Title: Responding to stealthy attacks on android using timely-captured memory dumps
Authors: Bellizzi, Jennifer (2023)
Keywords: Android (Electronic resource); Application software; Malware (Computer software); Computer crimes
Issue Date: 2023
Citation: Bellizzi, J. (2023). Responding to stealthy attacks on android using timely-captured memory dumps (Doctoral dissertation).
Abstract: In recent years, several attack vectors have emerged which enable malware to hijack the functionality of targeted, benign apps. Some of these attack vectors have nearly been fully realised and give rise to a threat model in which malware offloads key attack steps to the hijacked benign app functionality. In the process, attacks following this threat model evade malware detection that assumes malware to be self-contained. Moreover, through the same hijacked functionality, any attack traces can also be erased, rendering log-based attack investigation tools ineffective. This app hijack threat model needs to be anticipated through defensive measures before it manifests as an unmitigated threat. Regardless of the stealthiness of an attack, any evidence must reside in volatile memory during its execution. However, collecting in-memory evidence associated with the app-specific hijacked functionality on Android devices is challenging. Current Android memory forensics methods for app analysis involve using devices which are custom or whose default security has been compromised. Moreover, randomly obtained memory dumps overlook the ephemeral nature of memory, which requires timely collection. Additionally, for the app hijack threat model, identifying app-specific artefacts in memory linked to hijacked functionality and extracting meaningful information from them necessitates an app-centric approach. Such in-depth analysis of individual apps is infeasible and may require sacrificing default app protections. This thesis aims to determine how attack steps offloaded to benign apps can be recovered from volatile memory in a timely and minimally invasive manner with respect to devices and apps. The proposed approach uses process memory introspection to collect real-time evidence from app memory, reducing reliance on app-specific logic.
The study introduces Just-in-Time Memory Forensics (JIT-MF), a framework designed to explore this proposed approach within the constraints of stock Android devices and apps. JIT-MF consists of drivers that capture app-specific artefacts from memory in a timely manner at trigger points, and a driver runtime supporting driver functionality; it produces JIT-MF logs containing app-specific evidence from memory. The experiments conducted and described in this thesis demonstrate the feasibility of real-time app-specific evidence collection from the memory of stock Android devices using the JIT-MF framework. Results reveal that leveraging widely-used codebases for trigger point selection and app-specific artefact dumping avoids app- and device-invasive methods while maintaining accuracy. JIT-MF trigger-based memory dumping improves on the state of the practice by producing forensic timeline sequences that accurately reconstruct app-specific attack steps for this threat model.
Description: Ph.D.(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/119420
Appears in Collections: Dissertations - FacICT - 2023; Dissertations - FacICTCS - 2023

Files in This Item: 2401ICTCPS600005043842_1.PDF (3.98 MB, Adobe PDF)