apps to develop infrastructure-based logging agents that remain applicable across app versions and functional across three different applications. In doing so, we considerably reduce the reverse engineering effort while increasing compatibility across applications and their versions.
Coverage analysis based on data from AppBrain also shows that, using this approach, potentially 95% of the most downloaded apps on the Google Play Store can be forensically enhanced using at most two storage-related infrastructure-based forensic logging agents. This significantly reduces the number of agents that need to be developed and the number of individual apps that would need to be reverse-engineered. This result bodes well for JIT-MF and any other forensic logging enhancement technique that aims to provide deeper visibility through a third-party, application-specific forensic logging agent.
ACKNOWLEDGEMENTS
This work is supported by the DETECTIF (Digital Evidence Targeting covErt Cyberattacks through Timely Information Forensics) project. DETECTIF is funded by the Malta Council for Science and Technology (MCST) under the FUSION R&I: Research Excellence Programme, Grant Agreement No. REP-2022-007.
ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy