Detecting Android kernel rootkits via JTAG memory introspection

Mordechai Guri, Yuri Poliak, Bracha Shapira, Yuval Elovici

Intrusion Detection and Prevention for Mobile Ecosystems, 165-186, 2017

Over the past few years, mobile devices have emerged as a preferred target for cyber criminals. This trend is fueled by the valuable personal and organizational information stored on those devices. Android is by far the most popular mobile operating system (OS); its numerous vulnerabilities, coupled with the ease of distributing malicious code through its popular app market, have made this OS a favorite target of attackers [1]. For example, the DroidDream attack [2] was distributed through legitimate applications on the Android market and infected about 50,000 mobile devices in the course of a few days. More recently, an Android “bootkit,” that is, a rootkit that modifies the device’s boot partition and boot script (codenamed “Oldboot”), infected over 500,000 mobile devices within a period of 6 months in China alone [3]. In 2015, researchers uncovered a rootkit that resides deep inside Android devices while receiving commands from its operator across the internet [4]. In 2016, a rootkit-level backdoor was found preinstalled on 3 million Android phones, many of them used by people in the United States [5].