Michael Spreitzenbarth
University of Erlangen-Nuremberg
Publication
Featured research published by Michael Spreitzenbarth.
ACM Symposium on Applied Computing | 2013
Johannes Hoffmann; Martin Ussath; Thorsten Holz; Michael Spreitzenbarth
The popularity of mobile devices like smartphones and tablets has increased significantly in the last few years with many millions of sold devices. This growth also has its drawbacks: attackers have realized that smartphones are an attractive target and in the last months many different kinds of malicious software (short: malware) for such devices have emerged. This worrisome development has the potential to hamper the prospering ecosystem of mobile devices and the potential for damage is huge. Considering these aspects, it is evident that malicious apps need to be detected early on in order to prevent further distribution and infections. This implies that it is necessary to develop techniques capable of detecting malicious apps in an automated way. In this paper, we present SAAF, a Static Android Analysis Framework for Android apps. SAAF analyzes smali code, a disassembled version of the DEX format used by Android's Java VM implementation. Our goal is to create program slices in order to perform data-flow analyses to backtrack parameters used by a given method. This helps us to identify suspicious code regions in an automated way. Several other analysis techniques such as visualization of control flow graphs or identification of ad-related code are also implemented in SAAF. In this paper, we report on program slicing for Android and present results obtained by using this technique to analyze more than 136,000 benign and about 6,100 malicious apps.
Applied Cryptography and Network Security | 2013
Tilo Müller; Michael Spreitzenbarth
At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently encrypts user partitions. On the downside, encrypted smartphones are a nightmare for IT forensics and law enforcement, because brute force appears to be the only option to recover encrypted data by technical means. However, RAM contents are necessarily left unencrypted and, as we show, they can be acquired from live systems with physical access only. To this end, we present the data recovery tool Frost (Forensic Recovery of Scrambled Telephones). Using Galaxy Nexus devices from Samsung as an example, we show that it is possible to perform cold boot attacks against Android smartphones and to retrieve valuable information from RAM. This information includes personal messages, photos, passwords and the encryption key. Since smartphones get switched off only seldom, and since the tools that we provide must not be installed before the attack, our method can be applied in real cases.
2014 Eighth International Conference on IT Security Incident Management & IT Forensics | 2014
Christian Hilgers; Holger Macht; Tilo Müller; Michael Spreitzenbarth
As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android's memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.
International Conference on Digital Forensics | 2012
Michael Spreitzenbarth; Sven Schmitt; Felix C. Freiling
It is well-known that, for various reasons, smartphone operating systems persistently store location data in local storage. Less well-known is the fact that various network applications (apps) do this too. This paper considers the issue of whether location data extracted from mobile phones can replace or complement the location data obtained from network operators. Experiments with Android smartphones reveal that location data stored on the phones is often much more precise than the rather coarse-grained data stored by network operators. However, the availability of location data on smartphones varies considerably compared with the data stored by network operators.
2011 First SysSec Workshop | 2011
Zinaida Benenson; Andreas Dewald; Hans-Georg Eßer; Felix C. Freiling; Tilo Müller; Christian Moch; Stefan Vömel; Sebastian Schinzel; Michael Spreitzenbarth; Ben Stock; Johannes Stüttgen
This document gives an overview of current research within the security group at Friedrich-Alexander-University Erlangen-Nuremberg, Germany, and attempts to describe the future research roadmap of the group. This roadmap is structured around the landscape of cyber crime with its three main groups of actors (attackers, users and investigators) and their main activities and deficits: attack and evasion for attackers, awareness and education for victims, evidence extraction and analysis for investigators.
Network and Distributed System Security Symposium | 2014
Daniel Arp; Michael Spreitzenbarth; Malte Hübner; Hugo Gascon; Konrad Rieck
ACM Symposium on Applied Computing | 2013
Michael Spreitzenbarth; Felix C. Freiling; Florian Echtler; Thomas Schreck; Johannes Hoffmann
International Journal of Information Security | 2015
Michael Spreitzenbarth; Thomas Schreck; Florian Echtler; Daniel Arp; Johannes Hoffmann
Proceedings of the Conference on Digital Forensics, Security and Law | 2011
Felix C. Freiling; Michael Spreitzenbarth; Sven Schmitt
Sicherheit | 2012
Christian Zimmermann; Michael Spreitzenbarth; Sven Schmitt; Felix C. Freiling