TY - CHAP
T1 - Detecting Android kernel rootkits via JTAG memory introspection
AU - Guri, Mordechai
AU - Poliak, Yuri
AU - Shapira, Bracha
AU - Elovici, Yuval
N1 - Publisher Copyright:
© 2018 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business.
PY - 2017/1/1
Y1 - 2017/1/1
N2 - Smartphones and tablets have become prime targets for malware, due to the valuable personal and corporate information they hold. While antivirus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that are able to evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism running on the same physical device as the monitored OS can be compromised via application, kernel, or bootloader vulnerabilities. Consequently, trusted detection of kernel rootkits in mobile devices is a challenging task. We present a system aimed at detecting rootkits in the Android kernel, utilizing the hardware’s Joint Test Action Group (JTAG) interface for trusted memory forensics and OS introspection. Our framework consists of components that extract areas of a kernel’s memory and reconstruct it for further analysis. We present the overall architecture, along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG’s main purpose is system testing, it can also be used for malware detection where traditional methods fail.
UR - http://www.scopus.com/inward/record.url?scp=85052480245&partnerID=8YFLogxK
U2 - 10.1201/b21885-7
DO - 10.1201/b21885-7
M3 - Chapter
AN - SCOPUS:85052480245
SN - 9781138033573
SP - 165
EP - 186
BT - Intrusion Detection and Prevention for Mobile Ecosystems
PB - CRC Press
ER -