Volatile memory-centric investigation of SMS-hijacked phones: a Pushbullet case study
Mark Vella, Vishwas Rudramurthy
DOI: http://dx.doi.org/10.15439/2018F11
Citation: Proceedings of the 2018 Federated Conference on Computer Science and Information Systems, M. Ganzha, L. Maciaszek, M. Paprzycki (eds). ACSIS, Vol. 15, pages 607–616 (2018)
Abstract. Cloak-and-Dagger attacks targeting Android devices can completely hijack the UI feedback loop, and one possible consequence is the hijacking of SMS functionality for cybercrime purposes. Of particular concern is that attackers can decouple the stealth activities from the SMS hijacking itself. Consequently, the latter could be pulled off using completely legitimate apps that normally allow users to manage text messages from their personal computers (SMSonPC), but this time hidden away under attacker control. This work proposes a digital investigation process aiming to uncover SMS-hijacked devices. It uses bytecode instrumentation to force the dumping of the volatile memory areas where evidence of the hijack can be located. Eventually, both the malware that conceals the SMS hijacking and the compromised or smuggled SMSonPC app can be identified. Preliminary results are presented using a case study based on the popular SMSonPC app Pushbullet.