The Volatility Team is very happy to continue to see leading researchers in the memory forensics field focus their efforts towards the framework. This will continue to make Volatility the leading memory forensics tool, and give it all the capabilities investigators need.
This site is an archive of the Volatility Labs blog. The blog has moved to https://volatilityfoundation.org/volatility-blog/
Monday, April 1, 2013
Android Application (Dalvik) Memory Analysis & the Chuli Malware
This blog post highlights a recent collaborative effort between Joe Sylve and Vico Marziale of 504ensics Labs and me. In this effort, we added to Volatility the capability to perform deep, per-application analysis of running Android applications. Each application runs in its own instance of Dalvik, which is Android's version of the Java Virtual Machine (JVM). The analysis recovers all loaded classes, including the values of static variables for each class and of instance variables for each instance. This will often include data such as usernames and passwords, data read from the network and disk, and parameters used by malware to perform operations. 504ensics has published their own blog post on this work, where they not only explain the project in more detail, but also show analysis of the recently disclosed Chuli malware. If you perform Android malware analysis or are interested in the subject, I highly recommend reading their post here.
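To make concrete what "recovering loaded classes and their field values from a process memory image" looks like in practice, here is an added example (not code from Volatility or from the 504ensics plugins). It uses a constructed, deliberately simplified class-record layout, not Dalvik's real ClassObject structure, and a constructed memory image embedded inline. The point it demonstrates is the general carving approach such plugins rely on: locate candidate records by a marker, parse them with fixed-layout structs, validate every embedded pointer against the image bounds, and discard records that fail validation rather than letting one corrupt record derail the scan.

```python
import struct

# Constructed record marker for the sample image; NOT a real Dalvik signature.
MAGIC = b"DVCL"

# Simplified, hypothetical class record layout (not Dalvik's real layout):
#   <4s magic><I descriptor_off><I static_field_count>
#   followed by static_field_count entries of <I name_off><I value_off>
# All offsets index NUL-terminated strings elsewhere in the same image.
HEADER = struct.Struct("<4sII")
FIELD = struct.Struct("<II")


def read_cstring(buf, off, limit=256):
    """Return the NUL-terminated ASCII string at off, or None if the offset is
    outside the image, the string is unterminated within limit, or not ASCII."""
    if off < 0 or off >= len(buf):
        return None
    end = buf.find(b"\x00", off, off + limit)
    if end == -1:
        return None
    try:
        return buf[off:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_class_record(buf, off):
    """Parse one class record at off. Returns (descriptor, {field_name: value})
    or None if any part of the record fails validation."""
    if off + HEADER.size > len(buf):
        return None
    magic, desc_off, count = HEADER.unpack_from(buf, off)
    if magic != MAGIC or count > 64:          # sanity bound on field count
        return None
    descriptor = read_cstring(buf, desc_off)
    # A class descriptor looks like "Lcom/example/Foo;"; anything else is noise.
    if descriptor is None or not (descriptor.startswith("L") and descriptor.endswith(";")):
        return None
    fields = {}
    pos = off + HEADER.size
    for _ in range(count):
        if pos + FIELD.size > len(buf):
            return None
        name_off, value_off = FIELD.unpack_from(buf, pos)
        name = read_cstring(buf, name_off)
        value = read_cstring(buf, value_off)
        if name is None or value is None:
            return None                        # dangling pointer: drop whole record
        fields[name] = value
        pos += FIELD.size
    return descriptor, fields


def carve_classes(buf):
    """Scan the image for every marker and keep only records that validate."""
    results = []
    off = buf.find(MAGIC)
    while off != -1:
        rec = parse_class_record(buf, off)
        if rec is not None:
            results.append(rec)
        off = buf.find(MAGIC, off + 1)
    return results


def build_sample_image():
    """Constructed memory image: a string pool followed by three records, the
    second of which has a descriptor pointer far outside the image."""
    strings = [b"Lcom/example/LoginActivity;", b"username", b"alice",
               b"password", b"hunter2", b"Lcom/example/Beacon;",
               b"c2Host", b"203.0.113.7"]      # constructed sample values
    img = bytearray()
    offs = {}
    for s in strings:
        offs[s] = len(img)
        img += s + b"\x00"
    # record 1: valid, two static fields
    img += HEADER.pack(MAGIC, offs[b"Lcom/example/LoginActivity;"], 2)
    img += FIELD.pack(offs[b"username"], offs[b"alice"])
    img += FIELD.pack(offs[b"password"], offs[b"hunter2"])
    # record 2: corrupt, descriptor offset points past the end of the image
    img += HEADER.pack(MAGIC, 0xFFFFFFF0, 1)
    img += FIELD.pack(offs[b"c2Host"], offs[b"203.0.113.7"])
    # record 3: valid, one static field
    img += HEADER.pack(MAGIC, offs[b"Lcom/example/Beacon;"], 1)
    img += FIELD.pack(offs[b"c2Host"], offs[b"203.0.113.7"])
    return bytes(img)


if __name__ == "__main__":
    for descriptor, fields in carve_classes(build_sample_image()):
        print(descriptor)
        for name, value in fields.items():
            print(f"    {name} = {value!r}")
```

Running the script lists the two valid classes with their static field names and values and silently skips the corrupt record. Against a real Dalvik heap the record layout, string encoding and pointer semantics all differ, but the validate-every-pointer discipline is the same one that keeps a carving plugin from producing garbage when it hits a partially overwritten page.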
Labels: android, forensics, malware, volatility
It's very important to consider memory usage on Android application devices because it's an obvious problem, where memory is more constrained. Dalvik analysis is extremely powerful and allows investigators to uncover data in minutes.