Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/99419
Title: Volatile memory-centric investigation of SMS-hijacked phones : a Pushbullet case study
Authors: Vella, Mark Joseph
Rudramurthy, Vishwas
Keywords: Operating systems (Computers)
Android (Electronic resource)
Computer crimes
Component software
Software engineering
Mobile computing
Smartphones
Issue Date: 2018
Publisher: IEEE
Citation: Vella, M., & Rudramurthy, V. (2018, September). Volatile memory-centric investigation of SMS-hijacked phones: a Pushbullet case study. In 2018 Federated Conference on Computer Science and Information Systems (FedCSIS) (pp. 607-616). IEEE.
Abstract: Cloak-and-Dagger attacks targeting Android devices can completely hijack the UI feedback loop, with one possible consequence being that of hijacking SMS functionality for cybercrime purposes. What is of particular concern is that attackers can decouple stealth activities from SMS hijacking. Consequently the latter could be pulled off using completely legitimate apps that normally would allow users to manage text messages from their personal computers (SMSonPC), but this time all hidden away under attacker control. This work proposes a digital investigation process aiming to uncover SMS-hijacked devices. It uses bytecode instrumentation in order to force the dumping of volatile memory areas where evidence for the hijack can be located. Eventually both the malware that conceals the SMS-hijacking and the compromised or smuggled SMSonPC app can be identified. Preliminary results are presented using a case study based on the popular SMSonPC app: Pushbullet.
URI: https://www.um.edu.mt/library/oar/handle/123456789/99419
Appears in Collections: Scholarly Works - FacICTCS

Files in This Item:
File: Volatile_memory-centric_investigation_ofSMS-hijacked_phones_a_Pushbullet_case_study(2018).pdf (Restricted Access)
Size: 570.25 kB
Format: Adobe PDF

