Back To Schedule
Thursday, October 4 • 17:30 - 18:30
Hunting Android Malware: A novel runtime technique for identifying malicious applications

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime. 

Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Playstore and on devices. Currently multiple techniques exist to identify malware such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that who or what is performing the analysis, is required to have access to the Android application (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and also dependent on access to the APK. 

What if no access to the APK is required to identify if an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices, at best there is static analysis on the application and its permissions. Additionally there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications. 

In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime. The technique proposed does not require access to the contents of the APK nor does it require write access to the application sandbox or memory, only read access to the process HEAP. The analysis of the HEAP allows for the proposed technique to identify the instantiated objects for a particular application. The indentification and analysis of instantiated objects for Android applications can be used to effectively identify applications that are making use of, and implementing dangerous functionality such as DexClass loaders and other well known objects that exhibit malicious behaviour. 

The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. The inclusion of this research as a system service via the Attestation Framework can enable the Android operating system or user to identify malicious applications at runtime via any Android application.

avatar for Christopher Le Roy

Christopher Le Roy

Chris is a security researcher based in London. He has not had an unusual entrance to infosec coming from a Computer Science background which led him to dabble in software development for sometime. This resulted in Chris realising he is a terrible dev and prefers breaking things which... Read More →

Thursday October 4, 2018 17:30 - 18:30 CEST
01. Westvleteren University