Abstract : Sophisticated memory-resident malware that target mobile phone platforms can be extremely difficult to detect and capture. However, triggering volatile memory captures based on observable system side-effects exhibited by malware can harvest live memory that contains memory-resident malware. This chapter describes a novel approach for capturing memory-resident malware on an Android device for future analysis. The approach is demonstrated by making modifications to the Android debuggerd daemon to capture memory while a vulnerable process is being exploited on a Google Nexus 5 phone. The implementation employs an external hardware device to store a memory capture after successful exfiltration from the compromised mobile device.
https://hal.inria.fr/hal-02534602 Contributor : Hal IfipConnect in order to contact the contributor Submitted on : Tuesday, April 7, 2020 - 10:37:00 AM Last modification on : Tuesday, April 7, 2020 - 10:42:41 AM
Zachary Grimmett, Jason Staggs, Sujeet Shenoi. Retrofitting Mobile Devices for Capturing Memory-Resident Malware Based on System Side-Effects. 15th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2019, Orlando, FL, United States. pp.59-72, ⟨10.1007/978-3-030-28752-8_4⟩. ⟨hal-02534602⟩