<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>OAR@UM Collection:</title>
    <link>https://www.um.edu.mt/library/oar/handle/123456789/112828</link>
    <description />
    <pubDate>Mon, 13 Apr 2026 00:39:27 GMT</pubDate>
    <dc:date>2026-04-13T00:39:27Z</dc:date>
    <item>
      <title>Responding to stealthy attacks on android using timely-captured memory dumps</title>
      <link>https://www.um.edu.mt/library/oar/handle/123456789/119420</link>
      <description>Title: Responding to stealthy attacks on android using timely-captured memory dumps
Abstract: In recent years, several attack vectors have emerged which enable malware to hijack the functionality of targeted, benign apps. Some of these attack vectors have nearly been fully realised and give rise to a threat model where malware offloads key attack steps to the hijacked benign app functionality. In the process, attacks following this threat model evade malware detection that assumes malware to be self-contained. Moreover, through the same hijacked functionality, any attack traces can also be erased, rendering log-based attack investigation tools ineffective. This app hijack threat model needs anticipating through defensive measures before it manifests into an unmitigated threat. Regardless of the stealthiness of an attack, any evidence must reside in volatile memory during its execution. However, collecting in-memory evidence associated with the app-specific hijacked functionality on Android devices is challenging. Current Android memory forensics methods for app analysis involve using devices which are custom or whose default security has been compromised. Moreover, randomly obtained memory dumps overlook the ephemeral nature of memory, which requires timely collection. Additionally, for the app hijack threat model, identifying app-specific artefacts in memory linked to hijacked functionality and extracting meaningful information from them necessitates an app-centric approach. This in-depth analysis of individual apps is infeasible and may require sacrificing default app protections. This thesis aims to determine how attack steps offloaded to benign apps can be recovered from volatile memory in a timely and minimally invasive manner with respect to devices and apps. The proposed approach uses process memory introspection to collect real-time evidence from app memory, reducing reliance on app-specific logic. 
The study introduces Just-in-Time Memory Forensics (JIT-MF), a framework designed to explore this proposed approach within the constraints of stock Android devices and apps. JIT-MF consists of drivers that timely capture app specific artefacts from memory through trigger points, a driver runtime supporting driver functionality, and produces JIT-MF logs containing app-specific evidence from memory. The experiments conducted and described in this thesis demonstrate the feasibility of real-time app-specific evidence collection from the memory of Android stock devices using the JIT-MF framework. Results reveal that leveraging widely-used codebases for trigger point selection and app-specific artefact dumping avoids app and device-invasive methods while maintaining accuracy. JIT-MF trigger-based memory dumping improves state-of-the-practice by producing forensic timeline sequences that accurately reconstruct app-specific attack steps for this threat model.
Description: Ph.D.(Melit.)</description>
      <pubDate>Sun, 01 Jan 2023 00:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://www.um.edu.mt/library/oar/handle/123456789/119420</guid>
      <dc:date>2023-01-01T00:00:00Z</dc:date>
    </item>
    <item>
      <title>A framework for the automated distribution and execution of tests on mobile devices</title>
      <link>https://www.um.edu.mt/library/oar/handle/123456789/119039</link>
      <description>Title: A framework for the automated distribution and execution of tests on mobile devices
Abstract: Software testing of mobile applications is challenging due to the inherent peculiarities of mobile devices and their adaptability to diverse context execution environments. Factors such as variations in operating systems, hardware specifications, connectivity options, user interfaces, and context‐sensitive capabilities can potentially lead to deviations from the expected behaviour of an application. The different permutations of these factors give rise to what is referred to as the Test Scenario Explosion Problem, making it unfeasible and cost‐prohibitive for mobile testing teams to test every possible scenario to which a mobile app may be subjected. Furthermore, current mobile testing approaches, including the uses of emulators, on‐premise device labs, beta testing methodologies, and cloud device farms, exhibit limitations in terms of diversity, replication of context‐sensitive scenarios, cost‐effectiveness, and representation of realistic deployment environments. In response to these challenges, our study introduces TestMate, an Android mobile testing framework designed to investigate how the Test Scenario Explosion Problem can be mitigated through the distribution and execution of automated tests on remotely connected devices. Our approach capitalises on in‐the‐field testing, leveraging the community as a large‐scale, diverse, and authentic testing environment. Our evaluation affirms that the developed domain‐specific language, providing the ability to define the complex configuration space, and its seamless integration with the TestMate framework fulfils most of the functional requirements crucial for an effective mobile test distribution and execution framework. The system’s usability assessment yielded an above‐average SUS score of 81.88, underscoring the implementation of a streamlined approach and well‐integrated solution.
