M Guri, Y Poliak, B Shapira, Y Elovici
Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73
Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequently, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present ‘JoKER’ – a system which aims at detecting rootkits in the Android kernel by utilizing the hardware’s Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel’s memory and reconstruct them for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG’s main purpose is system testing, it can also be used for malware detection where traditional methods fail.
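As an added illustration of the "extract, reconstruct, analyze" step the abstract describes (this is example code written for this page, not the paper's JoKER implementation), the following reassembles memory regions read piecewise from a device into one sparse image and then checks whether every `sys_call_table` slot still points into the kernel's own `.text`. The kernel layout, table address and sample dump are all constructed for the example, and the 32-bit little-endian ARM word size is an assumption.

```python
import struct

# Constructed layout for a hypothetical 32-bit ARM Android kernel; every
# address below is invented for this example, not taken from the paper.
KERNEL_TEXT = (0xC0008000, 0xC0800000)   # assumed [start, end) of kernel .text
SYS_CALL_TABLE = 0xC000E000              # assumed address of sys_call_table
NR_SYSCALLS = 8                          # small table for the example

def reconstruct(chunks):
    """Merge regions extracted piecewise (as over JTAG) into one sparse
    address space {address: bytes}; overlapping regions are rejected so
    the analysis below reads a consistent image."""
    space, last_end = {}, 0
    for addr, data in sorted(chunks.items()):
        if addr < last_end:
            raise ValueError(f"overlapping region at {addr:#x}")
        space[addr] = data
        last_end = addr + len(data)
    return space

def read_u32(space, addr):
    """Read a little-endian 32-bit word at addr from the sparse image."""
    for base, data in space.items():
        if base <= addr and addr + 4 <= base + len(data):
            return struct.unpack_from("<I", data, addr - base)[0]
    raise KeyError(f"address {addr:#x} was not extracted")

def find_hooked_syscalls(space, table=SYS_CALL_TABLE, n=NR_SYSCALLS, text=KERNEL_TEXT):
    """Return [(index, handler)] for table slots whose handler lies outside
    the kernel's own .text, the classic sign of a hooked system call.
    Because the image was read externally, an in-kernel rootkit cannot
    filter what this check sees."""
    lo, hi = text
    hooked = []
    for i in range(n):
        handler = read_u32(space, table + 4 * i)
        if not lo <= handler < hi:
            hooked.append((i, handler))
    return hooked

def build_sample_image():
    """Constructed dump: slots 3 and 5 redirected into a module/heap area
    (0xBF......), as a syscall-hooking rootkit would leave them."""
    handlers = [0xC0010000 + 0x100 * i for i in range(NR_SYSCALLS)]
    handlers[3], handlers[5] = 0xBF001234, 0xBF005678
    table = b"".join(struct.pack("<I", h) for h in handlers)
    return reconstruct({SYS_CALL_TABLE: table, 0xC0010000: b"\x00" * 0x800})
```

On a real image the `.text` bounds and table address come from the kernel's symbol map for the exact build, and the same range check extends to other function-pointer tables a rootkit may patch.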