RGB_Mem: At the intersection of memory forensics and machine learning

Forensic Science International: Digital Investigation (2023)

Abstract
The alarming sophistication and pervasiveness of mobile malware have continued to draw the attention of many cybersecurity researchers. On the Android platform in particular, trojans designed to steal user PII, crypto miners, ransomware, and on-device fraud continue to infiltrate the primary Google store market and other secondary markets. While the research community and industry have made considerable efforts to curb this menace since 2012, malware authors have consistently found ways to circumvent the existing detection and prevention mechanisms. This remains largely so because of the restrictiveness of the feature set used to build the current classification models. Thus, the overarching objective of this paper is to bridge the gap between static and dynamic analysis by exploring the use of in-memory artifacts generated from the concrete execution of Android apps for effective malware classification. Our proposed approach, called RGB_Mem, trains a Convolutional Neural Network on RGB images generated from in-memory allocation patterns. Our classification algorithm achieved an accuracy of 95.98% for samples with known objects and 84.48% for samples with unknown features. These results indicate that artifacts recovered from post-mortem memory forensics can provide a new dimension for training Android malware classifiers. The post-execution features, which are not impeded by obfuscation or hooking constraints, provide a more accurate characterization of an app and are therefore more suitable for classification. (c) 2023 The Author(s). Published by Elsevier Ltd on behalf of DFRWS. All rights reserved. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
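The abstract only states that RGB images are built from in-memory allocation patterns and fed to a CNN; it does not give the encoding. The following is an added illustrative example, not the paper's code: it assumes a hypothetical scheme in which each recovered allocation record (size, object type tag, count) becomes one pixel, the trace is truncated or zero-padded to a fixed grid so every sample has the same shape for a CNN, and the grid is serialised as a binary PPM so it can be inspected or loaded by an image library. The sample trace is constructed, not recovered from a device.

```python
"""Encode an in-memory allocation trace as a fixed-size RGB image (illustrative).

Hypothetical channel mapping (an assumption, not RGB_Mem's actual encoding):
  R = allocation size on a log2 scale, G = object type tag, B = allocation count.
"""
import math

# Constructed sample: (size_bytes, type_tag, count) per allocation record.
SAMPLE_TRACE = [
    (16, 1, 3),
    (4096, 2, 1),
    (1 << 20, 3, 7),
    (0, 0, 0),  # zero-size record: log2 is undefined, must map to 0 not raise
]


def size_channel(size):
    """Map an allocation size to 0..255 on a log2 scale; 0 and negatives stay 0."""
    if size <= 0:
        return 0
    # 2**32 bytes saturates the channel; values beyond are clamped to 255.
    return min(255, int(round(math.log2(size) * 255 / 32)))


def record_to_pixel(size, tag, count):
    """One allocation record -> one (r, g, b) tuple, each channel clamped to a byte."""
    return (size_channel(size), max(0, min(255, tag)), max(0, min(255, count)))


def trace_to_image(trace, width=8, height=8):
    """Return a height x width grid of (r, g, b) tuples.

    Longer traces are truncated and shorter ones zero-padded so that every
    sample yields a tensor of identical shape, which a CNN requires.
    """
    pixels = [record_to_pixel(*rec) for rec in trace[: width * height]]
    pixels += [(0, 0, 0)] * (width * height - len(pixels))
    return [pixels[r * width:(r + 1) * width] for r in range(height)]


def image_to_ppm(image):
    """Serialise the grid as binary PPM (P6): a minimal header then raw RGB bytes."""
    height, width = len(image), len(image[0])
    header = f"P6\n{width} {height}\n255\n".encode("ascii")
    body = bytes(channel for row in image for px in row for channel in px)
    return header + body


if __name__ == "__main__":
    img = trace_to_image(SAMPLE_TRACE)
    with open("sample_alloc.ppm", "wb") as fh:
        fh.write(image_to_ppm(img))
    print("first row:", img[0])
```

The fixed-grid step is the part worth getting right: a classifier trained on these images sees only the first `width * height` records, so the choice of grid size and of the ordering of records (by address, by time of allocation, or by size) decides which part of the allocation pattern the model can actually learn from.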
Keywords
Memory forensics, Android, Memory analysis, Malware, CNN, Machine learning