Artificial Intelligence for Android stealth-attack detection: a digital forensics approach
SANNA, SILVIALUCIA
2026
Abstract
Android is the most popular operating system (OS) for mobile devices worldwide due to its low cost and open-source platform. Various apps for different services have been developed, but the incorrect management of specific data structures and code sections can lead to vulnerabilities, allowing malware to spread and increasing the risk of cyberattacks. Among the vulnerabilities in Android applications, some of the most interesting are those related to native code, i.e., C/C++ libraries used to interact with native activities and components such as the camera and microphone, image processing, and fast data processing. These vulnerabilities, imported from common and popular third-party libraries or introduced by developers, correspond to common C/C++ vulnerabilities such as buffer overflows and format string vulnerabilities. When these vulnerabilities are exploited, an attacker can gain access to main memory, where data such as encryption keys is stored in clear text. Over the years, various static and dynamic analysis techniques (i.e., without and with execution, respectively) have been developed, particularly automatic detection systems based on Artificial Intelligence (AI) algorithms. Despite this, malware with anti-analysis and evasion techniques has been developed, for example using obfuscation, steganography, or adversarial attacks on AI systems. For this reason, this thesis first introduces a methodology based on AI algorithms to detect and exploit risky vulnerabilities in the native code of Android applications. Secondly, a new detection mechanism based on memory forensics is presented, which is also resistant to common anti-analysis techniques and adversarial Android samples. Finally, it explains how AI can be applied to Digital Forensics (DF) investigations and the importance of accurate and robust AI-based DF tools.

| File | Size | Format | |
|---|---|---|---|
| Tesi_dottorato_Sanna.pdf (open access; license: Creative Commons) | 14.92 MB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/357556
URN:NBN:IT:UNIROMA1-357556