Rapid Android Parser for Investigating DEX Files (RAPID)

Android malware is a well-known challenging problem and many researchers/vendors/practitioners have tried to address this issue through application analysis techniques. In order to analyze Android applications, tools decompress APK files and extract relevant data from the Dalvik EXecutable (DEX) files. To acquire the data, investigators either use decompiled intermediate code generated by existing tools, e.g., Baksmali or Dex2jar or write their own parsers/dissemblers. Thus, they either need additional time because of decompiling the application into an intermediate representation and then parsing text files, or they reinvent the wheel by implementing their own parsers. In this article, we present Rapid Android Parser for Investigating DEX files (RAPID) which is an open source and easy-to-use JAVA library for parsing DEX files. RAPID comes with well-documented APIs which allow users to query data directly from the DEX binary files. Our experiments reveal that RAPID outperforms existing approaches in terms of runtime efficiency, provides better reliability (does not crash) and can support dynamic analysis by finding critical offsets. Notably, the processing time for our sample set of 22.35 GB was only 1.5 h with RAPID while the traditional approaches needed about 23 h (parsing and querying)

AndroParse - An Android Feature Extraction Framework & Dataset

Android malware has become a major challenge. As a consequence, practitioners and researchers spend a significant time analyzing Android applications (APK). A common procedure (especially for data scientists) is to extract features such as permissions, APIs or strings which can then be analyzed. Current state of the art tools have three major issues: (1) a single tool cannot extract all the significant features used by scientists and practitioners (2) Current tools are not designed to be extensible and (3) Existing parsers do not have runtime efficiency. Therefore, this work presents AndroParse which is an open-source Android parser written in Golang that currently extracts the four most common features: Permissions, APIs, Strings and Intents. AndroParse outputs JSON files as they can easily be used by most major programming languages. Constructing the parser allowed us to create an extensive feature dataset which can be accessed by our independent REST API. Our dataset currently has 67,703 benign and 46,683 malicious APK samples

Breaking Into the Vault: Privacy, Security and Forensic Analysis of Android Vault Applications

In this work we share the first account for the forensic analysis, security and privacy of Android vault applications. Vaults are designed to be privacy enhancing as they allow users to hide personal data but may also be misused to hide incriminating files. Our work has already helped law enforcement in the state of Connecticut to reconstruct 66 incriminating images and 18 videos in a single criminal case. We present case studies and results from analyzing 18 Android vault applications (accounting for nearly 220 million downloads from the Google Play store) by reverse engineering them and examining the forensic artifacts they produce. Our results showed that 12/18 obfuscated their code and 5/18 applications used native libraries hindering the reverse engineering process of these applications. However, we still recovered data from the applications without root access to the Android device as we were able to ascertain hidden data on the device without rooting for 10/18 of the applications. 6/18 of the vault applications were found to not encrypt photos they stored, and 8/18 were found to not encrypt videos. 7/18 of the applications were found to store passwords in cleartext. We were able to also implement a swap attack on 5/18 applications where we achieved unauthorized access to the data by swapping the files that contained the password with a self-created one. In some cases, our findings illustrate unfavorable security implementations of privacy enhancing applications, but also showcase practical mechanisms for investigators to gain access to data of evidentiary value. In essence, we broke into the vaults

Map My Murder: A Digital Forensic Study of Mobile Health and Fitness Applications

The ongoing popularity of health and fitness applications catalyzes the need for exploring forensic artifacts produced by them. Sensitive Personal Identifiable Information (PII) is requested by the applications during account creation. Augmenting that with ongoing user activities, such as the user’s walking paths, could potentially create exculpatory or inculpatory digital evidence. We conducted extensive manual analysis and explored forensic artifacts produced by (n = 13) popular Android mobile health and fitness applications. We also developed and implemented a tool that aided in the timely acquisition and identification of artifacts from the examined applications. Additionally, our work explored the type of data that may be collected from health and fitness web platforms, and Web Scraping mechanisms for data aggregation. The results clearly show that numerous artifacts may be recoverable, and that the tested web platforms pose serious privacy threats