However, experimental results reveal challenges in efficiently managing an increasing number of parallel test executions, while user study participants emphasised the risks associated with security and data privacy aspects. Overall, our study presents a promising stride toward in‐vivo testing of mobile applications. While we acknowledge the limitations of our work, addressing these constraints could contribute to the release of higher quality mobile apps.
Description: M.Sc.(Melit.)</description>
      <pubDate>Sun, 01 Jan 2023 00:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://www.um.edu.mt/library/oar/handle/123456789/119039</guid>
      <dc:date>2023-01-01T00:00:00Z</dc:date>
    </item>
    <item>
      <title>The impact of Android UI attacks on malware forensic footprints</title>
      <link>https://www.um.edu.mt/library/oar/handle/123456789/119035</link>
      <description>Title: The impact of Android UI attacks on malware forensic footprints
Abstract: Detection evasion techniques aim to increase stealth to evade malware detection mechanisms. This dissertation explores how cross-app WebView navigation can be a viable attack surface to obscure application communication mechanisms to increase the stealth of Android RATs containing backdoors. This work also proposes a new detection technique that leverages volatile memory to expose the post-exploit attack steps, thus making the stealth technique less effective. Experiments have shown that the new attacks successfully increase the stealth of the backdoor, bypassing several current detectors. In addition, the newly proposed technique successfully repealed stealth efforts, uncovering previously hidden traces of malicious activity.
Description: M.Sc.(Melit.)</description>
      <pubDate>Sun, 01 Jan 2023 00:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://www.um.edu.mt/library/oar/handle/123456789/119035</guid>
      <dc:date>2023-01-01T00:00:00Z</dc:date>
    </item>
    <item>
      <title>Runtime monitoring for asynchronous reactive components</title>
      <link>https://www.um.edu.mt/library/oar/handle/123456789/117964</link>
      <description>Title: Runtime monitoring for asynchronous reactive components
Abstract: Modern software is built on reactive principles, where systems are responsive, resilient, elastic, and
message-driven. Despite the benefits they beget, these aspects make the correctness of reactive systems
in terms of their expected behaviour hard to ascertain. This thesis investigates how the correctness of
reactive systems can be ascertained at runtime. It considers a lightweight monitoring technique, called
runtime verification, that circumvents the issues associated with traditional pre-deployment techniques.
One major challenge of runtime verification lies in choosing a monitoring approach that does not
impinge on the reactive aspects of the system under scrutiny. Such a goal is met only if the monitoring
system is itself reactive. We propose a novel monitoring approach grounded on this precept. It treats
the system as a black box, instrumenting monitors dynamically and in asynchronous fashion, which
is in tune with the requirements of reactive architectures. Our development approach is systematic,
permitting us to directly map the constituent parts of our formal model to implementable modules. This
gives assurances that the results obtained in the theory are preserved in the implementation.
The first part of the thesis builds on established theoretical results. It lifts these results to a first-order setting to accommodate scenarios where systems manipulate data. We define an asynchronous
instrumentation relation that decouples the operation of the system from that of its monitors. This definition
forms the basis of our decentralised outline monitoring algorithm presented in the second part of the
thesis. Our algorithm employs a tracing infrastructure to collect trace events as the system executes, and
uses key events as cues to instrument new monitors or terminate redundant ones dynamically. It also
accounts for the interleaving of events that arises from the asynchronous execution of the system and
monitors, guaranteeing that events are analysed by monitors in the correct sequence and without gaps.
Part three develops a runtime verification benchmarking framework that is tailored for reactive systems.
The framework can generate models that faithfully capture the realistic behaviour of master-worker
systems under typical load characteristics. Our tool collects different performance metrics suited to
reactive applications, to give a multi-faceted depiction of the overhead induced by runtime monitoring
tools. Part four of this thesis embarks on an extensive evaluation of our decentralised outline monitoring
algorithm using the benchmarking tool developed in part three. The algorithm is compared against our
implementation of inline and centralised monitoring—two prevalent methods used in state-of-the-art
runtime verification tools. Apart from demonstrating that our monitoring algorithm is reactive, the
experiments we conduct testify that it induces acceptable overhead that, in typical cases, is comparable to
that of inlining. These results also confirm that centralised monitoring is prone to scalability issues, poor
performance, and failure, making it generally inapplicable to reactive system settings. We are unaware
of other comprehensive empirical runtime verification studies such as ours that compare decentralised,
centralised, and inline monitoring.
Description: Ph.D.(Melit.)</description>
      <pubDate>Sun, 01 Jan 2023 00:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://www.um.edu.mt/library/oar/handle/123456789/117964</guid>
      <dc:date>2023-01-01T00:00:00Z</dc:date>
    </item>
  </channel>
</rss>

