
    Forensic Analysis of Spy Applications in Android Devices

    Smartphones running Google's Android operating system are becoming more popular each year, and with this increased user base come increased opportunities to collect more of these users' private data. There have been several instances of malware being made available via the Google Play Store, which is one of the predominant means for users to download applications. One effective way of collecting users' private data is by using Android spyware. In this paper, we conduct a forensic analysis of a malicious Android spyware application and present our findings. We also highlight what information the application accesses and what it does with that information. We then provide our findings on how Google's Play Protect service handles this spyware application. Lastly, we offer a simple framework that forensic investigators can follow for performing mobile application analysis.

    EviHunter: Identifying Digital Evidence in the Permanent Storage of Android Devices via Static Analysis

    Crimes, both physical and cyber, increasingly involve smartphones due to their ubiquity. Therefore, digital evidence on smartphones plays an increasingly important role in crime investigations. Digital evidence could reside in the memory and permanent storage of a smartphone. While we have witnessed significant progress on memory forensics recently, identifying evidence in the permanent storage is still an underdeveloped research area. Most existing studies on permanent-storage forensics rely on manual analysis or keyword-based scanning of the permanent storage. Manual analysis is costly, while keyword matching often misses evidentiary data that do not contain interesting keywords. In this work, we develop a tool called EviHunter to automatically identify evidentiary data in the permanent storage of an Android device. There could be thousands of files on the permanent storage of a smartphone. A basic question a forensic investigator often faces is which files could store evidentiary data. EviHunter aims to answer this question. Our intuition is that the evidentiary data were produced by apps, and an app's code has rich information about the types of data the app may write to permanent storage and the files the data are written to. Therefore, EviHunter first pre-computes an App Evidence Database (AED) via static analysis of a large number of apps. The AED includes, for each app, the types of evidentiary data and the files that store them. Then, EviHunter matches the files on a smartphone's permanent storage against the AED to identify the files that could store evidentiary data. We evaluate EviHunter on benchmark apps and 8,690 real-world apps. Our results show that EviHunter can precisely identify both the types of evidentiary data and the files that store them.
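    The matching step described in the abstract, as an added illustration (this is not EviHunter's code): a toy App Evidence Database maps a package name to the app-private files its code writes and the evidence types each file may hold, and the matcher walks a list of file paths taken from a device image and reports the candidates. The package names, path patterns and evidence types below are constructed for the example; a real AED would be produced by static analysis of the app's write calls, as the paper describes.

```python
"""Toy AED matcher: report which files on an Android image may hold evidentiary data.
All packages, paths and evidence types here are constructed examples, not a real AED."""
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed AED: package -> [(path pattern relative to /data/data/<pkg>/, evidence types)].
# Glob '*' stands for path parts the static analysis could not resolve (e.g. a timestamp).
APP_EVIDENCE_DB: Dict[str, List[Tuple[str, List[str]]]] = {
    "com.example.chat": [
        ("databases/messages.db", ["text", "time", "contact"]),
        ("shared_prefs/account.xml", ["email", "contact"]),
        ("files/log_*.txt", ["time", "location"]),
    ],
    "com.example.maps": [
        ("databases/history.db", ["location", "time"]),
        ("cache/tile_*.png", []),  # written by the app, but carries no evidentiary data
    ],
}

# Constructed file list, as an investigator would obtain it from a device image.
SAMPLE_DEVICE_FILES = [
    "/data/data/com.example.chat/databases/messages.db",
    "/data/data/com.example.chat/files/log_20240101.txt",
    "/data/data/com.example.chat/cache/webview.bin",      # not predicted by the AED
    "/data/data/com.example.maps/cache/tile_12.png",      # predicted, but no evidence types
    "/data/data/com.example.maps/databases/history.db",
    "/data/data/com.unknown.app/databases/x.db",          # app absent from the AED
    "/sdcard/DCIM/IMG_0001.jpg",                          # outside app-private storage
]

# Android app-private storage layout: /data/data/<package>/<relative path>
_DATA_DIR = re.compile(r"^/data/data/(?P<pkg>[A-Za-z0-9_.]+)/(?P<rel>.+)$")


def match_files(device_files: List[str], aed=APP_EVIDENCE_DB) -> Dict[str, List[str]]:
    """Return {absolute path: sorted evidence types} for files some AED entry predicts.
    Files of apps missing from the AED, or matching no pattern, are not reported."""
    hits: Dict[str, List[str]] = {}
    for path in device_files:
        m = _DATA_DIR.match(path)
        if not m:
            continue
        pkg, rel = m.group("pkg"), m.group("rel")
        for pattern, types in aed.get(pkg, []):
            if types and fnmatch.fnmatchcase(rel, pattern):
                hits[path] = sorted(set(hits.get(path, [])) | set(types))
    return hits


def files_by_evidence_type(hits: Dict[str, List[str]], wanted: str) -> List[str]:
    """Answer the investigator's question in reverse: which files may hold e.g. 'location'?"""
    return sorted(path for path, types in hits.items() if wanted in types)


if __name__ == "__main__":
    found = match_files(SAMPLE_DEVICE_FILES)
    for path, types in found.items():
        print(f"{path}: {', '.join(types)}")
    print("location evidence:", files_by_evidence_type(found, "location"))
```

    The matcher is only as good as the AED: a file written through an unresolved path, or by an app the database has never analysed, is silent here, which is why the paper builds the AED over thousands of apps rather than a handful.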

    Forensic Analysis of Smartphone Applications for Privacy Leakage

    Smartphones and tablets are personal devices that have diffused to near-universal ubiquity in recent years. As smartphone users become more privacy-aware and privacy-conscious, research is needed to understand how "leakage" of private information (personally identifiable information, PII) occurs. This study explores how leakage studies on Android devices should be adapted to Apple iOS devices. The OWASP Zed Attack Proxy (ZAP) is used to examine 50 apps in various categories. This study confirms that: (1) most apps transmit unencrypted sensitive PII, (2) SSL is used by some recipient websites, but without corresponding app compliance with SSL, and (3) most apps in iOS environments reveal (leak) the smartphone version. The paper concludes that much additional work is needed to assess the privacy dominance between platforms and to raise user awareness of smartphone privacy intrusions. Keywords: mobile forensics, ZAP, privacy leakage, metadata, security
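    An added example of the kind of check such a leakage study runs over intercepted traffic (this is not the study's tooling or a ZAP feature): each request the proxy recorded is reduced to its URL, headers and body, scanned for PII patterns and for a device/OS version string in the User-Agent, and each finding is tagged with whether the request went over plain HTTP. The three requests, hosts and values are constructed for the example, and the PII patterns (email, 15-digit IMEI-style number, OS version) are illustrative assumptions rather than the study's own criteria.

```python
"""Flag PII and device-version strings in proxied app requests, noting plaintext transport.
Requests, hosts and PII patterns below are constructed for illustration."""
import re
from urllib.parse import urlsplit, unquote

# Illustrative detectors; a real study would tune these per app and category.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "imei": re.compile(r"\b\d{15}\b"),
    "os_version": re.compile(r"(?:Android|iPhone OS)\s?[\d_.]+"),
}
SENSITIVE = {"email", "imei"}  # os_version is metadata leakage, reported separately

# Constructed proxy records, in the shape a parsed ZAP export would give.
SAMPLE_REQUESTS = [
    {"url": "http://api.example-app.test/login?user=alice%40example.com&device=123456789012345",
     "headers": {"User-Agent": "Mozilla/5.0 (Linux; Android 11; Pixel 4)"}, "body": ""},
    {"url": "https://analytics.example-cdn.test/collect",
     "headers": {"User-Agent": "App/2.1 (iPhone; CPU iPhone OS 14_4 like Mac OS X)"},
     "body": '{"email":"bob@example.org","imei":"490154203237518"}'},
    {"url": "http://cdn.example-app.test/image.png",
     "headers": {"User-Agent": "okhttp/4.9"}, "body": ""},
]


def audit_request(req):
    """Return one finding per (pattern, location) match in the request."""
    url = urlsplit(req["url"])
    encrypted = url.scheme == "https"
    haystacks = {
        "url": unquote(url.query),  # decode %40 etc. so an email in a query string is visible
        "headers": "\n".join(f"{k}: {v}" for k, v in req["headers"].items()),
        "body": req.get("body", ""),
    }
    findings = []
    for where, text in haystacks.items():
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append({"kind": kind, "where": where, "value": m.group(0),
                                 "host": url.hostname, "encrypted": encrypted})
    return findings


def summarize(requests):
    """Counts matching the study's three observations: plaintext PII, PII under TLS, version leaks."""
    findings = [f for r in requests for f in audit_request(r)]
    return {
        "sensitive_plaintext": sum(1 for f in findings if f["kind"] in SENSITIVE and not f["encrypted"]),
        "sensitive_encrypted": sum(1 for f in findings if f["kind"] in SENSITIVE and f["encrypted"]),
        "version_leaks": sum(1 for f in findings if f["kind"] == "os_version"),
        "plaintext_hosts": sorted({f["host"] for f in findings if not f["encrypted"]}),
    }


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        for f in audit_request(r):
            print(f"{'TLS ' if f['encrypted'] else 'HTTP'} {f['host']:28} {f['kind']:10} in {f['where']}: {f['value']}")
    print(summarize(SAMPLE_REQUESTS))
```

    Note that a request over HTTPS still counts as a PII transmission; the transport only decides whether an on-path observer sees it. Observation (2) in the abstract, a server that offers SSL while the app keeps using plaintext, shows up here as the same hostname appearing in `plaintext_hosts` for some requests and with `encrypted` set for others.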

    Android Encrypted Network Traffic to Identify User Actions

    Network forensics is a sub-branch of digital forensics concerned with monitoring and analysing computer network traffic for the purposes of information gathering or legal evidence. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation. Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. The second relates to law enforcement; in this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions. Nowadays mobile apps are used not only to communicate with friends but also to handle information about sensitive topics such as diseases, sexual or religious preferences, etc. Numerous worries have been raised about the capability of these portable devices to invade the privacy of users, effectively becoming "tracking devices". This problem motivates our work, which uses machine learning techniques to find a solution. Encryption protects the content of a packet, so our framework instead analyzes the network communications and leverages information available in TCP/IP packets, such as IP addresses and ports, together with other information such as the size, the direction and the timing of packets. For each app, our system first pre-processes a dataset of network packets labelled with the user actions that originated them, clusters them into flow typologies that represent recurrent network flows, and finally analyzes them in order to create a training set that will be used to feed a classifier. The trained classifier is then able to classify newly traced traffic. Our results show accuracy and precision above 95% for most of the considered actions.
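    A stripped-down version of the pipeline the abstract describes, added here as an illustration (it is not the paper's framework and uses a nearest-centroid classifier in place of whatever the authors trained): packets are reduced to (time, direction, size), cut into flows at idle gaps, summarised into the side-channel features that survive encryption, and labelled by the closest centroid of the training actions. All packet traces, action names and sizes are constructed for the example rather than captured from a real app.

```python
"""Classify user actions from encrypted app traffic using only size, direction and timing.
Every packet trace below is constructed; real input would be a pcap reduced to the same tuples."""
import math
from collections import defaultdict

# (time in seconds, direction, payload size in bytes); "out" = phone -> server.
TRAINING = [
    ("send_message", [(0.00, "out", 420), (0.05, "in", 130), (0.06, "in", 90)]),
    ("send_message", [(0.00, "out", 460), (0.04, "in", 120), (0.06, "in", 88)]),
    ("send_message", [(0.00, "out", 390), (0.06, "in", 140), (0.07, "in", 95), (0.09, "in", 60)]),
    ("send_photo", [(0.00, "out", 1400), (0.01, "out", 1400), (0.02, "out", 1400), (0.03, "out", 900), (0.20, "in", 140)]),
    ("send_photo", [(0.00, "out", 1400), (0.01, "out", 1400), (0.02, "out", 1400), (0.03, "out", 1400), (0.04, "out", 500), (0.25, "in", 150)]),
    ("send_photo", [(0.00, "out", 1400), (0.01, "out", 1400), (0.02, "out", 1100), (0.18, "in", 130)]),
    ("refresh_feed", [(0.00, "out", 300), (0.10, "in", 1400), (0.11, "in", 1400), (0.12, "in", 1400), (0.13, "in", 600)]),
    ("refresh_feed", [(0.00, "out", 280), (0.12, "in", 1400), (0.13, "in", 1400), (0.14, "in", 900)]),
    ("refresh_feed", [(0.00, "out", 320), (0.09, "in", 1400), (0.10, "in", 1400), (0.11, "in", 1400), (0.12, "in", 1400), (0.13, "in", 300)]),
]

# Constructed capture of three consecutive actions separated by several seconds of silence.
SAMPLE_CAPTURE = (
    [(0.00, "out", 440), (0.05, "in", 125), (0.07, "in", 95)]
    + [(5.00, "out", 1400), (5.01, "out", 1400), (5.02, "out", 1400), (5.03, "out", 700), (5.22, "in", 145)]
    + [(10.00, "out", 290), (10.11, "in", 1400), (10.12, "in", 1400), (10.13, "in", 1400), (10.14, "in", 800)]
)


def split_into_flows(packets, idle_gap=1.0):
    """Group a time-ordered packet list into flows; silence longer than idle_gap starts a new one."""
    flows, current = [], []
    for pkt in packets:
        if current and pkt[0] - current[-1][0] > idle_gap:
            flows.append(current)
            current = []
        current.append(pkt)
    if current:
        flows.append(current)
    return flows


def flow_features(flow):
    """Features visible despite encryption: packet count, bytes per direction, ratio, mean size, duration."""
    out = sum(s for _, d, s in flow if d == "out")
    inc = sum(s for _, d, s in flow if d == "in")
    total = out + inc
    return [len(flow), out, inc, out / total if total else 0.0,
            total / len(flow), flow[-1][0] - flow[0][0]]


class NearestCentroid:
    """Minimal classifier: z-score each feature, then pick the label whose centroid is closest."""

    def fit(self, labelled_flows):
        X = [flow_features(f) for _, f in labelled_flows]
        n, k = len(X), len(X[0])
        self.mu = [sum(x[j] for x in X) / n for j in range(k)]
        # a constant feature gets scale 1.0 so it neither divides by zero nor dominates
        self.sd = [math.sqrt(sum((x[j] - self.mu[j]) ** 2 for x in X) / n) or 1.0 for j in range(k)]
        groups = defaultdict(list)
        for (label, _), x in zip(labelled_flows, X):
            groups[label].append(self._scale(x))
        self.centroids = {label: [sum(v[j] for v in vs) / len(vs) for j in range(k)]
                          for label, vs in groups.items()}
        return self

    def _scale(self, x):
        return [(x[j] - self.mu[j]) / self.sd[j] for j in range(len(x))]

    def predict(self, flow):
        z = self._scale(flow_features(flow))
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))


def classify_capture(clf, packets, idle_gap=1.0):
    """Label every flow in a capture with the user action it most resembles."""
    return [clf.predict(flow) for flow in split_into_flows(packets, idle_gap)]


if __name__ == "__main__":
    model = NearestCentroid().fit(TRAINING)
    for flow, label in zip(split_into_flows(SAMPLE_CAPTURE), classify_capture(model, SAMPLE_CAPTURE)):
        print(f"t={flow[0][0]:5.2f}s  {len(flow)} packets  ->  {label}")
```

    The point of the example is which information is used: IP addresses, ports, sizes, direction and timing only, none of which TLS hides. The idle-gap split stands in for the paper's flow-typology clustering; on real traffic, background traffic (keep-alives, analytics beacons) interleaves with user actions and has to be separated first, which is where the precision figures in the abstract are actually earned.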

    Android application forensics: A survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations

    Android obfuscation techniques include not only classic code obfuscation techniques that were adapted to Android, but also obfuscation methods that target the Android platform specifically. This work examines the status quo of Android obfuscation, obfuscation detection and deobfuscation. Specifically, it first summarizes obfuscation approaches that are commonly used by app developers for code optimization and to protect their software against code theft and code tampering, but that are also frequently misused by malware developers to circumvent anti-malware products. Secondly, the article focuses on obfuscation detection techniques and presents various available tools and current research. Thirdly, deobfuscation (which aims at reinstating the original state before obfuscation) is discussed, followed by a brief discussion of how this impacts forensic investigation. We conclude that although obfuscation is widely used in Android app development (benign and malicious), the available tools and the practices on how to deal with obfuscation are not standardized, and so are inherently lacking from a forensic standpoint.
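    Two of the detection heuristics such a survey covers, as an added example that is not code from the article or from any of the tools it reviews: identifier renaming (the ProGuard/R8 style of collapsing class names to `a.b.c`) is estimated from the share of very short class names, and string encryption is estimated from the share of long string constants whose Shannon entropy is near that of random text. The class lists, string pools and the 0.5 decision thresholds are constructed assumptions for the example; a real detector would read them from the DEX files.

```python
"""Heuristic obfuscation detection over an app's class names and string constants.
Class lists, strings and thresholds are constructed for illustration."""
import math
from collections import Counter

# Constructed "plain" app: descriptive class names, readable strings.
PLAIN_CLASSES = ["com.example.app.MainActivity", "com.example.app.net.ApiClient",
                 "com.example.app.db.MessageDao", "com.example.app.util.Crypto"]
PLAIN_STRINGS = ["Welcome back", "https://api.example.com/v1/login",
                 "message_table", "Unable to connect, retrying"]

# Constructed "obfuscated" app: renamed classes (the Activity keeps its name because the
# manifest references it) and string constants that are decrypted at run time.
OBFUSCATED_CLASSES = ["a.a.a", "a.a.b", "a.b.c", "a.c.d", "com.example.app.MainActivity"]
OBFUSCATED_STRINGS = ["Zx9kQ2pL7mWq4vT1nB8rYc3s", "F7uD3kP0xQ9wZ2mJ5nR8tL4v",
                      "Hs2Kq8Lm4Wx1Tz7Vb3Nc9Pj5", "onCreate", "a"]


def shannon_entropy(s):
    """Bits per character; random base64-like text of 24 distinct characters scores log2(24) = 4.58."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def renamed_fraction(class_names):
    """Share of classes whose simple name is at most two characters, the usual renaming output."""
    if not class_names:
        return 0.0
    short = [c for c in class_names if len(c.rsplit(".", 1)[-1]) <= 2]
    return len(short) / len(class_names)


def high_entropy_fraction(strings, min_len=12, threshold=4.3):
    """Share of long string constants that look like ciphertext or encoded blobs.
    Short strings are skipped because their entropy is bounded by their length."""
    long_strings = [s for s in strings if len(s) >= min_len]
    if not long_strings:
        return 0.0
    return sum(1 for s in long_strings if shannon_entropy(s) >= threshold) / len(long_strings)


def assess(class_names, strings, rename_cutoff=0.5, entropy_cutoff=0.5):
    """Return which obfuscation signals fire; the cutoffs are assumptions, not calibrated values."""
    return {
        "identifier_renaming": renamed_fraction(class_names) >= rename_cutoff,
        "string_encryption": high_entropy_fraction(strings) >= entropy_cutoff,
    }


if __name__ == "__main__":
    print("plain:     ", assess(PLAIN_CLASSES, PLAIN_STRINGS))
    print("obfuscated:", assess(OBFUSCATED_CLASSES, OBFUSCATED_STRINGS))
```

    Both signals are exactly the kind the abstract calls non-standardized: identifier renaming is the default for release builds of benign apps, so it says nothing about intent, and a URL or a hash constant will push the entropy score up without any string encryption being present. For an investigation the output is a prompt to budget for deobfuscation, not a finding in itself.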