Platform
1st Khireddine Garri, Institut National de Criminalistique et de Criminologie, Université des Sciences et de la Technologie Houari Boumediene, Algiers, Algeria, dine.garri@gmail.com
2nd Tayeb Kenaza, Ecole Militaire Polytechnique, Algiers, Algeria, ken.tayeb@gmail.com
3rd Mohamed Aissani, Ecole Militaire Polytechnique, Algiers, Algeria, mohamed.aissani@gmail.com
Abstract—Detection of malware in Android is already a challenging task; bootkits make it worse, adding complexity because they shift the infection to the early stage of the system's booting, which makes them stealthier and by far more persistent. In this paper, we discuss the challenge of malware analysis and detection on Android mobile phone platforms, especially at the boot and kernel levels. To deal with this problem, we present a new approach for bootkit detection based on malicious behaviour characterisation. Firstly, we identify and extract files from both the boot and the system partition of 3897 different firmware images, then we establish a correlation mechanism for each sample. Secondly, we define the main characteristics vector of normal booting-stage behaviour, then a second characterisation vector for malicious boot behaviour. The experiment is performed on 7794 boot files from 87 different vendors, and we show that our approach can successfully detect malicious data manipulation. Also, we highlight and give details about several key challenges that need to be addressed in future research.

Index Terms—Malware, SoCs, forensic, embedded system, IoT, android, bootkit, bootloader.

I. INTRODUCTION

The Android platform was the one most targeted by malware in 2017 compared to the other mobile platforms (Windows, iOS) [1]. The main reason, aside from its popularity [2], is the long system patch update cycle caused by the highly fragmented Android ecosystem [3]. In general, developing and deploying a patch for a vulnerability can take months, because it needs the co-operation of multiple actors, such as OS vendors, device vendors, carriers, and even SoC chipset makers such as Qualcomm and MediaTek. Such delays in security patch and update deployment often leave a large number of devices vulnerable to attacks.

Therefore, thousands of anti-virus applications based on innovative detection techniques [4] [5] [6] [7] [8] have been built. However, several studies, such as [9] and more recently [10], show the emergence of more serious threats. Also, the study in [11] has shown the limits of static analysis and the need for a dynamic approach, but some constraints such as mobility and limited resources (energy and computation) limit the possibility of monitoring applications at run-time level. Before being replaced by the ART runtime [12], the Dalvik VM was introduced to offer portability for code written in Java, so by design, any dynamic analysis method built on Dalvik virtual machines cannot disclose the behaviour of native code that runs the VM. Virtual Machine Introspection Based on Malware Behaviour [13] should overcome this limitation but, unfortunately, malware is executed in simulated environments. Today most serious malware, such as Zeus, SpyEye and their variant families Kazy and Dromedan, easily detects the use of VM and emulator environments and uses advanced techniques to disrupt their use [14]. These malware families are able to implement different complex anti-forensic techniques to hide illegal behaviours.

In summary, the high risk of these new threats is mainly the result of early-stage malicious code injection, at the boot/kernel level. The bootloader is the lowest level of the mobile phone design; it is inherently a root of trust, therefore any vulnerability or malicious code in these components will lead to a disastrous scenario.

This work aims to build a platform for malware code detection at the boot sequence. To do so, we start by evaluating the use of the two main approaches and their variations, the static and the dynamic approach, as they were successfully used on the PC platform. As we will see later in this paper, the dynamic approach was promising but it suffers from multiple drawbacks, especially due to hardware diversity, as it needs a multi-SoC emulator, which does not exist. The static approach showed its limitations, especially for analysing early-stage code. To overcome these limitations, we adopted a new approach based on several steps, to highlight this challenge and give the key steps of the solution. We prepared and used a specific dataset in our experimentation: we use it to define normal boot behaviour, and we manually analysed all documented bootkits as well as Android custom images to define malicious boot behaviour; the approach has shown promising results. The platform was successfully tested on (30) different firmware images and can efficiently detect security breaches such as a rooted device or a pre-charged application with superuser privileges.

This paper is organised as follows. Section II introduces the kernel malware injection mechanism and gives a set of concept definitions necessary for the other sections. Also, examples of major attack cases are exposed. In Section III, we present the challenge of malware analysis regarding SoCs in general and Android specifically. In this section, we also present the adopted strategy. In Section IV, we present our data set. Section V introduces our proposed solution as well
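The following is an added illustration of the characterisation idea the abstract and introduction describe (files extracted from the boot and system partitions, a vector of normal boot behaviour, and a comparison that flags a rooted device or a pre-installed superuser application); it is example code written for this page, not the authors' platform. The paper does not list the indicators in its vectors, so the ones used here (`ro.secure`, `ro.adb.secure` and `ro.debuggable` from the ramdisk `default.prop`, an `su` binary, a Superuser APK, and root-running `init.rc` services absent from the baseline) are this example's own assumptions, and the baseline is built from one constructed stock sample rather than the paper's 3897 firmware images.

```python
"""Boot-behaviour characterisation vector and baseline comparison.

Added example, not the paper's code. The indicators below are assumptions
about what such a vector could contain; all inputs are constructed inline.
"""
import re

# Constructed ramdisk default.prop of a stock build (assumed normal baseline).
NORMAL_DEFAULT_PROP = """\
# ADDITIONAL_DEFAULT_PROPERTIES
ro.secure=1
ro.adb.secure=1
ro.debuggable=0
persist.sys.usb.config=none
"""

# Constructed default.prop of a custom image whose security properties were relaxed.
ROOTED_DEFAULT_PROP = """\
ro.secure=0
ro.adb.secure=0
ro.debuggable=1
persist.sys.usb.config=adb
"""

# Constructed file listings of the extracted boot ramdisk and system partition.
NORMAL_FILES = ["/init", "/init.rc", "/default.prop", "/system/bin/sh",
                "/system/app/Settings/Settings.apk"]
ROOTED_FILES = NORMAL_FILES + ["/system/xbin/su", "/system/app/Superuser/Superuser.apk"]

# Constructed init.rc fragments; the custom image adds an extra daemon running as root.
NORMAL_INIT_RC = """\
service ueventd /sbin/ueventd
    class core
    user root

service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    user root
    disabled
"""
ROOTED_INIT_RC = NORMAL_INIT_RC + """\
service daemonsu /system/xbin/daemonsu --auto-daemon
    class main
    user root
    oneshot
"""

SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_props(text):
    """Parse key=value lines of a default.prop / build.prop file; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def root_services(init_rc):
    """Return {service_name: binary} for every init.rc service declared with 'user root'."""
    result = {}
    for block in re.split(r"\n(?=service\s)", init_rc):
        m = SERVICE_RE.match(block)
        if m and re.search(r"^\s+user\s+root\s*$", block, re.MULTILINE):
            result[m.group(1)] = m.group(2)
    return result


def characterise(props, files, init_rc):
    """Build the characterisation vector of one firmware sample (assumed indicators)."""
    names = {f.rsplit("/", 1)[-1].lower() for f in files}
    return {
        "ro.secure_disabled": props.get("ro.secure") == "0",
        "ro.adb.secure_disabled": props.get("ro.adb.secure") == "0",
        "ro.debuggable_enabled": props.get("ro.debuggable") == "1",
        "su_binary_present": "su" in names,
        "superuser_app_present": any(n.startswith("superuser") and n.endswith(".apk") for n in names),
        "root_services": frozenset(root_services(init_rc)),
    }


def deviations(sample, baseline):
    """List the indicators in which a sample departs from the normal-boot baseline."""
    found = []
    for key, value in sample.items():
        base = baseline[key]
        if isinstance(value, frozenset):
            # Root services the baseline never declares are reported individually.
            found.extend(f"{key}:{extra}" for extra in sorted(value - base))
        elif value and not base:
            found.append(key)
    return found


def analyse(default_prop, files, init_rc, baseline):
    """Characterise a sample and return (verdict, deviations from the baseline)."""
    vec = characterise(parse_props(default_prop), files, init_rc)
    devs = deviations(vec, baseline)
    return ("suspicious" if devs else "normal"), devs


# Baseline vector; the paper derives this from thousands of firmware images,
# here it comes from the single constructed stock sample above.
NORMAL_BASELINE = characterise(parse_props(NORMAL_DEFAULT_PROP), NORMAL_FILES, NORMAL_INIT_RC)

if __name__ == "__main__":
    for label, prop, files, rc in [("stock", NORMAL_DEFAULT_PROP, NORMAL_FILES, NORMAL_INIT_RC),
                                   ("custom", ROOTED_DEFAULT_PROP, ROOTED_FILES, ROOTED_INIT_RC)]:
        verdict, devs = analyse(prop, files, rc, NORMAL_BASELINE)
        print(f"{label}: {verdict} {devs}")
```

The stock sample reproduces the baseline and yields no deviations; the custom image is reported as suspicious with the relaxed properties, the `su` binary, the Superuser APK and the extra root service `daemonsu` listed as the departures. A real deployment would build the baseline per vendor or SoC family, since legitimate `init.rc` services differ between firmware, which is exactly the hardware-diversity problem the introduction raises.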