The volatile memory-centric process for digitally investigating SMS-hijacking.

Contexts in source publication

Context 1
... proposed digital investigation steps carried upon devices with a suspected SMS-hijack, as shown in Figure 3, are based on the observations just made. They require the inspected device to be connected to an investigation workstation over an Android Debug Bridge (adb) session. ...
Context 2
... points are instrumented with Dalvik heap-dumping bytecode (dalvik_dump_instr on lines 5-12) and possibly also that of the native heap of the phone process (systemmem_dump_instr on lines 13-20). The latter relies on device rooting as well as the installation of nativeDump.apk and DumpCmd, as per step 3 of Figure 3. nativeDump.apk ...
Context 3
... step 3 (Figure 3) is complete, the device is returned to its owner for continued usage during step 4. Its duration is bounded by the space available for memory dumps (the memfiles). On investigation resumption, steps 5 and 6 take care of retrieving them from the device. ...
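Once the memfiles have been pulled back to the investigation workstation (steps 5 and 6), a first triage is to confirm that each Dalvik heap dump is a complete HPROF stream and that the dumped process actually had the messaging classes loaded, before spending time on deeper object-level parsing. The Python below is an added example and is not part of the paper's tooling (dalvik_dump_instr, nativeDump.apk or DumpCmd). It assumes the Dalvik dumps are in HPROF format, as produced by Android's Debug.dumpHprofData, walks only the top-level STRING and LOAD CLASS records, and runs on a constructed in-memory sample; the class names in SMS_INDICATORS are illustrative assumptions, not indicators taken from the paper. Message contents themselves live in the heap-dump segment sub-records, which this example deliberately does not parse.

```python
"""Minimal HPROF triage for Dalvik heap dumps: completeness check and loaded-class listing."""
import struct

TAG_STRING = 0x01      # STRING IN UTF8: ID string_id, then UTF-8 bytes
TAG_LOAD_CLASS = 0x02  # LOAD CLASS: u4 serial, ID class_obj, u4 trace_serial, ID name_string_id

# Illustrative assumption: class-name prefixes worth flagging in an SMS-hijack investigation.
SMS_INDICATORS = (
    "android.telephony.SmsManager",
    "android.telephony.SmsMessage",
    "android.provider.Telephony",
)


def parse_hprof(data):
    """Walk the top-level HPROF record stream.

    Returns (strings, classes, truncated_at):
      strings      - {string_id: text} from STRING records
      classes      - [(class_serial, class_object_id, class_name)] from LOAD CLASS records
      truncated_at - byte offset at which the stream ended mid-record, or None if complete
    A dump cut short because the device ran out of space (step 4 is bounded by
    storage) is reported rather than silently accepted.
    """
    hdr_end = data.index(b"\x00") + 1          # header is a NUL-terminated version string
    (id_size,) = struct.unpack_from(">I", data, hdr_end)
    if id_size not in (4, 8):
        raise ValueError("unexpected identifier size %d" % id_size)
    pos = hdr_end + 4 + 8                      # skip id size and the 64-bit timestamp
    strings, raw_classes, truncated_at = {}, [], None
    while pos < len(data):
        if pos + 9 > len(data):                # record header itself is incomplete
            truncated_at = pos
            break
        tag, _micros, length = struct.unpack_from(">BII", data, pos)
        if pos + 9 + length > len(data):       # record body runs past end of file
            truncated_at = pos
            break
        body = data[pos + 9:pos + 9 + length]
        pos += 9 + length
        if tag == TAG_STRING:
            sid = int.from_bytes(body[:id_size], "big")
            strings[sid] = body[id_size:].decode("utf-8", errors="replace")
        elif tag == TAG_LOAD_CLASS:
            serial = struct.unpack_from(">I", body, 0)[0]
            cls_id = int.from_bytes(body[4:4 + id_size], "big")
            name_id = int.from_bytes(body[8 + id_size:8 + 2 * id_size], "big")
            raw_classes.append((serial, cls_id, name_id))
    # Resolve names after the walk so record ordering does not matter.
    classes = [(s, c, strings.get(n, "<unresolved string %d>" % n)) for s, c, n in raw_classes]
    return strings, classes, truncated_at


def sms_classes_loaded(data, indicators=SMS_INDICATORS):
    """Return the loaded class names matching the indicator prefixes (JVM '/' form normalised to '.')."""
    _, classes, _ = parse_hprof(data)
    names = {name.replace("/", ".") for _, _, name in classes}
    return sorted(n for n in names if any(n.startswith(i) for i in indicators))


def build_sample_dump(class_names, id_size=4):
    """Construct a tiny synthetic HPROF stream (constructed sample data, not a real device dump)."""
    fmt_id = ">I" if id_size == 4 else ">Q"
    out = bytearray(b"JAVA PROFILE 1.0.3\x00")
    out += struct.pack(">I", id_size) + struct.pack(">II", 0, 0)

    def record(tag, body):
        out.extend(struct.pack(">BII", tag, 0, len(body)) + body)

    for serial, name in enumerate(class_names, start=1):
        name_id, cls_id = 0x1000 + serial, 0x2000 + serial
        record(TAG_STRING, struct.pack(fmt_id, name_id) + name.encode("utf-8"))
        record(TAG_LOAD_CLASS, struct.pack(">I", serial) + struct.pack(fmt_id, cls_id)
               + struct.pack(">I", 0) + struct.pack(fmt_id, name_id))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_dump(["java.lang.Object", "android.telephony.SmsManager",
                                "com.example.messenger.Sender"])
    _, loaded, cut = parse_hprof(sample)
    print("records complete:", cut is None)
    print("loaded classes:", [n for _, _, n in loaded])
    print("SMS-related classes:", sms_classes_loaded(sample))
```

On a real investigation the memfiles would be retrieved with `adb pull` over the same adb session used in step 1, and each file hashed before this triage runs; a non-None `truncated_at` tells the investigator which dump was cut short and from which offset the heap-segment records are no longer trustworthy.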

Citations

... Furthermore, this level of stealth typically leads to victims raising the alarm and initiating an investigation process when the consequences of the attack are evident (e.g., missing funds), which occurs way after the attack steps have been carried out (late detection). Incident responders and security operations center (SOC) analysts investigating such incidents must derive the covert nature of these stealthy attacks from their deliberately small footprint [17,18]. Regardless of the stealthiness of an attack, however, its execution must occur in memory [19,20]. ...
... This functionality is not different from that typically offered by today's IM apps, other than that the initiator of these actions is a malicious actor, and the device owner is unaware of these events. This attack vector has been shown to enable stealthy living-off-the-land (LOtL) tactics [48], where key attack steps are delegated to benign apps, possibly only requiring the use of malware during an initial setup phase, to attain the maximum stealth [18]. Delegating an attack's core steps to benign apps has the consequence of bypassing malware detection mechanisms and making any follow-up threat detection and response more challenging, as reconstructing the attack steps distributed among trusted apps is not straightforward. ...
Article
Full-text available
The ubiquity of Android smartphones makes them targets of sophisticated malware, which maintain long-term stealth, particularly by offloading attack steps to benign apps. Such malware leaves little to no trace in logs, and the attack steps become difficult to discern from benign app functionality. Endpoint detection and response (EDR) systems provide live forensic capabilities that enable anomaly detection techniques to detect anomalous behavior in application logs after an app hijack. However, this presents a challenge, as state-of-the-art EDRs rely on device and third-party application logs, which may not include evidence of attack steps, thus prohibiting anomaly detection techniques from exposing anomalous behavior. While, theoretically, all the evidence resides in volatile memory, its ephemerality necessitates timely collection, and its extraction requires device rooting or app repackaging. We present VEDRANDO, an enhanced EDR for Android that accomplishes (i) the challenge of timely collection of volatile memory artefacts and (ii) the detection of a class of stealthy attacks that hijack benign applications. VEDRANDO leverages memory forensics and app virtualization techniques to collect timely evidence from memory, which allows uncovering attack steps currently uncollected by the state-of-the-art EDRs. The results showed that, with less than 5% CPU overhead compared to normal usage, VEDRANDO could uniquely collect and fully reconstruct the stealthy attack steps of ten realistic messaging hijack attacks using standard anomaly detection techniques, without requiring device or app modification.
... Established stealthy attack vectors, such as accessibility [4] or app-level virtualisation misuse [5], and several others [6]-[8], have become increasingly popular among malware authors, with many recent incidents gaining worldwide reach, leaving devastating effects [9]-[12]. More seriously for incident response, the resulting reduced forensic footprint for any attack employing such attack vectors has also been demonstrated [13], [14]. Specifically, in this work, we focus on stealthy attacks which hijack the messaging functionality of benign apps on stock Android devices to hide compromising communication of a criminal nature behind victim devices or spy on target victims through unlawful interception of messages. ...
... This functionality is no different from that typically offered by today's messaging (Figure 2a) or SMSonPC apps that enable sending text messages directly from the convenience of one's PC (Figure 2b), other than the fact that the initiator of these actions is a malicious actor and the device owner is unaware of these events. This attack vector has been shown to enable stealthy Living-Off-the-Land (LOtL) tactics [29], where key attack steps are delegated to benign apps, possibly only requiring the use of malware during an initial setup phase to attain maximum stealth [14]. Delegating an attack's core steps to benign apps has the consequence of bypassing malware detection mechanisms and making any follow-up response more challenging as reconstructing the attack steps distributed among trusted apps is non-straightforward. ...
Article
Full-text available
The increasing dominance of Android smartphones for everyday communication and data processing makes long-term stealthy malware an even more dangerous threat. Recent malware campaigns like Flubot demonstrate that by employing stealthy malware techniques even at minimal capacity, malware is highly effective in making its way to millions of devices with little resistance from existing detection mechanisms. Consequential late detection demands comprehensive forensic timelines to reconstruct all malicious activities. However, the reduced forensic footprint of stealthy attacks with minimal malware involvement leaves investigators little evidence to work with even when utilising state-of-the-art digital forensics tools. Volatile memory forensics can be effective in such scenarios since app execution of any form is always bound to leave a trail of evidence in memory, even if it is short-lived. In this work, we motivate the need for JIT-MF (Just-in-time Memory Forensics), a technique that aims to address the challenges that arise with timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. By taking an incident-response-centric approach, focused on protecting stock Android device users rather than treating them as potential adversaries, we show that JIT-MF tools can collect elusive attack steps in volatile memory without requiring device rooting. Furthermore, we build MobFor, a JIT-MF based tool focusing on capturing evidence related to messaging hijack attacks. This tool provides a context to explore solutions for JIT-MF implementation challenges, aiming to render JIT-MF tools practical for real-world requirements. Finally, we demonstrate that when compared to state-of-the-art digital forensic tools Belkasoft and XRY in a realistic attack scenario involving an enhanced version of the WhatsApp Pink malware and stock Android devices, only MobFor can recover the contents of messages sent by the malware, hence decisively contributing to an enriched forensic timeline.
... Accessibility services misuse in Android has emerged as a predominant stealth technique in recent years, primarily adopted by accessibility trojans pulling off phishing attacks in a particularly stealthy manner [2,3,6]. While initially proposed as a way to maliciously interact with victim apps in a stealthy way requiring only accessibility and overlay-related permissions [12], more recent work suggested that the level of stealth can be increased further by offloading most or all of the attack steps to benign apps [22]. In this setting, any classifier-based malware detector is fooled since critical attack steps are executed solely via white-listed victim apps. ...
... Evidence collected from volatile memory becomes essential. While forensics tools that operate similarly have shown promise within very narrow domains, one cannot underestimate the significant challenge of dealing with short-lived evidence [15,21,22]. ...
... For instance, attackers who are motivated to create a malicious app to send SMSs via another phone to hide their identity (SMS crime-proxy), may exploit accessibility to silently install a benign legitimate SMSonPC app, e.g. Pushbullet [22], whose normal usage involves proxying sent/received SMSs through a remote PC. By signing up with phished credentials, as part of the setting up (step 1 of Fig. 1b) on the installed app, attackers gain full control over every SMS that is received and can send SMS remotely through a benign app, hiding its tracks and increasing the stealth level of the attackers' subsequent steps. ...
Chapter
Full-text available
Attackers regularly target Android phones and come up with new ways to bypass detection mechanisms to achieve long-term stealth on a victim's phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks. In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumps should be taken during benign app execution. The effectiveness and cost of trigger point selection, a cornerstone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware. Our study identifies that JIT-MF is successful in dumping critical data objects on time, providing evidence that eludes all other forensic sources. Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection and the resulting effectiveness and storage costs. Several optimisation measures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.
... Artifacts from HPROF dumps are suitable for the purpose of capturing individual app behaviour, yet challenges abound. While classic memory forensics focuses on long-lived kernel-level dumps, heap objects may be short-lived [26], and therefore it may be the case that a substantial portion of app execution residue is lost by the time an HPROF dump is taken. Therefore, the timing of dump triggers is critical. ...
Preprint
Full-text available
In recent years the PC has been replaced by mobile devices for many security sensitive operations, both from a privacy and a financial standpoint. While security mechanisms are deployed at various levels, these are frequently put under strain by previously unseen malware. An additional protection layer capable of novelty detection is therefore needed. In this work we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits suspicious apps to more thorough processing by malware sandboxes. We compare Kernel Principal Component Analysis (KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as a novel approach based on memory dumps. Results show that when using VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for network anomaly detection. Interestingly this is also true for the memory dump approach, relinquishing the need for continuous app monitoring.
... However, it cannot avoid leaving marks on volatile memory at one point or another. The likely brief presence in memory of relevant artefacts, which could be indicators of compromise, calls for a just-in-time collection approach [30]. The challenges with this strategy are, nevertheless, many. ...
Chapter
Full-text available
Android accessibility features include a robust set of tools allowing developers to create apps for assisting people with disabilities. Unfortunately, this useful set of tools can also be abused and turned into an attack vector, providing malware with the ability to interact and read content from third-party apps. In this work, we are the first to study the impact that the stealthy exploitation of Android accessibility services can have on significantly reducing the forensic footprint of malware attacks, thus hindering both live and post-incident forensic investigations. We show that through Living off the Land (LotL) tactics, or by offering a malware-only substitute for attacks typically requiring more elaborate schemes, accessibility-based malware can be rendered virtually undetectable. In the LotL approach, we demonstrate accessibility-enabled SMS and command and control (C2) capabilities. As for the latter, we show a complete cryptocurrency wallet theft, whereby the accessibility trojan can hijack the entire withdrawal process of a widely used app, including two-factor authentication (2FA). In both cases, we demonstrate how the attacks result in significantly diminished forensic evidence when compared to similar attacks not employing accessibility tools, even to the extent of maintaining device take-over without requiring malware persistence.