64 COMPUTER WWW.COMPUTER.ORG/COMPUTER
RESEARCH FEATURE
the other implemented functions were unstable and slow.
Because of these shortcomings, we decided to build and implement our own test automation library. AndroPilot is the first Android AV-application-automation library written solely in Python that supports all the functionalities needed to conduct AV application tests.
To build AndroPilot, which became the foundation of AndroTotal’s scalable architecture, we extended Apkview-tracer by reimplementing part of the existing code to improve stability, fixing several bugs, and correcting suboptimal design choices. We also enhanced the library’s speed.
To correct the design choices, we leveraged Android’s ViewServer component and introduced new procedures to properly manage application synchronization during testing stages, including functions that wait for an arbitrary view, text, or notification to appear on the screen. We also improved view management to correctly report when a view is shown on the running Android instance and implemented a new function to retrieve the screenshot from an attached device or emulator.
Creating an AndroPilot adapter module for an AV application was straightforward and took little coding effort. For the 10 adapters currently implemented, our libraries enabled adapter implementation with an average of 36 lines of Python code per adapter (as measured with cloc, Count Lines of Code; http://cloc.sourceforge.net). Figure 2 shows the code for two of these adapter implementations.
Architecture
AndroTotal’s workflow begins when a user submits an Android application (APK package) to AndroTotal’s Web interface. If AndroTotal has not yet analyzed the application, it pushes the application to the analysis queue as a series of tasks (one for each AV application and submitted application pair). Worker servers execute the tasks, each of which is treated as an execution unit, using concurrent multiprocessing. When a worker server receives a task, it starts an emulator with a clean image, installs the application sample, performs the required tests, and stores the results in a database.
A test is essentially a Python script written on top of AndroPilot that runs a given AV application in either on-demand or on-install mode and retrieves the results through GUI scraping. AndroTotal then stores the results in its database and returns them to the user. It also exposes a Representational State Transfer (REST) API, which ensures interoperability with external services.
Ensuring scalability. We ensure AndroTotal’s scalability by making each testing procedure self-contained so that a single worker server can perform each test job (task) independently. By leveraging the Android emulator’s snapshot function, AndroTotal can run a test in an average of 1 to 3 minutes. To store the Android image and run the emulator, each test requires 50 to 250 Mbytes of temporary disk space and 1 to 2 Gbytes of RAM. Once the test terminates, the worker server clears the temporary files and ensures that the emulator has correctly terminated and freed the resources it used. The time to scan an application or malware sample against a set of AV applications grows linearly with the number of AV applications, ensuring that parallelization can provide scalability.
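As an added illustration of the task model described above (written for this page, not AndroTotal’s own code): a submitted sample fans out into one task per AV application version, and a worker runs each task by restoring a clean emulator snapshot, installing the sample, invoking the adapter, and releasing the emulator’s resources whether or not the scan succeeds. All class and function names, the fake emulator, and the use of SHA-256 as the deduplication key are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AVApp:
    """One AV application release; AndroTotal keeps several per product."""
    name: str
    version: str


@dataclass(frozen=True)
class Task:
    """One execution unit: a single AV version scanning a single sample."""
    sample_sha256: str
    sample: bytes
    av: AVApp
    mode: str  # "on-demand" or "on-install"


class FakeEmulator:
    """Hypothetical emulator handle that only records its lifecycle (constructed stand-in)."""
    def __init__(self):
        self.clean = False
        self.installed = None
        self.released = False

    def restore_clean_snapshot(self):  # snapshot restore is what keeps a test at 1-3 minutes
        self.clean = True

    def install(self, sample):
        self.installed = sample

    def release(self):  # drop the temporary image and free the emulator's RAM
        self.released = True


def make_tasks(sample, av_apps, mode, already_analyzed):
    """Create one task per AV version for a sample not analyzed before.
    Keying the cache on SHA-256 is an assumption, not stated on the page."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in already_analyzed:
        return []  # stored results are served to the user instead
    return [Task(digest, sample, av, mode) for av in av_apps]


def run_task(task, emulator, adapter):
    """Worker step: clean image -> install sample -> adapter scan -> result row.
    `adapter` stands in for an AndroPilot-based adapter returning a verdict string."""
    try:
        emulator.restore_clean_snapshot()
        emulator.install(task.sample)
        verdict = adapter(task)
        return {"sample": task.sample_sha256, "av": task.av, "verdict": verdict}
    finally:
        emulator.release()  # must run even when GUI scraping raises
```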
Supporting multiple application versions. Unlike similar services such as VirusTotal, AndroTotal maintains multiple versions of the same AV application over time. In this way, it allows new samples to be tested against older versions and evolution statistics to be computed. By accessing scan results such as logcat output, network dumps, and screenshots, users can visualize and download the data associated with each AV application test. By aggregating data from various reports, AndroTotal also provides insight into why a sample might be malicious.
AndroTotal adapters contain an automated function that checks for AV signature updates and automatically performs them, modifying the image as needed. These tasks are asynchronous and do not affect AndroTotal’s throughput.
New application versions are handled through a semiautomated procedure. AndroTotal monitors the Google Play Store each day for new AV application releases and notifies the AndroTotal maintainers when one is found. The maintainers use an automated script to initialize a clean image of the new AV release, manually test the current AV adapter and adjust it to deal with any changes in the application’s user interface, and plug the new image and adapter into the AndroTotal system.
EVALUATION
As of early October 2015, 2,491 users have requested access to and are actively using AndroTotal. This has enabled us to collect 85,677 distinct samples of malicious and benign