Abstract
Sophisticated memory-resident malware that targets mobile phone platforms can be extremely difficult to detect and capture. However, triggering volatile memory captures based on the observable system side-effects exhibited by malware can harvest live memory that contains the memory-resident malware. This chapter describes a novel approach for capturing memory-resident malware on an Android device for later analysis. The approach is demonstrated by modifying the Android debuggerd daemon to capture memory while a vulnerable process is being exploited on a Google Nexus 5 phone. The implementation employs an external hardware device to store the memory capture after it has been exfiltrated from the compromised mobile device.
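The abstract describes the core mechanism only in outline: a crash in a targeted process (a side-effect of exploitation) triggers a capture of that process's volatile memory for later analysis. The following C program is an added example, not code from the chapter or from Android's debuggerd. It installs a crash hook that walks /proc/self/maps, selects the readable regions, and writes each region with a short header to a capture file. Android's debuggerd performs this role out-of-process by attaching to the crashing process, whereas this example keeps everything in-process for brevity; the capture file path, the header record layout and the 64 MiB per-region cap are assumptions of this example.

```c
/* Added example (not the chapter's or debuggerd's code): crash-triggered
 * capture of a process's readable memory for later forensic analysis.
 * Assumed: output path, header layout and per-region size cap. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef struct {
    uintptr_t start, end;   /* [start, end) virtual address range */
    char perms[5];          /* e.g. "rw-p" */
    char path[256];         /* backing file, "[heap]", "[stack]" or "" */
} map_region;

/* Parse one /proc/<pid>/maps line such as
 * "5598a4a00000-5598a4a21000 rw-p 00000000 00:00 0    [heap]".
 * Returns 1 on success, 0 if the line is not a maps entry. */
int parse_maps_line(const char *line, map_region *r) {
    unsigned long start, end, offset, inode;
    char perms[5], dev[16], path[256] = "";
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6 || end <= start) return 0;
    r->start = start;
    r->end = end;
    snprintf(r->perms, sizeof r->perms, "%s", perms);
    snprintf(r->path, sizeof r->path, "%s", path);
    return 1;
}

/* Capture readable regions only; skip device mappings and the kernel's
 * special pages, which cannot be read as ordinary process memory. */
int should_capture(const map_region *r) {
    if (r->perms[0] != 'r') return 0;
    if (strncmp(r->path, "/dev/", 5) == 0) return 0;
    if (strcmp(r->path, "[vvar]") == 0 || strcmp(r->path, "[vsyscall]") == 0) return 0;
    return 1;
}

/* Write every capturable region of this process to out_path: a one-line
 * text header per region followed by the raw bytes. Returns the number of
 * regions written, or -1 on error. write() from an address that turns out
 * to be unreadable fails with EFAULT rather than faulting again, so the
 * walk continues past it. */
int capture_self_memory(const char *out_path) {
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    int out = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { fclose(maps); return -1; }
    char line[512];
    int written = 0;
    while (fgets(line, sizeof line, maps)) {
        map_region r;
        if (!parse_maps_line(line, &r) || !should_capture(&r)) continue;
        size_t len = r.end - r.start;
        if (len > (64u << 20)) len = 64u << 20;   /* assumed cap on huge regions */
        char hdr[320];
        int hl = snprintf(hdr, sizeof hdr, "REGION %lx-%lx %s %s\n",
                          (unsigned long)r.start, (unsigned long)r.start + len,
                          r.perms, r.path);
        if (write(out, hdr, hl) != hl) continue;
        if (write(out, (const void *)r.start, len) == (ssize_t)len) written++;
    }
    close(out);
    fclose(maps);
    return written;
}

/* Crash hook: dump memory, then let the process die with the usual status. */
static void on_crash(int sig) {
    capture_self_memory("/tmp/crash-capture.bin");   /* assumed output path */
    _exit(128 + sig);
}

/* In the chapter's design this hook lives in a modified debuggerd outside
 * the crashing process; here it is installed in-process for brevity. */
void install_capture_hook(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_crash;
    sa.sa_flags = SA_RESETHAND;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGABRT, &sa, NULL);
}

int main(void) {
    install_capture_hook();
    raise(SIGSEGV);   /* simulate the crash that exploitation would cause */
    return 0;
}
```

The in-process handler uses stdio and snprintf, which are not async-signal-safe; it is adequate for a demonstration but is exactly why a production design, like the chapter's debuggerd modification, performs the capture from a separate process that can read the victim's memory without depending on its possibly corrupted heap.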
© 2019 IFIP International Federation for Information Processing
Cite this paper
Grimmett, Z., Staggs, J., Shenoi, S. (2019). Retrofitting Mobile Devices for Capturing Memory-Resident Malware Based on System Side-Effects. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XV. DigitalForensics 2019. IFIP Advances in Information and Communication Technology, vol 569. Springer, Cham. https://doi.org/10.1007/978-3-030-28752-8_4
DOI: https://doi.org/10.1007/978-3-030-28752-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28751-1
Online ISBN: 978-3-030-28752-8
eBook Packages: Computer Science (R0)