Mark Guido (The MITRE Corporation)
Justin Grover (The MITRE Corporation)
Jared Ondricek
Dave Wilburn
Drew Hunt
Thanh Nguyen

Abstract

Android smartphones are becoming increasingly pervasive within government and industry, despite the limited ways to detect malicious applications installed on these phones' operating systems. Although enterprise security mechanisms are being developed for use on Android devices, these methods cannot detect previously unknown malicious applications. As more sensitive enterprise information becomes available and accessible on these smartphones, the risk of data loss inherently increases. A malicious application's actions could potentially leave sensitive data exposed with little recourse. Without an effective corporate monitoring solution in place for these mobile devices, organizations will continue to lack the ability to determine when a compromise has occurred.

This paper presents research that applies traditional digital forensic techniques to remotely monitor and audit Android smartphones. The smartphone sends changed file system data to a remote server, allowing for expensive forensic processing and the offline application of traditional tools and techniques rarely applied to the mobile environment. The research aims at ascertaining new ways of identifying malicious Android applications and ultimately attempts to improve the state of enterprise smartphone monitoring. An on-phone client, server, database, and analysis framework were developed and tested using real mobile malware. The results are promising: the developed detection techniques identify changes to important system partitions; recognize file system changes, including file deletions; and find persistence and triggering mechanisms in newly installed applications. It is believed that these detection techniques should be performed by enterprises to identify malicious applications affecting their phone infrastructure.
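The abstract describes three server-side checks on the uploaded file system data: changes to system partitions, file additions, modifications and deletions, and persistence or triggering mechanisms in newly installed applications. The following is an added illustration of how such checks can be run offline once the server holds a baseline snapshot; it is not the authors' framework. It assumes a snapshot is a mapping from absolute path to SHA-256 of content, that the watched partition prefixes and intent-action list are a hypothetical starting point, and that the two snapshots and the AndroidManifest.xml below are constructed sample data rather than results from the paper.

```python
"""Offline change detection over file system snapshots (added example).

Assumptions: each snapshot is a dict mapping absolute path -> SHA-256 hex of
file content, as a server could rebuild from a phone's uploads. All sample
data here is constructed for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical watch list of intents an app can register for to start itself
# without user action (persistence / triggering mechanisms).
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.USER_PRESENT",
    "android.net.conn.CONNECTIVITY_CHANGE",
}

# Hypothetical set of partitions that should not change on a stock device.
SYSTEM_PREFIXES = ("/system/", "/data/system/")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, modified and deleted paths between two hash snapshots.
    Deletions are only visible because the server keeps the baseline; the
    phone itself no longer has those files."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def system_partition_changes(changes: dict, prefixes=SYSTEM_PREFIXES) -> list:
    """Flag any change under a protected prefix: /system is read-only on a
    stock device, so any write there warrants review."""
    return sorted((kind, p) for kind, paths in changes.items()
                  for p in paths if p.startswith(prefixes))


def find_trigger_receivers(manifest_xml: str) -> list:
    """Return (receiver class, action) pairs for broadcast receivers that
    register for auto-start style intents in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "")
        if name.startswith("."):          # relative class name -> fully qualified
            name = package + name
        for action in receiver.iter("action"):
            act = action.get(ANDROID_NS + "name", "")
            if act in TRIGGER_ACTIONS:
                hits.append((name, act))
    return sorted(hits)


# --- constructed sample data (not from the paper) -------------------------
BASELINE = {
    "/system/bin/sh": sha256(b"stock shell binary"),
    "/system/app/Phone.apk": sha256(b"stock phone apk"),
    "/data/app/com.example.notes-1.apk": sha256(b"benign notes app"),
    "/data/data/com.example.notes/files/notes.db": sha256(b"user notes"),
}
AFTER_INSTALL = {
    "/system/bin/sh": sha256(b"stock shell binary"),
    "/system/app/Phone.apk": sha256(b"stock phone apk"),
    "/system/bin/su": sha256(b"dropped setuid helper"),     # new file in /system
    "/data/app/com.example.notes-1.apk": sha256(b"benign notes app"),
    "/data/app/com.example.flashlight-1.apk": sha256(b"newly installed app"),
    # notes.db is gone: a deletion the phone alone could not report
}
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def analyze(baseline=BASELINE, current=AFTER_INSTALL, manifest=SAMPLE_MANIFEST) -> dict:
    """Run all three checks and return their findings together."""
    changes = diff_snapshots(baseline, current)
    return {
        "changes": changes,
        "system_flags": system_partition_changes(changes),
        "triggers": find_trigger_receivers(manifest),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

On the constructed input the diff reports the new APK and a new /system/bin/su, the deleted notes database, no modifications; the partition check flags only the /system write; and the manifest scan reports the BOOT_COMPLETED and SMS_RECEIVED receivers of the newly installed app. In practice the baseline would be the hashes of a known-good image of the same firmware, and the manifest would be extracted from the uploaded APK rather than embedded as here.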