A Domain Specific Language for Digital Forensics and Incident Response Analysis

One of the longstanding conceptual problems in digital forensics is the dichotomy between the need for verifiable and reproducible forensic investigations, and the lack of practical mechanisms to accomplish them. With nearly four decades of professional digital forensic practice, investigator notes are still the primary source of reproducibility information, and much of it is tied to the functions of specific, often proprietary, tools. The lack of a formal means of specification for digital forensic operations results in three major problems. Specifically, there is a critical lack of: a) standardized and automated means to scientifically verify accuracy of digital forensic tools; b) methods to reliably reproduce forensic computations (their results); and c) framework for inter-operability among forensic tools. Additionally, there is no standardized means for communicating software requirements between users, researchers and developers, resulting in a mismatch in expectations. Combined with the exponential growth in data volume and complexity of applications and systems to be investigated, all of these concerns result in major case backlogs and inherently reduce the reliability of the digital forensic analyses. This work proposes a new approach to the specification of forensic computations, such that the above concerns can be addressed on a scientific basis with a new domain specific language (DSL) called nugget. DSLs are specialized languages that aim to address the concerns of particular domains by providing practical abstractions. Successful DSLs, such as SQL, can transform an application domain by providing a standardized way for users to communicate what they need without specifying how the computation should be performed. This is the first effort to build a DSL for (digital) forensic computations with the following research goals: 1) provide an intuitive formal specification language that covers core types of forensic computations and common data types; 2) provide a mechanism to extend the language that can incorporate arbitrary computations; 3) provide a prototype execution environment that allows the fully automatic execution of the computation; 4) provide a complete, formal, and auditable log of computations that can be used to reproduce an investigation; 5) demonstrate cloud-ready processing that can match the growth in data volumes and complexity

FORENSIC ANALYSIS OF THE GARMIN CONNECT ANDROID APPLICATION

Wearable smart devices are becoming more prevalent in our lives. These tiny devices read various health signals such as heart rate and pulse and also serve as companion devices that store sports activities and even their coordinates. This data is typically sent to the smartphone via a companion application installed. These applications hold a high forensic value because of the users’ private information they store. They can be crucial in a criminal investigation to understand what happened or where that person was during a given period. They also need to guarantee that the data is secure and that the application is not vulnerable to any attack that can lead to data leaks. The present work aims to do a complete forensic analysis of the companion application Garmin Connect for Android devices. We used a Garmin Smartband to generate data and test the application with a rooted Android device. This analysis is split into two parts. The first part will be a traditional Post Mortem analysis where we will present the application, data generation process, acquisition process, tools, and methodologies. Lastly, we analyzed the data extracted and studied what can be considered a forensic artifact. In the second part of this analysis, we performed a dynamic analysis. We used various offensive security techniques and methods to find vulnerabilities in the application code and network protocol to obtain data in transit. Besides completing the Garmin Connect application analysis, we contributed various modules and new features for the tool Android Logs Events And Protobuf Parser (ALEAPP) to help forensic practitioners analyze the application and to improve the open-source digital forensics landscape. We also used this analysis as a blueprint to explore six other fitness applications that can receive data from Garmin Connect. With this work, we could conclude that Garmin Connect stores a large quantity of private data in its device, making it of great importance in case of a forensic investigation. We also studied its robustness and could conclude that the application is not vulnerable to the tested scenarios. Nevertheless, we found a weakness in their communication methods that lets us obtain any data from the user even if it was not stored in the device. This fact increased its forensic importance even more

A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

Android platform security is an active area of research where malware detection techniques continuously evolve to identify novel malware and improve the timely and accurate detection of existing malware. Adversaries are constantly in charge of employing innovative techniques to avoid or prolong malware detection effectively. Past studies have shown that malware detection systems are susceptible to evasion attacks where adversaries can successfully bypass the existing security defenses and deliver the malware to the target system without being detected. The evolution of escape-resistant systems is an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses techniques used for stealth malware detection based on the malware’s unique characteristics. Furthermore, the article also presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open-ended questions and potential future directions for continued research in mobile malware detection

Analysis of Android malware detection techniques: a systematic review

The emergence and rapid development in complexity and popularity of Android mobile phones has created proportionate destructive effects from the world of cyber-attack. Android based device platform is experiencing great threats from different attack angles such as DoS, Botnets, phishing, social engineering, malware and others. Among these threats, malware attacks on android phones has become a daily occurrence. This is due to the fact that Android has millions of user, high computational abilities, popularity, and other essential attributes. These factors influence cybercriminals (especially malware writers) to focus on Android for financial gain, political interest, and revenge. This calls for effective techniques that could detect these malicious applications on android devices. The aim of this paper is to provide a systematic review of the malware detection techniques used for android devices. The results show that most detection techniques are not very effective to detect zero-day malware and other variants that deploy obfuscation to evade detection. The critical appraisal of the study identified some of the limitations in the detection techniques that need improvement for better detection