Digital Forensics for Mobile Malware

Do you suspect that malware is on a mobile device?

Mobile Malware

Malware, a portmanteau of “malicious software”, doesn’t just affect desktop and laptop computers. Smartphones, miniature computers in their own right, also have their own vulnerabilities to these diabolical digital diseases. As cell phones evolved into smartphones and grew more complex and more capable, they became more open to attack by mobile malware.

Mobile malware often enters victims’ phones through sketchy third-party apps and suspicious websites the user may visit using their phone’s Internet browser. Some especially mischievous malware will send text messages to premium-rate phone numbers without the owner’s knowledge or consent, running up charges on their phone bills.

Smartphone malware often tricks the user into granting it broad permissions (or exploits a vulnerability to gain root access), allowing it to wreak all sorts of havoc on the phone. Mobile spyware can steal passwords, account numbers, and other personal information from your smartphone and distribute it, often for a price, to nefarious third parties. It can compromise your organization’s security and allow sensitive and confidential data to leak out. Malware on your smartphone can allow others to monitor and track your whereabouts.

HummingBad, a prolific and sophisticated example of mobile malware, exists primarily to generate fraudulent ad revenue for its operators. HummingBad encrypts its most malicious components, making them difficult for mobile anti-malware products to detect.

What Is Mobile Malware?

Most malware has several goals. One goal is to collect information from the user, which can be sold to third parties and used to perpetrate fraud or identity theft. Another goal is to aggravate or disadvantage the user. Malware will often generate intrusive or annoying advertisements (which has the side benefit, for the fraudster, of generating false ad revenue), send messages without the user’s knowledge to run up their phone bill, degrade the phone’s performance, cause apps to crash without warning, or drain the phone’s battery.

Trojans are the most common form of malware. Like malware on desktop and laptop computers, mobile malware is often spread through social engineering. Trojans, like the legendary wooden horse, disguise themselves as seemingly-reputable files or apps but actually aim to steal data or interfere with the device’s operation.

Masquerading as a legitimate and benign app is the most effective attack vector available to malware authors. Malware, especially trojans, usually gains the victim’s trust by posing as a legitimate app or as an attachment to a legitimate-seeming email or SMS message. Malware can also infect users through compromised advertisements on websites visited in the phone’s Internet browser.

Mobile Ransomware

One particularly vicious type of malware, ransomware, encrypts user files and demands monetary payment in order to decrypt them. Ransomware operators have made millions of dollars from these attacks, although the exact figures are difficult to determine.

Ransomware mainly targets users of desktop and laptop PCs, but there are forms of ransomware aimed at Android and iOS smartphones as well. Mobile ransomware rarely encrypts user files the way ransomware aimed at PCs does. Instead, mobile ransomware locks the phone’s screen and demands a payment in order to “unlock” the device and allow the phone to function normally again. Mobile ransomware families include Pletor, Fusob, and Svpeng.

Potentially Unwanted Applications (PUAs)

In addition to malware such as trojans and worms, there are other potentially unwanted applications which can end up on a phone, such as adware, trackware, and spyware. Adware can collect user information in order to provide targeted ads. Trackware can gather data on the phone’s user and report it back to a third party. Spyware can allow another person to access the text messages, multimedia, and GPS information on an infected user’s phone, and even listen in on the user’s phone calls. Unlike malware, these applications do not normally aim to incapacitate the user’s phone or disadvantage the user.

Potentially unwanted applications are, as the name suggests, only potentially unwanted. They have legitimate and non-malicious uses in the right hands. Adware and trackware, for example, can be placed on your phone by legitimate providers to deliver search results and advertisements targeted to you and informed by your location.

Even mobile spyware has legitimate uses. An employer, for example, can place spyware on company-provided mobile phones in order to ensure that employees use the devices only for legitimate company purposes. Mobile spyware apps are usually free or cheap and leave little evidence of their presence, and many mobile anti-malware apps do not detect them.

When these applications are used legitimately, the user consents to have them placed on their phone. These applications become unwanted when they are used by a malicious third party to violate the user’s privacy without their consent. The opportunities to misuse these applications, especially spyware, are nearly endless, and can be exploited by malicious employers, or by abusive spouses, partners, parents, or stalkers. Some forms of spyware are extremely invasive and can activate an infected user’s camera or microphone without their knowledge.

Mobile Forensics and PUAs

Potentially unwanted applications leave as small a footprint as possible in order to avoid detection by the user. However, as any mobile forensics investigator worth their salt is well aware, everything leaves behind a trace. When a phone’s owner has reason to believe that somebody has intimate knowledge of the owner’s movements or of the contents of their phone calls or SMS messages, a skilled mobile forensics investigator can examine the phone for the telltale traces of spyware: apps installed from outside the official app store, enabled accessibility or device-administrator services, and apps granted permissions such as SMS, microphone, camera and location access that their stated purpose does not justify.
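As an added illustration of what a first-pass triage for those traces can look like on an Android handset (this is an editor’s example, not Gillware’s method or tooling), the script below takes three listings a practitioner would normally pull with adb and flags any package that shows two or more spyware indicators: it was not installed by a trusted app store, it has an accessibility service enabled, or it holds sensitive permissions. The three samples are constructed and simplified stand-ins for the real `pm list packages -i`, `settings get secure enabled_accessibility_services` and `dumpsys package` output; the package names, the trusted-installer list and the sensitive-permission list are assumptions for the example.

```python
import re

# Assumption: installer packages a practitioner treats as trusted app stores.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Assumption: permissions that together enable the spying described in the text.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample of `adb shell pm list packages -i` output (one package per line).
SAMPLE_PACKAGE_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.sys.update.service  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ACCESSIBILITY = "com.sys.update.service/com.sys.update.service.AccessService"

# Constructed, simplified sample of granted permissions per package; on a real
# device this comes from parsing `adb shell dumpsys package <pkg>`.
SAMPLE_GRANTED = {
    "com.android.chrome": {"android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION"},
    "com.example.notes": {"android.permission.READ_EXTERNAL_STORAGE"},
    "com.sys.update.service": {
        "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    },
}

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_package_list(text):
    """Map package name -> installer package, or None when pm reports 'null' (sideloaded)."""
    installers = {}
    for line in text.splitlines():
        m = _PKG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines instead of aborting the triage
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def parse_accessibility(setting):
    """Return the set of packages with an enabled accessibility service.

    The setting is a ':'-separated list of 'package/ServiceClass' entries and
    reads 'null' (or is empty) when no service is enabled."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def indicators(pkg, installer, accessibility_pkgs, granted):
    """List the spyware indicators that apply to one package."""
    reasons = []
    if installer not in TRUSTED_INSTALLERS:
        reasons.append("not installed from a trusted store (installer=%s)" % installer)
    if pkg in accessibility_pkgs:
        reasons.append("accessibility service enabled")
    sensitive = sorted(granted.get(pkg, set()) & SENSITIVE_PERMISSIONS)
    if sensitive:
        short = [p.rsplit(".", 1)[1] for p in sensitive]
        reasons.append("sensitive permissions granted: " + ", ".join(short))
    return reasons


def triage(package_list_text, accessibility_setting, granted, min_indicators=2):
    """Return {package: [reasons]} for packages with at least min_indicators hits."""
    installers = parse_package_list(package_list_text)
    access = parse_accessibility(accessibility_setting)
    flagged = {}
    for pkg, installer in installers.items():
        reasons = indicators(pkg, installer, access, granted)
        if len(reasons) >= min_indicators:
            flagged[pkg] = reasons
    return flagged


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PACKAGE_LIST, SAMPLE_ACCESSIBILITY, SAMPLE_GRANTED).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

The two-indicator threshold is deliberate: a browser legitimately holds camera and location permissions, so sensitive permissions alone are not evidence of anything, whereas a sideloaded package with an enabled accessibility service and SMS plus microphone access is exactly the profile the text describes and is worth a closer look at its APK and on-disk artifacts.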

Threats to Smartphone Security

While all mobile operating systems are bound to have bugs and unavoidable security holes, mobile malware targets Android devices far more often than iOS devices, with Android threats comprising the vast majority of all discovered mobile malware. This is mainly due to Android’s dominance of the worldwide market, with over 80% of all smartphones running some version of the open-source OS.

Operating System Fragmentation

Operating system fragmentation can make it difficult for smartphone manufacturers to effectively halt the spread of mobile malware by patching their smartphones’ security holes. Over the years, both the Android and iOS operating systems have seen numerous updates and revisions. But not every smartphone user carries the latest version of their phone’s OS in their pocket. This happens not just because users are lazy or hesitant to upgrade, but also because users of older models often cannot upgrade their phones at all due to a lack of hardware or vendor support.

With smartphone users fragmented like this, patches for the bugs and oversights in mobile OSes that mobile malware developers exploit cannot reach all smartphone users. For example, a Samsung-distributed security patch for Bob’s Samsung Galaxy running Android KitKat would not help Alice, whose older model of Samsung smartphone cannot run any version of Android more recent than Ice Cream Sandwich.

What Services Does Gillware Offer for Victims of Mobile Malware?

One of the principles of digital forensics, and of the field of forensics in general, is that everything leaves a trace. No matter how “undetectable” malware or spyware claims to be, a skilled forensic investigator with intimate knowledge of Android, iOS, and other mobile OS architectures and of mobile forensics can find the tiny footprints it inevitably leaves behind.

We leverage the expertise of our president Cindy Murphy, a digital forensics investigator with decades of experience in the field, and our data recovery lab, which has recovered data from all forms of storage devices for over ten years.

The mobile forensics experts at Gillware can provide complete forensic analysis of any model of Android or iOS smartphone. A full forensic analysis of an infected smartphone can determine what type of malware or PUA infected the phone, how the malefactor gained entry, and in which ways the phone and its owner’s data and personal information have been compromised.

Have remaining questions about mobile malware?