Document Type : Research Article


Faculty of Computer Engineering, University of Isfahan


Dynamic analysis is a prominent approach in analyzing the behavior of Android apps. To perform dynamic analysis, we need an event generator to provide proper environment for executing the app in an emulator. Monkey is the most popular event generator for Android apps in general, and is used in dynamic analysis of Android malware as well. Monkey provides high code coverage and yet high speed in generating events. However, in the case of malware analysis, Monkey suffers from several limitations. It only considers UI events but no system events, and because of random behavior in generating UI events, it may lose dropping the connectivity of the test environment during the analysis process. Moreover, it provides no defense against malware evasion techniques. In this paper, we try to enhance Monkey by reducing its limitations while preserving its advantages. The proposed approach has been implemented as an extended version of Monkey, named Curious-Monkey. Curious-Monkey provides facilities for handling system events, handling evasion techniques, and keeping the test environment's connectivity up during the analysis process. We conducted many experiments to evaluate the effectiveness of the proposed tool regarding two important criteria in dynamic malware analysis: the ability to trigger malicious payloads and the code coverage. In the evaluation process, we used the Evadroid benchmark and the AMD malware dataset. Moreover, we compared Curious-Monkey with Monkey and Ares tools. The results show that the Curious-Monkey provides better results in case of triggering malicious payloads, as well as better code coverage.


[1] Fengguo Wei, Sankardas Roy, and Xinming Ou. Amandroid: A precise and general intercomponent data flow analysis framework for security vetting of android apps. ACM Transactions on Privacy and Security (TOPS), 21(3): 1–32, 2018.
[2] Lingru Cai, Yao Li, and Zhi Xiong. Jowmdroid: Android malware detection based on feature weighting with joint optimization of weightmapping and classifier parameters. Computers & Security, 100:102086, 2021.
[3] Jafar Alqatawna, Al-Zoubi AlaM, Mohammad A Hassonah, Hossam Faris, et al. Android botnet detection using machine learning models based on a comprehensive static analysis approach. Journal of Information Security and Applications, 58:102735, 2021.
[4] Che-Chun Hu, Tzung-Han Jeng, and Yi-Ming Chen. Dynamic android malware analysis with de-identification of personal identifiable information. In 2020 the 3rd International Conference on Computing and Big Data, pages 30–36, 2020.
[5] Andrea De Lorenzo, Fabio Martinelli, Eric Medvet, Francesco Mercaldo, and Antonella Santone. Visualizing the outcome of dynamic analysis of android malware with vizmal. Journal of Information Security and Applications, 50:102423, 2020.
[6] Chani Jindal, Christopher Salls, Hojjat Aghakhani, Keith Long, Christopher Kruegel, and Giovanni Vigna. Neurlux: dynamic malware analysis without feature engineering. In Proceedings of the 35th Annual Computer Security Applications Conference, pages 444–455, 2019.
[7] Latika Singh and Markus Hofmann. Dynamic behavior analysis of android applications for malware detection. In 2017 International Conference on Intelligent Communication and Computational Techniques (ICCT), pages 1–7. IEEE, 2017.
[8] Raden Budiarto Hadiprakoso, Herman Kabetta, and I Komang Setia Buana. Hybrid-based malware analysis for effective and efficiency android malware detection. In 2020 International Conference on Informatics, Multimedia, Cyber and In formation System (ICIMCIS), pages 8–12. IEEE, 2020.
[9] Yung-Ching Shyong, Tzung-Han Jeng, and YiMing Chen. Combining static permissions and dynamic packet analysis to improve android malware detection. In 2020 2nd International Conference on Computer Communication and the Internet (ICCCI), pages 75–81. IEEE, 2020.
[10] H. Lockheimer. Android and Security. [Online; accessed 30-May-2020].
[11] Android Developers. Ui/application exerciser Monkey., 2012. [Online; accessed 10-March-2020].
[12] Sebastian Neuner, Victor Van der Veen, Martina Lindorfer, Markus Huber, Georg Merzdovnik, Martin Mulazzani, and Edgar Weippl. Enter sandbox: Android sandbox comparison. arXiv preprint arXiv:1410.7749, 2014.
[13] Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. Droidbot: a lightweight uiguided test input generator for android. In 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), pages 23–26. IEEE, 2017.
[14] Xiaolei Wang, Yuexiang Yang, and Sencun Zhu. Automated hybrid analysis of android malware through augmenting fuzzing with forced execution. IEEE Transactions on Mobile Computing, 18(12):2768–2782, 2018.
[15] Mohammed K Alzaylaee, Suleiman Y Yerima, and Sakir Sezer. Improving dynamic analysis of android apps using hybrid test input generation. In 2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security), pages 1–8. IEEE, 2017.
[16] Adrien Abraham, Radoniaina Andriatsimandefitra, Adrien Brunelat, J-F Lalande, and V Viet Triem Tong. Grodddroid: a gorilla for triggering malicious behaviors. In 2015 10th international conference on malicious and unwanted software (MALWARE), pages 119–127. IEEE, 2015.
[17] Siegfried Rasthofer, Steven Arzt, Stefan Triller,and Michael Pradel. Making malory behave maliciously: Targeted fuzzing of android execution environments. In 2017 IEEE/ACM 39th International Conference on Software Engineering(ICSE), pages 300–311. IEEE, 2017.
[18] Android Developers. Curious-Monkey., .[Online; accessed 16-March-2021].
[19] Luciano Bello and Marco Pistoia. Ares: triggering payload of evasive android malware. In 2018 IEEE/ACM 5th International Conference on Mobile Software Engineering and Systems(MOBILESoft), pages 2–12. IEEE, 2018.
[20] Fengguo Wei, Yuping Li, Sankardas Roy, Xinming Ou, and Wu Zhou. Deep ground truth analysis of current android malware. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages
252–276. Springer, 2017.
[21] Yuping Li, Jiyong Jang, Xin Hu, and Xinming Ou. Android malware clustering through malicious payload mining. In International symposium on research in attacks, intrusions, and defenses, pages 192–214. Springer, 2017.
[22] Android Developers. Droidmon., . [Online;
accessed 30-May-2020].
[23] Aleksandr Pilgun, Olga Gadyatskaya, Stanislav Dashevskyi, Yury Zhauniarovich, and Artsiom Kushniarou. An effective android code coverage tool. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications
Security, pages 2189–2191, 2018.
[24] Android Developers. Contagio Mobile Malware. http://contagiomobile.deependresearch.
org/index.html/, . [Online; accessed 5-March2020].
[25] Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, and Engin Kirda. Curiousdroid: automated user interface interaction for android application analysis sandboxes. In International Conference on Financial Cryptography and Data Security, pages 231–249. Springer,2016.
[26] Hayyan Hasan, Behrouz Tork Ladani, and Bahman Zamani. Megdroid: A model-driven event generation framework for dynamic android malware analysis. Information and Software Technology, page 106569, 2021.
[27] Michelle Y Wong and David Lie. Intellidroid: A targeted input generator for the dynamic analysis of android malware. In NDSS, volume 16,pages 21–24, 2016.
[28] Hayyan Hasan, Behrouz Tork Ladani, and Bahman Zamani. Enhancing monkey to trigger malicious payloads in android malware. In 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC), pages 65–72. IEEE, 2020.
[29] Guozhu Meng. A semantic-based analysis of android malware for detection, generation, and trend analysis. Ph. D. dissertation, 2017.
[30] Android Developers. Xposed Framwork., . [Online; accessed 30-
[31] Android Developers. Logcat commandline tool., . [Online; accessed 30-May-2020].