UK

Pages Range: 47-66

Conference Proceedings Title: Information Security - 21th International Conference

Event location: Guildford, UK

ISBN: 978-3-319-99136-8


DOI: 10.1007/978-3-319-99136-8_3


Dynamic analysis of Android malware suffers from techniques that identify the analysis environment and prevent the malicious behavior from being observed. While there are many analysis solutions that can thwart evasive malware on Windows, the application of similar techniques for Android has not been studied in-depth. In this paper, we present Lumus, a novel technique to uncover evasive malware on Android. Lumus compares the execution traces of malware on bare metal and emulated environments. We used Lumus to analyze 1,470 Android malware samples and were able to uncover 192 evasive samples. Comparing our approach with other solutions yields better results in terms of accuracy and false positives. We discuss which information are typically used by evasive malware for detecting emulated environments, and conclude on how analysis sandboxes can be strengthened in the future.

Authors with CRIS profile

How to cite


Afonso, V., Kalysch, A., Müller, T., Oliveira, D., Grégio, A., & De Geus, P.L. (2018). Lumus: Dynamically Uncovering Evasive Android Applications. In Liqun Chen, Mark Manulis, Steve Schneider (Eds.), Information Security - 21th International Conference (pp. 47-66). Guildford, UK: Guildford, UK: Springer.


Afonso, Vitor, et al. "Lumus: Dynamically Uncovering Evasive Android Applications." Proceedings of the ISC 2018, Guildford, UK Ed. Liqun Chen, Mark Manulis, Steve Schneider, Guildford, UK: Springer, 2018. 47-66.

BibTeX: Download