VolMemDroid-Investigating android malware insights with volatile memory artifacts

Android based smartphones have become a top target for malware writers due to their widespread use. A number of malicious applications are present on play stores and downloaded on daily basis, posing a significant threat to users' personal and business data. As a result, the design of malware analysis frameworks is crucial in protecting the growing number of users who rely on their smart phones for routine and business tasks. The traditional signature based schemes for malware detection are unable to handle new and sophisticated malware. Furthermore, generic solutions based on static analysis schemes become less effective in the presence of obfuscated malware. In this study, a dynamic analysis based framework, VolMemDroid, for detecting malicious applications for Android is proposed. The framework extracts the volatile memory artifacts for profiling malicious Android applications. For this purpose, the memory forensic framework of volatility is utilized. A number of volatility plugins are analyzed for their compatibility w.r.t the Android platform and their ability in modeling the application's behavior. After testing a number of plugins, chosen plugins are further processed for extraction of features. A comprehensive feature set for Android malware detection and categorization is proposed. It has been found that the suggested framework is effective for detecting Android malicious applications with an F1 -score of 0.972, which is better than existing volatile memory based approaches for Android malware detection. The framework is also found to be effective in categorizing malicious Android applications into four distinct classes.