
Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware


Abstract

Malware is defined as computer programs that an attacker uses to execute malicious code on a victim's computer. On today's Internet, malware constitutes a major problem, and effective safety measures against this harassment are necessary. This problem also looms as a new and future threat to smartphones. They contain a great deal of information that is of great interest to attackers. Several hundred different versions of malware for this type of device have already been observed, and this number is expected to increase even further within the next few years. Thus, effective and efficient protection measures against malware on mobile devices (mobile malware) become necessary, so that procedures for detecting and repelling these threats are in place right from the beginning. Moreover, today there is almost no criminal action in which information technology does not play a role, and mobile devices increasingly become an object of investigation in the context of crime detection. For these reasons, two major research aspects have been defined within the scope of the BMBF project named 'MobWorm':

Automated Malware Analyses: Within the scope of this question, a prototype will be further developed. To this end, we investigate which information a mobile sandbox needs to collect; the corresponding implementation then follows. Moreover, we investigate to what extent the mobile sandbox may be used as a security measure, e.g. as a reference monitor for downloaded applications. Here, the mobile sandbox monitors the activities of a program and terminates it directly if an unauthorized sequence of actions occurs (e.g. the opening of a permitted network connection or the dialing of an expensive service number).

Mobile Phone Forensics: Within the frame of this research question, we develop several methods for conducting forensic analysis on smartphones. In this context, a major focus is put on Google's Android platform.
In a first step, various methods of creating a memory dump of a mobile phone are researched (e.g. with the help of a Twister-Box, via JTAG, or with specific software). These are documented as forensic processes, i.e. as detailed and exact activity rules. In a second step, the methods for analyzing memory dumps are developed. As a result, the usability and effectiveness of standard procedures such as file carving and hash-value databases in the area of mobile phones should be investigated. The focus of the application examples always lies on the corresponding investigation of malware infections. The methods and tools developed within the scope of this research question are intended as an addition to already existing proprietary systems and their functions, which are often not well documented. During development we put great emphasis on compliance with forensic principles, and we orient ourselves to the scientific standards of this area of research. The developed prototype as well as the fundamental research is important in order to understand the behavior of mobile devices and software in detail in terms of malware analysis.
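As an added illustration of the two standard procedures the abstract names for the analysis step (file carving and hash-value databases), the following Python example, written for this page and not part of the MobWorm project, carves JPEG and PNG files out of a constructed memory-dump byte string by their header/footer signatures and checks each carved file's SHA-256 against a constructed hash database. The signature table, the sample dump and the hash entries are assumptions made for the demonstration.

```python
import hashlib

# Header/footer signatures for two file types commonly carved from phone storage
# dumps. Constructed subset for this example, not a complete signature database.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(dump):
    """Header/footer file carving: return (type, offset, data) for every file
    whose header and a matching footer are both present in the dump."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while (h := dump.find(header, start)) != -1:
            f = dump.find(footer, h + len(header))
            if f == -1:
                break  # header without footer: truncated fragment, not carved
            end = f + len(footer)
            found.append((ftype, h, dump[h:end]))
            start = end
    return sorted(found, key=lambda t: t[1])

def classify(carved, known_hashes):
    """Look up the SHA-256 of each carved file in a hash-value database
    (digest -> label) to triage known-bad artefacts from unknown ones."""
    out = []
    for ftype, offset, data in carved:
        digest = hashlib.sha256(data).hexdigest()
        out.append({"type": ftype, "offset": offset, "size": len(data),
                    "sha256": digest, "label": known_hashes.get(digest, "unknown")})
    return out

# Constructed sample "memory dump": filler bytes, one JPEG, one PNG and a
# truncated JPEG header at the end (no footer, so it must not be carved).
FAKE_JPG = b"\xFF\xD8\xFF\xE0" + b"JFIF-sample-payload" + b"\xFF\xD9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"png-sample-payload" + b"IEND\xaeB`\x82"
SAMPLE_DUMP = b"\x00" * 16 + FAKE_JPG + b"\x11" * 8 + FAKE_PNG + b"\xFF\xD8\xFF" + b"trunc"

# Constructed hash database: the sample PNG is recorded as a known malware artefact.
KNOWN_HASHES = {hashlib.sha256(FAKE_PNG).hexdigest(): "known-bad:sample-dropper-icon"}

def analyze(dump=SAMPLE_DUMP):
    return classify(carve(dump), KNOWN_HASHES)

if __name__ == "__main__":
    for record in analyze():
        print(record)
```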

Bibliographic details

  • Author

    Spreitzenbarth Michael;

  • Affiliation
  • Year 2011
  • Total pages
  • Original format PDF
  • Language eng
  • CLC classification
