Title: Hooking Android apps for just-in-time memory dumping
Other Titles: Computer science annual workshop
Authors: Bellizzi, Jennifer
Vella, Mark Joseph
Colombo, Christian
Keywords: Memory -- Computer simulation
Malware (Computer software)
Issue Date: 2019
Publisher: University of Malta. Department of Computer Science
Citation: Bellizzi, J., Vella, M., & Colombo, C. (2019). Hooking Android apps for just-in-time memory dumping. Computer Science Annual Workshop (No. CS-2019-03). University of Malta
Abstract: Memory forensics tools allow investigators to extract and analyse digital evidence from volatile memory, which has proven to be a relevant source of data when analysing advanced malware infections. The sophistication of today's malware has increased to a level where secondary storage is possibly never even touched. The main advantage of memory forensics rests with the fact that it targets the one source of evidence that malware absolutely cannot avoid: memory. Malware can hide, but it has to execute in order to attain its objectives, which in turn requires it to load into the device's volatile memory. Moreover, the brief permanence in memory of relevant artefacts, which are indicators of suspicious activity, calls for a just-in-time collection approach. A known enabler technique for achieving this is function hooking, which allows interception of functions/events to be applied selectively. This, however, brings with it the additional requirement of working with a rooted device, or rather of having root permissions on the device. By its own merits, rooting a device makes it more vulnerable to security risks. In this talk we present two main approaches to function hooking and their optimal combination for Android device takeovers, in light of existing challenges. The motivation for this work arises from the fact that this technique has already been implemented to an extent and proven successful in the scope of memory forensics. Our aim now is to evolve this technique to be robust in the face of obfuscated malware by taking a dynamic binary instrumentation route and making the most strategic use of some of the methods mentioned.
Appears in Collections: Scholarly Works - FacICTCS

Files in This Item: Restricted Access (Adobe PDF, 152.34 kB)
