Combating the OS-Level Malware in Mobile Devices by Leveraging Isolation and Steganography

Document Type

Conference Proceeding

Publication Date



Department of Computer Science


Detecting the OS-level malware (e.g., rootkit) is an especially challenging problem, as this type of malware can compromise the OS, and can then easily hide their intrusion behaviors or directly subvert the traditional malware detectors running in either the user or the kernel space. In this work, we propose mobiDOM to solve this problem for mobile computing devices. The key idea of mobiDOM is to securely detect the OS-level malware by fully utilizing the existing secure features of a mobile device in the hardware. Specifically, we integrate a malware detector in the flash translation layer (FTL), a firmware layer embedded into the external flash storage which is inaccessible to the OS; in addition, we build a trusted application in the Arm TrustZone secure world, which acts as a user-level controller of the malware detector. The FTL-based malware detector and the TrustZone-based controller communicate with each other stealthily via steganography. Security analysis and experimental evaluation confirm that mobiDOM can securely and effectively detect the OS-level malware.

Publication Title

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)