Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/113326
Title: Memory forensics of android backdooring based on App virtualization
Authors: Galea, Enrique Anthony (2023)
Keywords: Mobile apps; Data protection; Plug-ins (Computer programs); Android (Electronic resource)
Issue Date: 2023
Citation: Galea, E. A. (2023). Memory forensics of android backdooring based on App virtualization (Bachelor’s dissertation).
Abstract: Smartphones have become ubiquitous in our daily lives, offering convenient access to our data, and making them an attractive target for cybercriminals. In fact, many different versions of Android backdoors have been developed and used to gain unauthorized access to users’ smartphones and their data. Although capable of detecting and defending against malware, mobile devices are limited in performing more advanced detection techniques due to their power constraints. As malware authors continue to use advanced evasion techniques, mobile devices have become increasingly vulnerable to sophisticated attacks. App virtualization is a technique that allows applications to run inside virtual environments created by other applications. In doing so, their visibility is hidden from other applications installed on the device. Such a technique can be potentially used by backdoors to evade detection and further enhance their stealth capabilities. By evading initial detection mechanisms, backdoors can more easily achieve objectives such as data exfiltration. In this paper, we propose VirtuSleuth, a tool in the form of an Android application that can detect virtualized applications and recover their code for analysis. Our tool analyses the running processes on the device, identifies those belonging to virtualized applications, and extracts their code from volatile memory. The proposed solution offers an effective approach for analysing virtualized applications as it targets the live memory where the virtualized application’s code must be loaded before it is executed. In doing so, we overcome app virtualization stealth and improve upon existing anti-malware solutions. We conduct experiments to compare the stealth level of Android backdoors when they are not virtualized versus when they are virtualized, using indicators of compromise as the measure. We also evaluate our tool to determine its level of accuracy in detecting virtualized applications and practicality in the time taken to detect virtualized applications and extract their code. Finally, we discuss the limitations of the tool and future work.
Description: B.Sc. (Hons)(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/113326
Appears in Collections: Dissertations - FacICT - 2023; Dissertations - FacICTCS - 2023

Files in This Item: 2308ICTICT390700015081_1.PDF (1.38 MB, Adobe PDF; restricted access)

