CopperDroid: Automatic Reconstruction of Android Malware Behaviors

Kimberly Tam, Salahuddin Khan, Aristide Fattori, Lorenzo Cavallaro

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution



Mobile devices and their application marketplaces drive the entire economy of today’s mobile landscape. Android platforms alone have produced staggering revenues, exceeding five billion USD, which has attracted cybercriminals and increased malware in Android markets at an alarming rate. To better understand this slew of threats, we present CopperDroid, an automatic VMI-based dynamic analysis system to reconstruct the behaviors of Android malware. The novelty of CopperDroid lies in its agnostic approach to identify interesting OS- and high-level Android-specific behaviors. It reconstructs these behaviors by observing and dissecting system calls and, therefore, is resistant to the multitude of alterations the Android runtime is subjected to over its life-cycle. CopperDroid automatically and accurately reconstructs events of interest that describe not only well-known process-OS interactions (e.g., file and process creation), but also complex intra- and inter-process communications (e.g., SMS reception), whose semantics are typically contextualized through complex Android objects. Because CopperDroid’s reconstruction mechanisms are agnostic to the underlying action invocation methods, it is able to capture actions initiated both from Java and native code execution. CopperDroid’s analysis generates detailed behavioral profiles that abstract a large stream of low-level—often uninteresting—events into concise, high-level semantics, which are well-suited to provide insightful behavioral traits and open the possibility to further research directions. We carried out an extensive evaluation to assess the capabilities and performance of CopperDroid on more than 2,900 Android malware samples. Our experiments show that CopperDroid faithfully reconstructs OS- and Android-specific behaviors. Additionally, we demonstrate how CopperDroid can be leveraged to disclose additional behaviors through the use of a simple, yet effective, app stimulation technique. Using this technique, we successfully triggered and disclosed additional behaviors on more than 60% of the analyzed malware samples. This qualitatively demonstrates the versatility of CopperDroid’s ability to improve dynamic-based code coverage.
Original language: English
Title of host publication: NDSS Symposium 2015
Number of pages: 15
Publication status: Published - 7 Feb 2015
Event: Annual Network and Distributed System Security Symposium (NDSS) - San Diego, United States
Duration: 8 Feb 2015 → 11 Feb 2015


Conference: Annual Network and Distributed System Security Symposium (NDSS)
Country/Territory: United States
City: San Diego


  • Android malware
  • Behavior reconstruction
  • Dynamic analysis
