ABSTRACT
Traditionally, Android malware is analyzed using static or dynamic analysis. Static techniques are often fast, but they cannot be applied to classify obfuscated samples or malware that carries a dynamic payload. In comparison, the dynamic approach can examine obfuscated variants but often incurs significant runtime overhead when collecting all relevant malware behavioral data. This paper conducts an exploratory analysis of memory forensics as an alternative technique for extracting feature vectors for an Android malware classifier. We utilized the reconstructed per-process object allocation network to identify distinguishable patterns in malware and benign applications. Our evaluation results indicate that the network structural features of the malware category are distinct from those of the benign dataset, and thus features extracted from the remnants of in-memory allocated objects can be utilized in a robust Android malware classification algorithm.
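As an added illustration, not code from the paper or from any memory-forensics tool, the following Python builds a per-process object allocation graph from a constructed set of recovered-object records and derives the kind of structural feature vector the abstract describes; the record layout, the class names and the particular feature set are assumptions, including how a reference to an object absent from the image is handled.

```python
from collections import Counter

# Constructed sample of recovered heap objects for one process; the record
# layout (object_id, class_name, referenced_object_ids) is an assumption for
# this illustration, not the output format of any real memory-forensics tool.
SAMPLE_OBJECTS = [
    (1, "android.app.Activity", [2, 3]),
    (2, "java.lang.String", []),
    (3, "java.util.HashMap", [4, 5]),
    (4, "java.lang.String", []),
    (5, "java.lang.String", []),
    (6, "dalvik.system.DexClassLoader", [7, 99]),  # object 99 was not recovered
    (7, "java.lang.String", []),
]

FEATURE_ORDER = ("objects", "edges", "density", "max_out_degree",
                 "max_in_degree", "roots", "distinct_classes", "dangling_refs")

def build_allocation_graph(records):
    """Adjacency (object -> referenced objects) plus object -> class map."""
    adj = {oid: list(refs) for oid, _, refs in records}
    cls = {oid: name for oid, name, _ in records}
    return adj, cls

def structural_features(records):
    """Per-process structural features of the object allocation network."""
    adj, cls = build_allocation_graph(records)
    n = len(adj)
    edges = sum(len(refs) for refs in adj.values())
    indeg = Counter(t for refs in adj.values() for t in refs)
    # References to objects absent from the image (freed or unrecovered) are
    # kept as edges but counted separately so a partial dump stays visible.
    dangling = sum(1 for refs in adj.values() for t in refs if t not in adj)
    return {
        "objects": n,
        "edges": edges,
        "density": edges / (n * (n - 1)) if n > 1 else 0.0,
        "max_out_degree": max((len(r) for r in adj.values()), default=0),
        "max_in_degree": max((indeg[o] for o in adj), default=0),
        "roots": sum(1 for o in adj if indeg[o] == 0),
        "distinct_classes": len(set(cls.values())),
        "dangling_refs": dangling,
    }

def feature_vector(records):
    """Fixed-order numeric vector suitable as classifier input."""
    feats = structural_features(records)
    return [feats[k] for k in FEATURE_ORDER]

if __name__ == "__main__":
    print(dict(zip(FEATURE_ORDER, feature_vector(SAMPLE_OBJECTS))))
```

Vectors produced this way for many process dumps, labelled malware or benign, are what a classifier would be trained on; the features here are deliberately simple graph statistics.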
Title: Object Allocation Pattern as an Indicator for Maliciousness - An Exploratory Analysis