Android malware is a continuing problem in the Android ecosystem, even after 9 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Play Store and on devices.
Multiple techniques currently exist to identify malware, such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that whoever or whatever performs the analysis has access to the Android application (APK). However, performing these analyses on devices is resource intensive, time consuming and dependent on access to the APK.
What if no access to the APK were required to identify whether an application is malicious? Currently, no capability exists to scan for malicious applications at runtime on Android devices; at best there is static analysis of the application and its permissions. Additionally, there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications.
In this talk, Chris will explore a novel technique to identify malicious Android applications by analyzing the heap of Android applications at runtime. Identifying and analyzing the objects an application has instantiated on the heap can be used to effectively identify applications that use and implement dangerous functionality, such as class loaders and other well-known objects that exhibit malicious behaviour.
Chris will also share how this technique was built and implemented on Android using Android awesomeness and how it can be implemented by the operating system or 3rd party applications to effectively scan application memory for malicious behaviour.