JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface
Mordechai Guri, Yuri Poliak, Bracha Shapira, Yuval Elovici

TL;DR
JoKER leverages the JTAG interface to perform trusted memory forensics on Android devices, enabling detection of stealthy kernel rootkits that evade traditional anti-virus solutions.
Contribution
This paper introduces JoKER, a novel framework that uses JTAG for trusted detection of kernel rootkits in Android devices, addressing limitations of existing detection methods.
Findings
Successfully detects stealthy kernel rootkits in Android
Demonstrates JTAG's utility beyond system testing for malware detection
Provides a practical architecture for trusted memory analysis
Abstract
Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequently, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present JoKER - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for…
