Uncovering Malware Persistence: Analyzing In-Memory Injectors & Process Hollowing on Android

Introduction: The Elusive Nature of Android Malware Persistence

Android malware has evolved significantly, moving beyond simple APK analysis to employ sophisticated evasion techniques. Among the most challenging to detect are those that achieve persistence through in-memory injection and process hollowing. These methods allow malicious code to execute within legitimate processes, making static analysis ineffective and dynamic analysis extremely difficult. This article delves into the intricacies of these advanced persistence techniques on Android and explores expert-level methods for their detection and analysis.

Understanding In-Memory Injection on Android

In-memory injection refers to the act of injecting arbitrary code or data into the address space of a running process. On Android, this typically involves a malicious application (the injector) targeting another process (the target) to execute its payload. Unlike traditional file-based malware, the payload never resides on disk in an executable form, making it notoriously difficult for traditional antivirus solutions to detect.

Common In-Memory Injection Techniques:

  • Dynamic Library Loading: Malicious code can be packaged as a shared library (.so file). The injector then uses APIs like dlopen to load this library into the target process’s memory and dlsym to resolve and execute functions within it.
  • Direct Memory Manipulation: More advanced techniques involve directly mapping or modifying memory regions within the target process. This often leverages system calls like mmap, mprotect, and sometimes even ptrace (though ptrace is more often associated with process hollowing). The injector might write raw shellcode or a full malicious ELF binary into a newly allocated or existing writable-executable memory region.

The primary challenge with in-memory injection is that the malicious code executes within the context of a legitimate process, inheriting its permissions and often blending in with its normal behavior.

Process Hollowing: A Deeper Dive into Evasion

Process hollowing is a highly stealthy technique where a legitimate process is created in a suspended state, its memory space is emptied (or "hollowed out"), and then malicious code is written into its address space. The execution context (e.g., program counter) is then redirected to the injected code, and the process is resumed. This creates an entirely new malicious process that appears to be the original legitimate one.

The Steps of Process Hollowing:

  1. Create a Suspended Process: The injector uses fork() and execve(), often in conjunction with ptrace(PTRACE_TRACEME, ...) in the child, or fork() then waitpid() with WIFSTOPPED in the parent, to create a new process that immediately stops before its execution begins.
  2. Unmap or Hollow Memory: Using ptrace(PTRACE_POKEDATA, ...) or other memory manipulation calls, the injector unmaps or overwrites the legitimate code and data segments of the suspended process.
  3. Write Malicious Code: The malicious payload (e.g., shellcode, a malicious ELF binary) is written into the now-empty memory space of the target process using ptrace(PTRACE_POKETEXT, ...) or direct memory writes.
  4. Modify Execution Context: The program counter (PC) or instruction pointer (EIP) register of the suspended process is altered to point to the entry point of the injected malicious code using ptrace(PTRACE_SETREGS, ...).
  5. Resume Process: The suspended process is resumed using ptrace(PTRACE_CONT, ...), causing it to execute the injected malicious code under the guise of the legitimate process.

Process hollowing offers superior evasion because the process metadata (process name, parent PID, and so on) all point to the original, legitimate executable, making it extremely difficult for endpoint detection and response (EDR) systems to tell the hollowed process apart from the real one.

Techniques for Detection and Analysis

Detecting in-memory injection and process hollowing requires a blend of dynamic analysis and memory forensics.

1. Dynamic Analysis with Runtime Monitoring

Tools like Frida are indispensable for runtime monitoring. By hooking critical system calls, we can observe suspicious behavior indicative of injection or hollowing.

Frida Script for Monitoring Memory Operations:

This script hooks common memory allocation/protection and process control calls:

    Java.perform(function() {
        var mmap = Module.findExportByName(null,
        // the remainder of the script is missing from the source page
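Runtime hooks observe the injection as it happens; the memory-forensics side of detection can be illustrated on a snapshot of /proc/<pid>/maps taken afterwards. The following is an added example and not the page's Frida script: it parses a constructed maps sample, flags the executable mappings the techniques above leave behind (writable+executable regions, anonymous executable regions, code loaded from a non-system path), and checks the hollowing indicator of a process whose original text segment is no longer mapped. The trusted-partition prefixes and the ART JIT allowlist entry are assumptions to tune per device.

```python
import re
# Constructed /proc/<pid>/maps sample (not captured from a device): row 4 is an anonymous
# executable region, row 5 anonymous rwx, row 6 code from a non-system path, row 8 ART JIT.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0        [anon:dalvik-main space]
7a1c000000-7a1c021000 r-xp 00000000 fd:00 1234 /system/bin/app_process64
7a1c021000-7a1c023000 r--p 00020000 fd:00 1234 /system/bin/app_process64
7b00000000-7b00100000 r-xp 00000000 00:00 0
7b10000000-7b10010000 rwxp 00000000 00:00 0    [anon:libc_malloc]
7b20000000-7b20200000 r-xp 00000000 fd:00 5678 /data/local/tmp/payload.so
7c00000000-7c00021000 r-xp 00000000 fd:00 9999 /system/lib64/libc.so
7d00000000-7d00040000 r-xp 00000000 00:00 0    [anon:dalvik-jit-code-cache]
"""
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")
# Assumptions to tune per device: anonymous executable names that ART legitimately
# creates, and the partitions whose executables are treated as trusted.
KNOWN_ANON_EXEC = ("[anon:dalvik-jit-code-cache]",)
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/")

def parse_maps(text):
    """Yield (start, end, perms, path) for every parsable maps line."""
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            yield int(m[1], 16), int(m[2], 16), m[3], m[4].strip()

def scan_maps(text):
    """Return (start, end, perms, path, reason) for executable mappings worth a second look."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        if perms[2] != "x":
            continue                       # only executable regions can host injected code
        if perms[1] == "w":
            reason = "writable+executable mapping"
        elif path == "" or path.startswith("[anon:"):
            if path in KNOWN_ANON_EXEC:
                continue                   # benign JIT cache, not a finding
            reason = "executable mapping not backed by a file"
        elif not path.startswith(TRUSTED_PREFIXES):
            reason = "executable code loaded from a non-system path"
        else:
            continue
        findings.append((start, end, perms, path, reason))
    return findings

def looks_hollowed(text, exe_path):
    """True when /proc/<pid>/exe still names exe_path but no executable mapping of it remains."""
    return not any(p[2] == "x" and path == exe_path for _, _, p, path in parse_maps(text))
```

Feed it the text of /proc/<pid>/maps collected from the device (root or same-UID access is needed) together with the target of /proc/<pid>/exe; on a real process the anonymous-region allowlist will need additions for the ART version in use.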
