Nowadays smartphones become an indispensable tool in many people's everyday life that makes themselves attractive targets for attackers. Among various malware targeting at smartphones, SMS-based malware is one of the most notorious ones. Though a number of Android dynamic analysis frameworks have been proposed to analyze SMS-based malware, most of these frameworks or some Android tools, such as Google Android Emulator, do not support an app or malware to send SMS messages to a real smartphone; hence, security researchers cannot use them directly to analyze the behavior of SMS-based malware. In our previous work, SMS Helper, we designed an application layer tool to allow an app or malware in an Android emulator to send and receive SMS messages to or from a real smartphone. Based on SMS Helper, this paper proposes an Android dynamic analysis framework, called SMS Observer, to assist security researchers to analyze SMS-based malware. SMS Observer integrates SMS Helper into it as a client agent, meanwhile, and it maintains the integrity of system logs. This paper also figures out a way to detect whether an app is executed in an emulator and describes how to use SMS Observer to prevent such evasion. Experimental results using real-world malware samples show SMS Observer is much more effective in detecting SMS-related behavior of SMS-based malware than existing frameworks, such as Google Android Emulator, Andrubis, CopperDroid, and DroidBox. SMS Observer can analyze sophisticated SMS-based malware samples and provide a comprehensive view of malicious behavior.

如今，智能手机已成为许多人日常生活中不可或缺的工具，使其成为攻击者的诱人目标。在针对智能手机的各种恶意软件中，基于短信的恶意软件是最臭名昭著的恶意软件之一。尽管已经提出了许多Android动态分析框架来分析基于短信的恶意软件，但这些框架中的大多数或一些Android工具，如谷歌Android模拟器，不支持应用程序或恶意软件向真正的智能手机发送短信；因此，安全研究人员不能直接使用它们来分析基于 SMS 的恶意软件的行为。在我们之前的工作中，SMS Helper，我们设计了一个应用程序层工具，以允许 Android 模拟器中的应用程序或恶意软件向真实智能手机发送或从真实智能手机接收 SMS 消息。本文基于SMS Helper，提出了一种Android动态分析框架，称为SMS Observer，协助安全研究人员分析基于 SMS 的恶意软件。SMS Observer 将 SMS Helper 集成到其中作为客户端代理，同时维护系统日志的完整性。本文还提出了一种检测应用程序是否在模拟器中执行的方法，并描述了如何使用 SMS Observer 来防止此类逃避。使用真实恶意软件样本的实验结果表明，SMS Observer 在检测基于 SMS 的恶意软件的 SMS 相关行为方面比现有框架（如 Google Android Emulator、Andrubis、CopperDroid 和 DroidBox）更有效。SMS Observer 可以分析复杂的基于 SMS 的恶意软件样本，并提供恶意行为的综合视图。