Review of Wong and Lie, IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

Topic: Security

In this paper, the authors draw attention to the drawbacks of dynamic malware analysis which can only detect malicious behavior if it is executed during analysis. Though all current methods, such as hard-coded tests, random fuzzing, and concolic testing, can provide good coverage but are inefficient because they are unaware of the specific capabilities of the dynamic analysis tool. Therefore they introduce IntelliDroid.



IntelliDroid is a generic Android input generator that can be configured to produce inputs specific to a dynamic analysis tool, for the analysis of any Android application. IntelliDroid is a tool aimed to extract call paths leading to a specific behavior in an Android application and to execute these paths precisely during run time. When given a set of targeted behaviors, the static analysis traverses the application’s call graph to find paths to these behaviors. It then extracts path constraints, which are used to determine the input values that trigger these paths. The dynamic client takes the extracted paths and path constraints and injects inputs into the Android device that will trigger the targeted behaviors.




IntelliDroid is capable of determining the precise order that the inputs that must be injected, and injects them at what we call the device framework to interface such that system fidelity is preserved. This enables it to be paired with full-system dynamic analysis tools such as TaintDroid. IntelliDroid using TaintDroid can trigger and detect all privacy leaks when run on a corpus of malware. IntelliDroid is cheap and fast, requiring only 138.4 seconds of analysis time on average to successfully generate inputs to trigger targeted APIs on a corpus of malicious and benign applications during dynamic analysis. Intellidroid has good usability.




IntelliDroid is not resilient to code obfuscation. It might not process complex inputs like encryption or hashing also in addition to that graphs are really difficult to extract. It might prevent the solving of path constraints. Dealing with Android malware requires IntelliDroid to handle a broad range of behavior such as interevent handler execution flow, inter-procedural communication, multiple interactions with the Android OS, and dependencies on external network components. IntelliDroid coupling with TaintDroid may inherit the limitation of Taintdroid. It traces the dependency of one event on the other event and not multiple events.


Future Work


Intellidroid uses concolic execution for dynamic analysis of apps. They should consider using capability analysis in future work.