Attackers regularly target Android phones and come up withnew ways to bypass detection mechanisms to achieve long-term stealth on a victim's phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks. In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumpsshould be taken during benign app execution.The effectiveness and cost of trigger point selection, a corner stone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware.Our study identifies that JIT-MF is successful in dumping critical dataobjects on time, providing evidence that eludes all other forensic sources.Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection andthe resulting effectiveness and storage costs. Several optimisation mea-sures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.
Authors: Jennifer Bellizzi; Mark Vella; Christian Colombo; Mark Vella; Christian Colombo; Julio Hernandez-Castro.
Conference: 25th Nordic Conference on Secure IT Systems
Date of Publication: November 2020.