Exploring Memory Forensics of Android Banking Trojan
Primary Investigator:
Marcus Thompson
Szu Kai Yang
Abstract
The purpose of this study was to analyze the memory of Android devices before and after infection by a banking Trojan that attempts to steal user information. It is hypothesized that the banking Trojan will create processes, in particular a network process, to transmit user information over the internet. The method used here to understand the Android banking Trojan in memory should also help in understanding memory consumption while the Trojan is running. The analysis is broken into four phases: acquire a memory dump of the uninfected Android device, install and trigger the banking Trojan, acquire a memory dump after infection, and compare the memory dumps taken before and after infection. Comparing the memory dumps before and after infection addresses the research question by identifying the running processes, including network activity, that were created by the infection.
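The fourth phase, comparing the two dumps, is the step a practitioner would want to see carried out. The following Python script is an added illustration and is not code from the study; it assumes that the process list and socket table have already been extracted from each dump into a simplified tab-separated listing (pid, ppid, name; and pid, protocol, local address, remote address, state). The listings below are constructed sample data, and the package name com.sample.trojan and the addresses are placeholders, not indicators from the paper. The script reports processes that appear only in the post-infection dump, sockets that appear only there, and for each new socket the owning process and its parent chain, so a new network connection can be attributed to a newly created process.

```python
"""Compare process and socket listings from two memory dumps (before/after infection).

Input format is a constructed, simplified tab-separated listing; it is not the
output of any specific memory-forensics tool.  All sample data below is made up.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Sock:
    pid: int
    proto: str
    laddr: str
    raddr: str
    state: str


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse 'pid<TAB>ppid<TAB>name' lines into a pid -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines():
        pid, ppid, name = line.split("\t")
        procs[int(pid)] = Proc(int(pid), int(ppid), name)
    return procs


def parse_net(text: str) -> List[Sock]:
    """Parse 'pid<TAB>proto<TAB>laddr<TAB>raddr<TAB>state' lines into Sock records."""
    socks: List[Sock] = []
    for line in text.strip().splitlines():
        pid, proto, laddr, raddr, state = line.split("\t")
        socks.append(Sock(int(pid), proto, laddr, raddr, state))
    return socks


def parent_chain(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk ppid links from pid upward; stops when the parent is not in the listing."""
    chain: List[str] = []
    p = procs.get(pid)
    while p is not None:
        chain.append(p.name)
        p = procs.get(p.ppid)
    return chain


def compare_dumps(ps_before: str, net_before: str, ps_after: str, net_after: str) -> dict:
    """Return new/terminated processes and new sockets, each attributed to its owner."""
    procs_b, procs_a = parse_ps(ps_before), parse_ps(ps_after)
    new_pids = sorted(set(procs_a) - set(procs_b))
    gone_pids = sorted(set(procs_b) - set(procs_a))
    socks_b, socks_a = set(parse_net(net_before)), set(parse_net(net_after))
    new_socks = sorted(socks_a - socks_b, key=lambda s: (s.pid, s.laddr))
    findings = []
    for s in new_socks:
        findings.append({
            "socket": s,
            "chain": parent_chain(procs_a, s.pid),   # owner first, then ancestors
            "owner_is_new": s.pid in new_pids,        # socket belongs to a process absent before
        })
    return {
        "new_processes": [procs_a[p] for p in new_pids],
        "terminated_processes": [procs_b[p] for p in gone_pids],
        "new_sockets": findings,
    }


# Constructed sample listings (not real forensic output).
BEFORE_PS = "1\t0\tinit\n512\t1\tzygote\n1201\t512\tcom.android.systemui\n1340\t512\tcom.android.phone\n"
AFTER_PS = BEFORE_PS + "2044\t512\tcom.sample.trojan\n"   # placeholder package name
BEFORE_NET = "1340\ttcp\t10.0.2.15:43210\t203.0.113.5:443\tESTABLISHED\n"
AFTER_NET = (BEFORE_NET
             + "2044\ttcp\t10.0.2.15:51002\t198.51.100.20:8080\tESTABLISHED\n"
             + "2044\ttcp\t0.0.0.0:6789\t0.0.0.0:0\tLISTEN\n")

if __name__ == "__main__":
    result = compare_dumps(BEFORE_PS, BEFORE_NET, AFTER_PS, AFTER_NET)
    for p in result["new_processes"]:
        print(f"new process  pid={p.pid} ppid={p.ppid} {p.name}")
    for f in result["new_sockets"]:
        s = f["socket"]
        print(f"new socket   {s.proto} {s.laddr} -> {s.raddr} {s.state} "
              f"owner={' <- '.join(f['chain'])} new_owner={f['owner_is_new']}")
```

The set difference on whole socket records means a connection that existed in both dumps (the phone app's session here) is ignored, while the parent chain ties each new socket back to zygote, which is where a newly launched Android app process is expected to originate; a new socket whose owner was already present before infection would instead point at code injected into, or misuse of, an existing process.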