Several techniques exist today to identify malware: code signatures, hashes, permission analysis and manual static analysis. All of them rest on the premise that whoever or whatever performs the analysis has access to the Android application package (APK). Performing these analyses on the device itself is resource intensive, time consuming and, again, dependent on access to the APK.
What if no access to the APK were needed to decide whether an application is malicious? At present no capability exists to scan for malicious applications at runtime on Android devices; at best there is static analysis of the application and its permissions. Android's attestation framework attempts to report on the state of the device, but it says nothing about the state of the applications running on it.
In this talk, Chris explores a novel technique for identifying malicious Android applications by analysing the heap of Android applications at runtime. Identifying and analysing the objects an application has instantiated on its heap can effectively reveal applications that use or implement dangerous functionality, such as class loaders and other well-known objects associated with malicious behaviour.
Chris also shares how this technique was built and implemented on Android, and how it could be implemented by the operating system or by third-party applications to scan application memory for malicious behaviour.
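The heap-inspection idea above can be tried offline before building anything in-process. The following is an added example written for this page, not the tooling from the talk: it parses an HPROF heap dump, counts live instances per class, and flags classes on a watch-list. It assumes a dump in the format ART writes (for instance one taken with `adb shell am dumpheap <pid> <file>` on a debuggable app or rooted device), handles the standard HPROF sub-records plus the ART-specific root and heap-info tags the example assumes from ART's hprof writer, and stops with an error on any tag it does not know rather than silently misaligning. The watch-list classes are real Android/Java classes, but treating them as indicators is this example's assumption; `build_sample_dump` constructs a minimal synthetic dump so the script runs without a device.

```python
"""Offline triage of an Android HPROF heap dump: count live instances per class
and flag watch-listed classes. Added example, not the talk's own tooling."""
from collections import Counter

# Watch-list (example's assumption): class names are real, their use as indicators is ours.
WATCHLIST = {"dalvik.system.DexClassLoader", "dalvik.system.InMemoryDexClassLoader",
             "java.lang.ProcessBuilder"}

# HPROF basic-type sizes; type 2 is an object id whose size comes from the dump header.
_PRIM_SIZE = {4: 1, 5: 2, 6: 4, 7: 8, 8: 1, 9: 2, 10: 4, 11: 8}


class _Reader:
    """Big-endian cursor over the dump bytes."""
    def __init__(self, data, pos, idsize):
        self.data, self.pos, self.idsize = data, pos, idsize

    def u(self, n):
        v = int.from_bytes(self.data[self.pos:self.pos + n], "big")
        self.pos += n
        return v

    def id(self): return self.u(self.idsize)
    def skip(self, n): self.pos += n
    def tsize(self, t): return self.idsize if t == 2 else _PRIM_SIZE[t]


def _skip_class_dump(r):
    r.id(); r.skip(4)                          # class object id, stack trace serial
    for _ in range(6): r.id()                  # super, loader, signers, prot. domain, 2 reserved
    r.skip(4)                                  # instance size
    for _ in range(r.u(2)):                    # constant pool: u2 index, u1 type, value
        r.skip(2); r.skip(r.tsize(r.u(1)))
    for _ in range(r.u(2)):                    # static fields: id name, u1 type, value
        r.id(); r.skip(r.tsize(r.u(1)))
    for _ in range(r.u(2)):                    # instance fields: id name, u1 type
        r.id(); r.skip(1)


def _walk_heap_segment(r, end, counts):
    """Walk HEAP DUMP sub-records, counting INSTANCE DUMPs per class object id."""
    while r.pos < end:
        tag = r.u(1)
        if tag in (0xFF, 0x05, 0x07, 0x89, 0x8A, 0x8B, 0x8C, 0x8D):   # roots carrying one id (0x89+ are ART)
            r.id()
        elif tag == 0x01:                                            # ROOT_JNI_GLOBAL: id, id
            r.id(); r.id()
        elif tag in (0x02, 0x03, 0x08, 0x8E):                        # roots: id, u4, u4 (0x8E is ART)
            r.id(); r.skip(8)
        elif tag in (0x04, 0x06):                                    # roots: id, u4
            r.id(); r.skip(4)
        elif tag == 0xFE:                                            # ART HEAP_DUMP_INFO: u4 heap, id name
            r.skip(4); r.id()
        elif tag == 0x20:                                            # CLASS DUMP
            _skip_class_dump(r)
        elif tag == 0x21:                                            # INSTANCE DUMP: id, u4, id class, u4 len, bytes
            r.id(); r.skip(4); counts[r.id()] += 1; r.skip(r.u(4))
        elif tag == 0x22:                                            # OBJECT ARRAY DUMP
            r.id(); r.skip(4); n = r.u(4); r.id(); r.skip(n * r.idsize)
        elif tag in (0x23, 0xC3):                                    # PRIMITIVE ARRAY DUMP (0xC3: ART, no data)
            r.id(); r.skip(4); n = r.u(4); size = r.tsize(r.u(1))
            if tag == 0x23: r.skip(n * size)
        else:
            raise ValueError(f"unsupported heap sub-record 0x{tag:02x} at offset {r.pos - 1}")


def instance_counts(data):
    """Return a Counter mapping class name -> number of live instances in the dump."""
    hdr_end = data.index(b"\0") + 1                        # "JAVA PROFILE 1.0.3\0"
    idsize = int.from_bytes(data[hdr_end:hdr_end + 4], "big")
    r = _Reader(data, hdr_end + 12, idsize)                # skip u4 id size + u8 timestamp
    strings, class_name_id, counts = {}, {}, Counter()
    while r.pos < len(data):
        tag = r.u(1); r.skip(4); length = r.u(4); body_end = r.pos + length
        if tag == 0x01:                                    # STRING: id, utf8 bytes
            sid = r.id(); strings[sid] = data[r.pos:body_end].decode("utf-8", "replace")
        elif tag == 0x02:                                  # LOAD CLASS: u4 serial, id class, u4 stack, id name
            r.skip(4); cls = r.id(); r.skip(4); class_name_id[cls] = r.id()
        elif tag in (0x0C, 0x1C):                          # HEAP DUMP / HEAP DUMP SEGMENT
            _walk_heap_segment(r, body_end, counts)
        r.pos = body_end                                   # stack frames, traces etc. are skipped by length
    named = Counter()
    for cls, n in counts.items():                          # resolve class ids to names only at the end
        named[strings.get(class_name_id.get(cls), f"<class 0x{cls:x}>")] += n
    return named


def flag_suspicious(counts, watchlist=WATCHLIST):
    """Watch-listed classes that have at least one live instance on the heap."""
    return {name: n for name, n in counts.items() if name in watchlist}


def _rec(tag, body):
    """Top-level HPROF record: u1 tag, u4 time, u4 length, body."""
    return bytes([tag]) + bytes(4) + len(body).to_bytes(4, "big") + body


def build_sample_dump(idsize=4):
    """Constructed minimal dump (not a device capture): three classes, four objects."""
    i = lambda v: v.to_bytes(idsize, "big")
    u4 = lambda v: v.to_bytes(4, "big")
    names = {0x10: "java.lang.String", 0x20: "dalvik.system.DexClassLoader", 0x30: "com.example.MainActivity"}
    out = b"JAVA PROFILE 1.0.3\0" + u4(idsize) + bytes(8)
    for cls, name in names.items():
        out += _rec(0x01, i(cls + 1) + name.encode())               # STRING (string id = class id + 1)
        out += _rec(0x02, u4(1) + i(cls) + u4(0) + i(cls + 1))      # LOAD CLASS
    seg = bytes([0x20]) + i(0x30) + u4(0) + i(0) * 6 + u4(8)        # CLASS DUMP for MainActivity...
    seg += bytes(2) + bytes(2) + (1).to_bytes(2, "big") + i(0x99) + bytes([2])   # ...with one object field
    seg += bytes([0x08]) + i(0x1000) + u4(1) + u4(0)                # ROOT_THREAD_OBJ
    for obj, cls in ((0x100, 0x30), (0x101, 0x20), (0x102, 0x20), (0x103, 0x10)):
        seg += bytes([0x21]) + i(obj) + u4(0) + i(cls) + u4(4) + bytes(4)   # INSTANCE DUMP, 4 field bytes
    seg += bytes([0x23]) + i(0x200) + u4(0) + u4(3) + bytes([8]) + b"abc"   # PRIMITIVE ARRAY DUMP: byte[3]
    return out + _rec(0x1C, seg) + _rec(0x2C, b"")


if __name__ == "__main__":
    print(flag_suspicious(instance_counts(build_sample_dump())))
```

Two caveats a practitioner should keep in mind. A dump taken this way is a snapshot that pauses the app, so it is a triage aid rather than the continuous, in-process scan the talk describes. And instance counts only say that an object of that class is live; deciding that, say, a `DexClassLoader` is dangerous still needs context (which code path created it, what path or buffer it loads from), which is exactly the "identification and analysis" the talk is about.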