AN INTEGRATED FRAMEWORK FOR ANDROID BASED MOBILE DEVICE MALWARE FORENSICS
Abstract
Malware targeting Linux-based operating systems has surged in recent years. One of the main
factors driving this phenomenon is the proliferation of smart devices. This has increased the
demand for malware tools, which are readily available in online markets. Due to the
prevalent use of smartphones, mobile devices have attracted some of the most sophisticated
mobile device malware in existence. Traditional forensics investigation tools and techniques
have fallen short of successfully investigating mobile malware incidents. Consequently, the
need for the design and development of specific mobile device malware tools and techniques
has been raised in the literature. However, the type of operating system used in a mobile
device matters. For instance, the forensic investigation of iOS-, Microsoft-, and Android-based
mobile devices each needs to be considered separately. In addition, the differences between
macOS and iOS, Linux and Android, and Microsoft Windows and Windows Mobile need to
be studied as well.
This study, first, presents a comprehensive study of the differences between malware programs
that target Linux-server operating systems and those that target Android mobile devices. By
using the three most representative Linux-based malware samples collected by the forensics
community to date, we demonstrated that Linux-server-based malware does not compromise
an Android mobile device. Our process involved two steps: first, we executed the three
malware samples on a Linux server running a WordPress-based web site; and, second, the
three malware samples were executed on an Android device. We then investigated the
devices one at a time. Two of the malware samples were detected by the security tools used
with the Linux server. One malware sample was detected by the security tools used with the
Android mobile device. The two malware samples detected on the Linux server were malware
programs targeting Linux-server operating systems, while the third malware sample was an
Android-based malware program.
Second, this study proposes a set of requirements that should be met by forensic models that
are meant to be used when investigating security incidents involving mobile device malware.
We have defined a sufficient number of requirements that take into consideration the
characteristics of both mobile devices and mobile malware. The requirements are designed
as solutions for the limitations associated with existing conventional digital and malware
forensic models.
Third, this study proposes an Android malware forensics framework that aims to help forensic
practitioners when conducting an investigation on Android-based mobile devices. The
framework consists of three phases, each focused on one part of the work of conducting Android
malware forensics. Phase 1 concerns data acquisition, where infected files are isolated from
the remaining files on the mobile device. This isolation can be performed manually by an analyst or
initiated by an automatic process, such as an intrusion detection system. Phase 2 concerns the
process of conducting detection and analysis on the files collected in Phase 1, which were
infected by the malware. Finally, Phase 3 of the framework is about malware proliferation and
storing this data in a database.
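The following added example is not code from the thesis; it is a minimal Python sketch of how the three phases described above can be wired together: Phase 1 isolates the files named in an intrusion-detection alert, Phase 2 hashes and classifies each isolated file (distinguishing a native Linux ELF binary from Android DEX/APK content by magic bytes, which mirrors the study's Linux-versus-Android distinction) and matches it against a signature list, and Phase 3 stores the findings in a SQLite database. The device file contents, the alert paths and the signature list are all constructed for the example.

```python
"""Three-phase sketch: acquisition -> detection/analysis -> storage (added example)."""
import hashlib
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample "device file system": path -> bytes.
# The magic numbers are real: ELF binaries start with 0x7f 'E' 'L' 'F', Android DEX
# files with "dex\n0xx\0", and APKs are ZIP archives starting with "PK".
CONSTRUCTED_FILES = {
    "/data/app/com.example.chat/base.apk": b"PK\x03\x04" + b"\x00" * 32,
    "/data/local/tmp/dropper": b"\x7fELF\x02\x01\x01" + b"\x00" * 40,
    "/data/app/com.example.game/classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "/sdcard/notes.txt": b"shopping list\n",
}

# Constructed IDS alert: the paths a detector flagged. In the framework this is the
# Phase 1 trigger, whether raised by an analyst or by an automated system.
CONSTRUCTED_ALERT_PATHS = [
    "/data/local/tmp/dropper",
    "/data/app/com.example.game/classes.dex",
]

# Constructed signature list: SHA-256 of known-bad content -> label. The hash is
# derived from the constructed ELF sample so the example stays self-contained.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(CONSTRUCTED_FILES["/data/local/tmp/dropper"]).hexdigest():
        "constructed-linux-elf-sample",
}


@dataclass
class Finding:
    path: str
    sha256: str
    file_type: str
    platform: str
    signature: Optional[str]


def acquire(files, alert_paths):
    """Phase 1: isolate the flagged files from the rest of the device image."""
    return {p: files[p] for p in alert_paths if p in files}


def classify(data):
    """Return (file_type, platform) from the leading magic bytes."""
    if data.startswith(b"\x7fELF"):
        return "elf", "linux-native"
    if data.startswith(b"dex\n"):
        return "dex", "android"
    if data.startswith(b"PK"):
        return "apk-or-zip", "android"
    return "unknown", "unknown"


def analyze(path, data, signatures):
    """Phase 2: hash the isolated file, classify it, and look up known signatures."""
    digest = hashlib.sha256(data).hexdigest()
    ftype, platform = classify(data)
    return Finding(path, digest, ftype, platform, signatures.get(digest))


def open_store():
    """Phase 3: create the findings table (in-memory here; a file path would persist it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE findings (path TEXT PRIMARY KEY, sha256 TEXT, "
        "file_type TEXT, platform TEXT, signature TEXT)"
    )
    return conn


def store(conn, finding):
    """Phase 3: record one finding; re-analysing the same path replaces the old row."""
    conn.execute(
        "INSERT OR REPLACE INTO findings VALUES (?, ?, ?, ?, ?)",
        (finding.path, finding.sha256, finding.file_type,
         finding.platform, finding.signature),
    )
    conn.commit()


def run_pipeline(files, alert_paths, signatures):
    """Run all three phases and return the stored rows ordered by path."""
    conn = open_store()
    for path, data in acquire(files, alert_paths).items():
        store(conn, analyze(path, data, signatures))
    rows = conn.execute(
        "SELECT path, sha256, file_type, platform, signature FROM findings ORDER BY path"
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for row in run_pipeline(CONSTRUCTED_FILES, CONSTRUCTED_ALERT_PATHS, KNOWN_BAD_SHA256):
        print(row)
```

The file that is not named in the alert never reaches Phase 2 or 3, which is the isolation step the framework's Phase 1 describes; the classification column records whether an isolated artefact is native Linux code or Android bytecode, so that a Linux-server sample found on a device can be told apart from Android-targeting malware during analysis.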