Affiliation:
1. Department of Computer Science, University of Malta, MSD 2080 Msida, Malta
2. Department of Mathematics, University of Padua, Via Trieste 63, 35121 Padua, Italy
Abstract
The ubiquity of Android smartphones makes them targets of sophisticated malware, which maintain long-term stealth, particularly by offloading attack steps to benign apps. Such malware leaves little to no trace in logs, and the attack steps become difficult to discern from benign app functionality. Endpoint detection and response (EDR) systems provide live forensic capabilities that enable anomaly detection techniques to detect anomalous behavior in application logs after an app hijack. However, this presents a challenge, as state-of-the-art EDRs rely on device and third-party application logs, which may not include evidence of attack steps, thus prohibiting anomaly detection techniques from exposing anomalous behavior. While, theoretically, all the evidence resides in volatile memory, its ephemerality necessitates timely collection, and its extraction requires device rooting or app repackaging. We present VEDRANDO, an enhanced EDR for Android that accomplishes (i) the challenge of timely collection of volatile memory artefacts and (ii) the detection of a class of stealthy attacks that hijack benign applications. VEDRANDO leverages memory forensics and app virtualization techniques to collect timely evidence from memory, which allows uncovering attack steps currently uncollected by the state-of-the-art EDRs. The results showed that, with less than 5% CPU overhead compared to normal usage, VEDRANDO could uniquely collect and fully reconstruct the stealthy attack steps of ten realistic messaging hijack attacks using standard anomaly detection techniques, without requiring device or app modification.
Funder
Malta Council for Science and Technology
Subject
General Earth and Planetary Sciences,General Environmental Science
Reference79 articles.
1. Kotzias, P., Caballero, J., and Bilge, L. (2021, January 24–27). How did that get in my phone? Unwanted app distribution on android devices. Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.
2. Collier, N. (2023, February 18). Malware on the Google Play Store Leads to Harmful Phishing Sites. Available online: https://www.malwarebytes.com/blog/news/2022/11/malware-on-the-google-play-store-leads-to-harmful-phishing-sites.
3. (2023, March 28). The Mobile Malware Threat Landscape in 2022. Available online: https://securelist.com/mobile-threat-report-2022/108844/.
4. (2023, March 03). BrasDex: A New Brazilian ATS Android Banker with Ties to Desktop Malware. Available online: https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html.
5. (2023, March 03). Look out for Octo’s Tentacles! A New On-Device Fraud Android Banking Trojan with a Rich Legacy. Available online: https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html.