Title: Hooking Android apps for just-in-time memory dumping
Other Titles: Computer Science Annual Workshop
Authors: Bellizzi, Jennifer; Vella, Mark Joseph; Colombo, Christian
Keywords: Memory -- Computer simulation; Androids; Malware (Computer software)
Issue Date: 2019
Publisher: University of Malta. Department of Computer Science
Citation: Bellizzi, J., Vella, M., & Colombo, C. (2019). Hooking Android apps for just-in-time memory dumping. Computer Science Annual Workshop (No. CS-2019-03). University of Malta.
Abstract: Memory forensics tools let investigators extract and analyse digital evidence from volatile memory, which has proven a relevant source of data when analysing advanced malware infections. Today's malware is sophisticated enough that secondary storage may never be touched at all. The main advantage of memory forensics is that it targets the one source of evidence malware absolutely cannot avoid: memory. Malware can hide, but it has to execute in order to attain its objectives, and executing in turn requires it to be loaded into the device's volatile memory. Moreover, the brief permanence in memory of the relevant artefacts, which are the indicators of suspicious activity, calls for a just-in-time collection approach. A known enabler technique for this is function hooking, which allows the interception of functions/events to be applied selectively. This, however, brings with it the additional requirement of working with a rooted device, or rather of having root permissions on the device; and rooting a device, by its own merits, makes it more exposed to security risks. In this talk we present two main approaches to function hooking and their optimal combination for Android device takeovers, in light of existing challenges. The motivation for this work arises from the fact that this technique has already been implemented to an extent and proven successful in the scope of memory forensics. Our aim now is to evolve the technique to be robust in the face of obfuscated malware by taking a dynamic binary instrumentation route and making the most strategic use of some of the methods mentioned.
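The hook-then-dump pattern the abstract describes, as an added example that is not the authors' code and does not reproduce either of the two hooking approaches the talk presents. It assumes Frida as the dynamic binary instrumentation framework; the hooked function (libc `open`), the watched path prefixes, the per-range size cap and the message layout are illustrative choices. A call to `open` on a watched path is treated as the "interesting event", and only at that instant are the writable, non-file-backed ranges of the process read and shipped to the host, so short-lived artefacts are captured while they still exist:

```javascript
// Added example (not from the cited talk): just-in-time memory dumping from a
// Frida script. Frida is the assumed DBI framework; the hooked function, the
// path watch list and the range filter are illustrative assumptions.
//
// Instead of dumping the whole process periodically, hook one function whose
// call is the event of interest and dump only the relevant ranges at the
// moment the hook fires.

// Opening a file under one of these prefixes triggers a dump (assumed list).
const WATCHED_PATH_PREFIXES = ['/data/data/', '/data/user/0/'];

// Per-range upper bound so one huge heap region does not swamp the host.
const MAX_RANGE_BYTES = 4 * 1024 * 1024;

// Decide whether an open() call is an event worth dumping for.
function shouldDump(path, prefixes = WATCHED_PATH_PREFIXES) {
  if (typeof path !== 'string') return false;
  return prefixes.some((p) => path.startsWith(p));
}

// Pick the ranges to collect. `ranges` has the shape returned by Frida's
// Process.enumerateRanges(): {base, size, protection, file?}. Keep writable
// ranges with no backing file (heap and anonymous mappings; Frida reports no
// `file` entry for mappings without a path), since file-backed code can be
// recovered from the APK or library itself and is not where transient
// artefacts live.
function selectRanges(ranges, maxBytes = MAX_RANGE_BYTES) {
  return ranges.filter(
    (r) => r.protection.startsWith('rw') && !r.file && r.size <= maxBytes
  );
}

// Everything below only runs inside Frida; in plain Node the helpers above
// can be exercised on their own with constructed range lists.
if (typeof Interceptor !== 'undefined') {
  // Hook libc's open(const char *pathname, int flags, ...).
  const openPtr = Process.getModuleByName('libc.so').getExportByName('open');
  let dumpSeq = 0;

  Interceptor.attach(openPtr, {
    onEnter(args) {
      const path = args[0].readUtf8String();
      if (!shouldDump(path)) return;

      const seq = ++dumpSeq;
      // Enumerate at trigger time, not at script load: mappings change.
      const selected = selectRanges(Process.enumerateRanges('rw-'));
      for (const r of selected) {
        let bytes;
        try {
          bytes = r.base.readByteArray(r.size); // ArrayBuffer copy of the range
        } catch (e) {
          continue; // range was unmapped or is not readable after all
        }
        // Ship the raw bytes plus enough metadata for the host to reassemble a
        // per-trigger dump (one file per range, named by sequence and base).
        send(
          {
            event: 'dump',
            seq,
            trigger: path,
            base: r.base.toString(),
            size: r.size,
            protection: r.protection,
          },
          bytes
        );
      }
    },
  });
}
```

On a rooted device running frida-server this is loaded with, for instance, `frida -U -f com.example.app -l jit_dump.js` (package and file names assumed), with a host-side message handler that writes each binary `data` payload to disk next to its `base`, `size` and `trigger` metadata; the Frida CLI alone displays the message but does not persist the payload. Because frida-server itself needs root, this realisation carries exactly the rooted-device caveat the abstract raises; embedding the Frida gadget into a repackaged APK is the usual non-root alternative, at the cost of modifying the app under analysis.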
URI: https://www.um.edu.mt/library/oar/handle/123456789/91721
Appears in Collections: Scholarly Works - FacICTCS
Files in This Item:

File | Description | Size | Format
---|---|---|---
Hooking_android_apps_for_just_in_time_memory_dumping.pdf | Restricted Access | 152.34 kB | Adobe PDF
Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.