Detection of emulators in malware analysis on Android
To prevent malware from spreading, applications are examined before they are published in app stores. Dynamic analysis, in which the application is executed, plays an important role here. For practical reasons, Android emulators are often used instead of real devices for this purpose. However, small differences between emulators and real devices potentially allow malicious applications to detect the analysis and thus hide their malicious behaviour throughout the analysis. This report addresses what differences have been found in the literature to distinguish emulators from real devices. Furthermore, an experiment is conducted to see what differences can be found using the programming interface between real devices and the emulator.