ATT&CK - Evade Analysis Environment

admin · 2024-04-15 02:23:31

Evade Analysis Environment

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks, such as physical sensors, location, and system properties, to fingerprint emulators and sandbox environments. Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information. Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.

Tags

ID: T1523

Tactic Type: Post-Adversary Device Access

Tactics: Defense Evasion, Discovery

Platforms: Android, iOS

Procedure Examples

Name            Description
Rotexy (S0411)  Rotexy checks if it is running in an analysis environment.

Mitigations

Mitigation                   Description
Application Vetting (M1005)  Applications attempting to get android.os.SystemProperties, or to run getprop through the runtime exec() commands, should be closely scrutinized. Google does not recommend the use of system properties within applications.
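
The following is an added example, not code from the ATT&CK page or the cn-sec translation, of how an app-vetting pipeline might implement the M1005 guidance above as a static heuristic. It scans decompiled Java or smali text for the indicators the page names: a direct or reflective reference to android.os.SystemProperties, a "getprop" string near a Runtime.exec()/ProcessBuilder call, and reads of the phone number, IMEI and IMSI that the technique compares against sandbox defaults. The rule names, the line window, the verdict levels and the decompiled snippet are all constructed for the demo; only the indicators themselves come from the page.

```python
"""Static vetting heuristic for the T1523 / M1005 indicators (added example).

Scans decompiled Java or smali text and reports the indicators MITRE lists:
android.os.SystemProperties access (direct or via reflection), getprop run
through Runtime.exec()/ProcessBuilder, and device-identity reads. Rule names,
the correlation window and the verdict levels are assumptions made here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which indicator matched
    line_no: int   # 1-based line in the scanned text
    text: str      # the offending line, whitespace-stripped


# Indicator patterns; each covers the Java-source spelling and the smali spelling.
RULES = {
    # Any reference to the hidden android.os.SystemProperties class.
    "systemproperties_direct": re.compile(
        r"android\.os\.SystemProperties|Landroid/os/SystemProperties;"),
    # Reflective access: Class.forName("android.os.SystemProperties").
    "systemproperties_reflection": re.compile(
        r'forName\(\s*"android\.os\.SystemProperties"'),
    # A "getprop" literal (Java string or smali const-string operand).
    "getprop_string": re.compile(r'"getprop[^"]*"'),
    # Spawning a child process.
    "process_exec": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\(|ProcessBuilder|Ljava/lang/Runtime;->exec\("),
    # TelephonyManager reads of IMEI / IMSI / phone number (fingerprint-capable).
    "device_identity_read": re.compile(
        r"\b(getDeviceId|getImei|getSubscriberId|getLine1Number)\s*\("),
}

GETPROP_WINDOW = 6  # max line distance between the "getprop" literal and the exec call (assumed)
HIGH = {"systemproperties_direct", "systemproperties_reflection", "getprop_exec"}


def correlate_getprop(findings: list[Finding]) -> list[Finding]:
    """Promote a "getprop" literal that sits within GETPROP_WINDOW lines of a
    process-spawn call to the single high-confidence indicator getprop_exec.
    A bare "getprop" string or a bare exec() alone is not enough."""
    execs = [f for f in findings if f.rule == "process_exec"]
    promoted = []
    for lit in (f for f in findings if f.rule == "getprop_string"):
        for ex in execs:
            if abs(ex.line_no - lit.line_no) <= GETPROP_WINDOW:
                promoted.append(Finding("getprop_exec", ex.line_no, ex.text))
                break
    return promoted


def scan(source: str) -> list[Finding]:
    """Return every indicator hit in the decompiled text, in line order,
    followed by any correlated getprop_exec findings."""
    findings: list[Finding] = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        hits = [name for name, rx in RULES.items() if rx.search(line)]
        # A reflective access also contains the class name; report it once, as reflection.
        if "systemproperties_reflection" in hits:
            hits = [h for h in hits if h != "systemproperties_direct"]
        findings.extend(Finding(h, no, line) for h in hits)
    return findings + correlate_getprop(findings)


def verdict(findings: list[Finding]) -> str:
    """Triage level for a reviewer: system-property access is the M1005 behaviour
    and warrants close scrutiny; identity reads alone are common in benign apps."""
    rules = {f.rule for f in findings}
    if rules & HIGH:
        return "scrutinize"
    if "device_identity_read" in rules:
        return "review"
    return "clear"


# Constructed decompiled-Java fixture for the demo; not taken from any real sample.
SAMPLE_JAVA = """package com.example.demo;
import android.telephony.TelephonyManager;
public class EnvCheck {
    static String prop(String key) throws Exception {
        Class<?> sp = Class.forName("android.os.SystemProperties");
        return (String) sp.getMethod("get", String.class).invoke(null, key);
    }
    static String shellProp(String key) throws Exception {
        String[] cmd = {"getprop", key};
        Process p = Runtime.getRuntime().exec(cmd);
        return new java.util.Scanner(p.getInputStream()).nextLine();
    }
    static String identity(TelephonyManager tm) {
        return tm.getDeviceId() + "/" + tm.getSubscriberId();
    }
}"""

if __name__ == "__main__":
    hits = scan(SAMPLE_JAVA)
    for f in hits:
        print(f"L{f.line_no:<3} {f.rule:<28} {f.text}")
    print("verdict:", verdict(hits))
```

Run against the fixture, the scanner reports the reflection on line 5, the "getprop" literal and the exec() call on lines 9-10 (promoted to getprop_exec), and the identity reads on line 14, and returns the verdict "scrutinize". The correlation step exists because a "getprop" string or an exec() call on its own is weak evidence; only the two together match the behaviour the mitigation describes.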

Detection

Analysis environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

- Translators: 林妙倩, 戴亦仑. Source: cve.scap.org.cn

Please retain the link to this article when reposting (CN-SEC中文网): http://cn-sec.com/archives/2657877.html
