Responding to targeted stealthy attacks on android using timely-captured memory dumps

Abstract

The increasing dominance of Android smartphones for everyday communication and data processing makes long-term stealthy malware an even more dangerous threat. Recent malware campaigns like Flubot demonstrate that by employing stealthy malware techniques even at minimal capacity, malware is highly effective in making its way to millions of devices with little resistance from existing detection mechanisms. Consequential late detection demands comprehensive forensic timelines to reconstruct all malicious activities. However, the reduced forensic footprint of stealthy attacks with minimal malware involvement leaves investigators little evidence to work with even when utilising state-of-the-art digital forensics tools. Volatile memory forensics can be effective in such scenarios since app execution of any form is always bound to leave a trail of evidence in memory, even if it is short-lived. In this work, we motivate the need for JIT-MF (Just-in-time Memory Forensics), a technique that aims to address the challenges that arise with timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. By taking an incident-response-centric approach, focused on protecting stock Android device users rather than treating them as potential adversaries, we show that JIT-MF tools can collect elusive attack steps in volatile memory without requiring device rooting. Furthermore, we build MobFor, a JIT-MF based tool focusing on capturing evidence related to messaging hijack attacks. This tool provides a context to explore solutions for JIT-MF implementation challenges, aiming to render JIT-MF tools practical for real-world requirements. Finally, we demonstrate that when compared to state-of-the-art digital forensic tools Belkasoft and XRY in a realistic attack scenario involving an enhanced version of the WhatsApp Pink malware and stock Android devices, only MobFor can recover the contents of messages sent by the malware, hence decisively contributing to an enriched forensic timeline.