Abstract
Malware targeting mobile devices is an ever-increasing threat. The most insidious type of malware resides entirely in volatile memory and leaves no trail of persistent artifacts. Such malware requires novel detection and capture methods to be reliably identified, analyzed and mitigated. This chapter proposes malware categorization and detection techniques based on measurable system side-effects observed on an exploited mobile device. Using the Stagefright family of exploits as a case study, common system side-effects produced by attempted exploitation are identified. These side-effects are then used as triggers for volatile memory (i.e., RAM) collection by memory acquisition tools (e.g., LiME), so that the malware can be captured and analyzed before it disappears.
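The side-effect-triggered acquisition the abstract describes, as an added example that is not the chapter's own code: a monitor classifies Android logcat lines, counts a chosen side-effect within a sliding window, and emits the LiME load command once the count crosses a threshold. The abstract does not name which side-effects the chapter measures; this example assumes repeated crashes and restarts of the mediaserver process (the behaviour publicly documented for Stagefright exploits that brute-force addresses). The log lines, the init restart message, the threshold, the window and the `lime.ko` and dump paths are all constructed for the example; the `insmod lime.ko "path=... format=lime"` form is LiME's documented invocation.

```python
"""Trigger RAM acquisition from observed system side-effects (illustrative)."""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

# Assumed side-effect signatures for a logcat stream. Both patterns are
# illustrative: a native crash report whose thread is mediaserver, and the
# init daemon restarting the 'media' service afterwards.
SIDE_EFFECT_PATTERNS = {
    "mediaserver_crash": re.compile(r"Fatal signal \d+ \(\w+\).*\(mediaserver\)"),
    "mediaserver_restart": re.compile(r"Service 'media'.*restarting"),
}

# logcat "threadtime" prefix: MM-DD HH:MM:SS.mmm ; the date is ignored, so
# a window that spans midnight is not handled (assumption for brevity).
LOGCAT_TS = re.compile(r"^\d{2}-\d{2} (\d{2}):(\d{2}):(\d{2})\.(\d{3})")


def parse_ts(line: str) -> Optional[float]:
    """Seconds since midnight for a logcat line, or None if no timestamp."""
    m = LOGCAT_TS.match(line)
    if not m:
        return None
    hh, mm, ss, ms = (int(g) for g in m.groups())
    return hh * 3600 + mm * 60 + ss + ms / 1000.0


@dataclass
class SideEffectMonitor:
    threshold: int = 3            # crashes inside the window that trigger a dump
    window_s: float = 60.0        # sliding window length
    module_path: str = "/data/local/tmp/lime.ko"   # assumed location of lime.ko
    dump_path: str = "/sdcard/ram.lime"            # assumed dump destination
    _events: Deque[Tuple[float, str]] = field(default_factory=deque)

    def observe(self, line: str) -> Optional[str]:
        """Classify one log line; record and return its side-effect label."""
        ts = parse_ts(line)
        if ts is None:
            return None
        for label, pattern in SIDE_EFFECT_PATTERNS.items():
            if pattern.search(line):
                self._events.append((ts, label))
                self._expire(ts)
                return label
        return None

    def _expire(self, now: float) -> None:
        """Drop events older than the window so isolated crashes never trigger."""
        while self._events and now - self._events[0][0] > self.window_s:
            self._events.popleft()

    def should_acquire(self) -> bool:
        crashes = sum(1 for _, label in self._events if label == "mediaserver_crash")
        return crashes >= self.threshold

    def lime_command(self) -> str:
        """LiME's documented load command; must be run as root on the device."""
        return f'insmod {self.module_path} "path={self.dump_path} format=lime"'


def scan(lines: List[str], threshold: int = 3, window_s: float = 60.0) -> dict:
    """Feed lines to a monitor; stop at the first line that warrants a dump."""
    mon = SideEffectMonitor(threshold=threshold, window_s=window_s)
    labels: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        label = mon.observe(line)
        if label:
            labels.append((i, label))
        if label == "mediaserver_crash" and mon.should_acquire():
            return {"trigger_index": i, "labels": labels, "command": mon.lime_command()}
    return {"trigger_index": -1, "labels": labels, "command": None}


# Constructed logcat excerpt: three mediaserver crashes within a few seconds.
SAMPLE_LOG = [
    "08-13 10:00:01.100  1200  1200 I ActivityManager: Start proc 1300:com.android.mms for broadcast",
    "08-13 10:00:02.500  1311  1311 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb6f13000 in tid 1311 (mediaserver)",
    "08-13 10:00:02.900   500   500 I init    : Service 'media' (pid 1311) killed by signal 11; restarting",
    "08-13 10:00:04.000  1325  1325 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb6f13000 in tid 1325 (mediaserver)",
    "08-13 10:00:04.300   500   500 I init    : Service 'media' (pid 1325) killed by signal 11; restarting",
    "08-13 10:00:05.700  1340  1340 I MediaPlayerService: create",
    "08-13 10:00:06.100  1340  1340 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb6f13000 in tid 1340 (mediaserver)",
]

# Constructed excerpt: the same crash signature five minutes apart, which a
# 60-second window should treat as unrelated and never trigger on.
SPACED_LOG = [
    "08-13 10:00:02.500  1311  1311 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb6f13000 in tid 1311 (mediaserver)",
    "08-13 10:05:02.500  1325  1325 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb6f13000 in tid 1325 (mediaserver)",
    "08-13 10:10:02.500  1340  1340 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb6f13000 in tid 1340 (mediaserver)",
]

if __name__ == "__main__":
    for name, log in (("burst", SAMPLE_LOG), ("spaced", SPACED_LOG)):
        print(name, scan(log))
```

On a rooted device the returned command would be executed as root (and the dump pulled with `adb pull`) at the moment the third crash is seen, which is the point of the technique: the acquisition happens while the exploit's payload is still resident rather than after the fact. Two caveats a practitioner would keep in mind: loading the LiME module itself perturbs memory, so the trigger should fire once and not on every subsequent crash, and a crash loop can also be a benign media bug, which is why threshold and window are tunable rather than fixed.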
© 2017 IFIP International Federation for Information Processing
About this paper
Cite this paper
Grimmett, Z., Staggs, J., Shenoi, S. (2017). Categorizing Mobile Device Malware Based on System Side-Effects. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIII. DigitalForensics 2017. IFIP Advances in Information and Communication Technology, vol 511. Springer, Cham. https://doi.org/10.1007/978-3-319-67208-3_12
DOI: https://doi.org/10.1007/978-3-319-67208-3_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67207-6
Online ISBN: 978-3-319-67208-3
eBook Packages: Computer Science (R0)