JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

Authors: M. Guri, Y. Poliak, B. Shapira, Y. Elovici

Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73


Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequently, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present ‘JoKER’ – a system which aims at detecting rootkits in the Android kernel by utilizing the hardware’s Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel’s memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG’s main purpose is system testing, it can also be used for malware detection where traditional methods fail.
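The abstract describes the analysis side of the framework only in outline: memory regions are pulled off the device over JTAG and then reconstructed and examined on a trusted host. The following is an added example, not code from the paper or its authors, of what that host-side step can look like for one classic rootkit artefact, a hooked syscall table. It assumes a 32-bit little-endian ARM layout, an assumed kernel `.text` range and module area, and a constructed memory image in which the syscall table sits at a known offset; the trusted reference values stand in for what would be derived from a known-good kernel build.

```python
import hashlib
import struct

# All data below is constructed for illustration: a tiny "kernel" with eight
# syscall handlers inside a .text region and a syscall table pointing at them.
# Addresses, sizes and offsets are assumptions, not values from the paper.
PTR_FMT = "<I"                                  # little-endian 32-bit pointers (ARM32 assumed)
PTR_SIZE = struct.calcsize(PTR_FMT)
TEXT_START, TEXT_END = 0xC0008000, 0xC0200000   # assumed trusted kernel .text range
MODULE_AREA = 0xBF000000                        # assumed loadable-module address space
NR_SYSCALLS = 8
TABLE_OFFSET = 0x40                             # assumed offset of sys_call_table in the dump


def trusted_syscall_table():
    """Expected handler addresses, standing in for values from a trusted kernel build."""
    return [TEXT_START + 0x1000 + 0x40 * nr for nr in range(NR_SYSCALLS)]


def build_dump(table):
    """Serialise a constructed memory image: zero padding, then the syscall table."""
    body = b"".join(struct.pack(PTR_FMT, addr) for addr in table)
    return b"\x00" * TABLE_OFFSET + body


def reconstruct_table(dump, offset=TABLE_OFFSET, count=NR_SYSCALLS):
    """Rebuild the syscall table from raw bytes extracted from the device."""
    end = offset + count * PTR_SIZE
    if end > len(dump):
        raise ValueError("syscall table runs past the end of the dump")
    return [struct.unpack_from(PTR_FMT, dump, offset + i * PTR_SIZE)[0]
            for i in range(count)]


def find_hooked_syscalls(extracted, trusted):
    """Compare each reconstructed entry against the trusted reference.

    An entry that differs is reported; if it also points outside the kernel's
    own .text, that is noted, since handlers redirected into a module or into
    injected code are the typical rootkit signature.
    """
    findings = []
    for nr, (seen, expected) in enumerate(zip(extracted, trusted)):
        if seen == expected:
            continue
        reason = "entry differs from trusted build"
        if not (TEXT_START <= seen < TEXT_END):
            reason += "; handler lies outside kernel .text"
        findings.append({"nr": nr, "expected": expected, "seen": seen, "reason": reason})
    return findings


def text_region_matches(extracted_text, trusted_text):
    """Integrity check for a code region: compare SHA-256 digests of the bytes."""
    return hashlib.sha256(extracted_text).digest() == hashlib.sha256(trusted_text).digest()


def analyse(dump):
    """Full pipeline on one extracted image: reconstruct, then diff against reference."""
    return find_hooked_syscalls(reconstruct_table(dump), trusted_syscall_table())


# Constructed scenario: a clean image, and one where syscall 3 was redirected
# into module address space.
CLEAN_DUMP = build_dump(trusted_syscall_table())
HOOKED_TABLE = trusted_syscall_table()
HOOKED_TABLE[3] = MODULE_AREA + 0x1000
HOOKED_DUMP = build_dump(HOOKED_TABLE)

if __name__ == "__main__":
    for f in analyse(HOOKED_DUMP):
        print(f"syscall {f['nr']}: expected {f['expected']:#010x}, "
              f"seen {f['seen']:#010x} ({f['reason']})")
```

The point of doing this comparison off-device is the one the abstract makes: the reference table and the diff logic never execute on the monitored OS, so a rootkit that hides from in-kernel scanners has nothing to subvert on the analysis path. `text_region_matches` is the same idea applied to a whole code region rather than individual pointers, which catches inline patching that leaves the syscall table itself intact.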
