The following figure gives further details of the Espionage Droidy project. The client uses the UI to upload an .apk file, which the web server then processes: fingerprints for the file (SHA-256, SHA-1, MD5) are generated.
The web server then queries the database for existing analyses matching the generated fingerprints; if any are found, they are displayed to the user immediately. If none exists, the web server stores the new file in the database and signals the analysis controller to process it. The analysis controller performs a static analysis of the file and queues it for dynamic analysis. A comprehensive feature set is captured for each .apk file, including continuous features (API calls, system calls, logs, network traffic) and discrete features (memory dump, permissions, memory usage, battery usage and network usage).
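The intake path just described (fingerprint, look up prior analyses, store and dispatch new samples, static pass now and dynamic pass queued) as an added Python example; this is not code from the Espionage Droidy project, and the in-memory SQLite schema, the `IntakeService` class, the minimal `static_analysis` stand-in (it only inspects the ZIP listing of the .apk) and the constructed sample archive are all assumptions made for illustration:

```python
import hashlib
import io
import json
import sqlite3
import zipfile
from collections import deque


def fingerprint(data: bytes) -> dict:
    """The three fingerprints the intake step records for an uploaded .apk."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def static_analysis(apk_bytes: bytes) -> dict:
    """Minimal stand-in for the static pass (assumption, not the project's
    analyser): an APK is a ZIP archive, so inspect the archive listing."""
    stream = io.BytesIO(apk_bytes)
    if not zipfile.is_zipfile(stream):
        return {"valid_apk": False}
    with zipfile.ZipFile(stream) as z:
        names = z.namelist()
    return {
        "valid_apk": True,
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_count": sum(n.endswith(".dex") for n in names),
        "entries": len(names),
    }


class IntakeService:
    """Hypothetical web-server / analysis-controller pair backed by an
    in-memory SQLite database. Lookups key on SHA-256; SHA-1 and MD5 are
    stored only so results can be cross-referenced with feeds that still
    use them (both are collision-prone and unsuitable as the identity key)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE samples (sha256 TEXT PRIMARY KEY, sha1 TEXT, md5 TEXT, apk BLOB)"
        )
        self.db.execute("CREATE TABLE analyses (sha256 TEXT, kind TEXT, result TEXT)")
        self.dynamic_queue = deque()  # samples waiting for a real device

    def submit(self, apk_bytes: bytes) -> dict:
        """Web-server side: fingerprint, return prior analyses if any,
        otherwise store the sample and hand it to the controller."""
        fp = fingerprint(apk_bytes)
        rows = self.db.execute(
            "SELECT kind, result FROM analyses WHERE sha256 = ?", (fp["sha256"],)
        ).fetchall()
        if rows:
            return {"status": "cached", "fingerprints": fp,
                    "analyses": {kind: json.loads(res) for kind, res in rows}}
        self.db.execute(
            "INSERT INTO samples VALUES (?, ?, ?, ?)",
            (fp["sha256"], fp["sha1"], fp["md5"], apk_bytes),
        )
        self._analysis_controller(fp["sha256"], apk_bytes)
        return {"status": "new", "fingerprints": fp, "queued_for_dynamic": True}

    def _analysis_controller(self, sha256: str, apk_bytes: bytes) -> None:
        """Controller side: run the static pass now, queue the dynamic pass."""
        result = static_analysis(apk_bytes)
        self.db.execute(
            "INSERT INTO analyses VALUES (?, ?, ?)",
            (sha256, "static", json.dumps(result)),
        )
        self.dynamic_queue.append(sha256)


def make_sample_apk(manifest: bytes = b"<manifest/>") -> bytes:
    """Constructed stand-in for an uploaded .apk; fixed timestamps keep the
    bytes, and therefore the fingerprints, reproducible between calls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in (("AndroidManifest.xml", manifest),
                              ("classes.dex", b"dex\n035\0" + b"\0" * 16)):
            z.writestr(zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0)), payload)
    return buf.getvalue()


if __name__ == "__main__":
    svc = IntakeService()
    sample = make_sample_apk()
    print(svc.submit(sample)["status"])  # new: stored, static done, dynamic queued
    print(svc.submit(sample)["status"])  # cached: prior analyses returned at once
```

Submitting the same bytes twice shows the deduplication: the second call never reaches the controller and the dynamic queue does not grow, which is what keeps scarce real-device time for samples not yet seen.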
The Espionage Droidy Sandbox is able to activate malware on one of the available real Android mobile devices, using an activation scenario inherited from the sample's category. Real-time updates on analysis status and the information gathered are displayed on the user interface. This method makes it possible to trace any discovered zero-day malware sample back to the dataset.
Our datasets are available at CIC, and you can find more details about them at OUR DATA SETS. We have profiled malware behaviour for use in our malware detection and classification tactics. We propose this system to free users from the risks associated with installing unknown applications.