Last month we covered new capabilities developed by 504ensics Labs that allowed for analysis of Dalvik instances within Volatility. This included a set of plugins as well as a GUI to explore the classes loaded into memory. We are writing an updated post as the GUI now contains the ability to automatically generate Volatility plugins that target interesting classes and members. Once generated, this plugin can be used in any investigation involving the class(es) of interest. Not only is this useful for malware-specific information, but can also target standard Dalvik classes such as those for networking (IP addresses, ports), file system activity, data structures, and much more.
The blog post by 504ensics explaining all the details can be found here.