Detecting android kernel rootkits via JTAG memory introspection

Research output: Chapter in Book/Report/Conference proceedingChapterpeer-review

1 Scopus citations

Abstract

Smartphones and tablets have become prime targets for malware, due to the valuable personal and corporate information they hold. While antivirus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that are able to evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism running on the same physical device as the monitored OS can be compromised via application, kernel, or bootloader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task. We present a system aimed at detecting rootkits in the Android kernel, utilizing the hardware’s Joint Test Action Group (JTAG) interface for trusted memory forensics and OS introspection. Our framework consists of components that extract areas of a kernel’s memory and reconstruct it for further analysis. We present the overall architecture, along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG’s main purpose is system testing, it can also be used for malware detection where traditional methods fail.

Original languageEnglish
Title of host publicationIntrusion Detection and Prevention for Mobile Ecosystems
PublisherCRC Press
Pages165-186
Number of pages22
ISBN (Electronic)9781315305820
ISBN (Print)9781138033573
DOIs
StatePublished - 1 Jan 2017

Fingerprint

Dive into the research topics of 'Detecting android kernel rootkits via JTAG memory introspection'. Together they form a unique fingerprint.

Cite this