How to Hunt Down Malware on Mobile Devices


co-authored by Josh Hickman, Subject Matter Expert Collect and Review, Cellebrite

The ubiquity of mobile devices makes them prime targets for malware. While incident response and malware detection for PCs and Macs are well established, mobile security often remains uncharted territory for organizations and users alike. Because an attack is no longer a question of if but when, there is a pressing need for education in identifying and resolving infections and in bolstering defences against future attacks.

What Malware Looks Like and How it Gets There

Mobile malware manifests in various forms, from ransomware encrypting data to spyware surreptitiously monitoring activities. Understanding the modus operandi of mobile malware is critical for detection and mitigation efforts.

How it lands on a device:

  • Malicious Links: Phishing links delivered by email or text message (the latter known as smishing) misdirect users into unknowingly downloading malware onto their devices.
  • Overlay Attacks: Malicious apps masquerade as legitimate services, tricking users into divulging sensitive information. An example of this is when a user encounters a fake login screen that closely resembles a legitimate service, such as a banking app, prompting them to enter their credentials unknowingly.
  • Cross-device sync: Users sometimes save passwords in a browser that syncs to their mobile devices. An attacker who gains a foothold on the device can then retrieve the login data from the synced browser.

What to watch out for:

  • Unusual Activity: Sudden battery drain, abnormal data usage and unexpected pop-ups are tell-tale signs of malware.
  • Aberrant Behavior: Anomalous camera activity, overheating and unresponsive apps may signify malware infiltration.
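The battery and data symptoms above are easiest to act on when compared against the device's own normal usage, which is what the "baseline" in the two-part approach provides. The following is an added example, not code from the article or from Cellebrite tooling: it builds a per-app median baseline from a few days of constructed telemetry (package, mobile bytes, battery share) and flags apps whose usage on the day of the complaint is far above that baseline, or which were not present at all during the baseline period. Package names and thresholds are constructed assumptions.

```python
"""Compare per-app data and battery usage against a per-app baseline.
Added example on constructed telemetry; not from the article or Cellebrite tooling."""
from collections import defaultdict
from statistics import median

# Constructed sample: (day, package, mobile bytes that day, battery share in %).
# Days 1-6 are the user's normal week; day 7 is when they noticed the drain.
TELEMETRY = [
    (d, "com.android.chrome", 20_000_000 + d * 100_000, 8.0) for d in range(1, 7)
] + [
    (d, "com.example.weather", 1_000_000, 1.0) for d in range(1, 7)
] + [
    (7, "com.android.chrome", 22_000_000, 9.0),
    (7, "com.example.weather", 60_000_000, 15.0),   # sudden jump for a quiet app
    (7, "com.freegift.cleaner", 40_000_000, 20.0),  # never seen during the baseline
]


def build_baseline(records, baseline_days):
    """Per-app median bytes and battery share over the baseline days."""
    per_app = defaultdict(lambda: {"bytes": [], "battery": []})
    for day, pkg, nbytes, battery in records:
        if day in baseline_days:
            per_app[pkg]["bytes"].append(nbytes)
            per_app[pkg]["battery"].append(battery)
    # Median is robust to a single odd day inside the baseline window.
    return {pkg: {"bytes": median(v["bytes"]), "battery": median(v["battery"])}
            for pkg, v in per_app.items()}


def flag_anomalies(records, day, baseline, ratio=3.0,
                   min_bytes=5_000_000, min_battery=5.0):
    """Return {package: [reasons]} for apps whose usage on `day` is far above baseline."""
    findings = defaultdict(list)
    for d, pkg, nbytes, battery in records:
        if d != day:
            continue
        base = baseline.get(pkg)
        if base is None:
            findings[pkg].append("no baseline: app not present during the baseline period")
            continue
        # Absolute floor plus a ratio, so a tiny app tripling from 1 KB is not noise.
        if nbytes >= min_bytes and nbytes > ratio * base["bytes"]:
            findings[pkg].append(f"data {nbytes} B vs baseline median {base['bytes']:.0f} B")
        if battery >= min_battery and battery > ratio * base["battery"]:
            findings[pkg].append(f"battery {battery}% vs baseline median {base['battery']}%")
    return dict(findings)


if __name__ == "__main__":
    base = build_baseline(TELEMETRY, range(1, 7))
    for pkg, reasons in flag_anomalies(TELEMETRY, 7, base).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On the constructed data the browser stays quiet while the weather app and the newly appeared "cleaner" are flagged; the point is that "abnormal" only has meaning relative to what the owner's device normally does, which is why the owner's input matters in the investigation.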

A Two-Part Approach to Malware Investigations

The dynamic nature of mobile malware poses unique challenges for investigators. Unlike traditional computers, mobile devices store a wealth of personal and professional information, making them lucrative targets for cybercriminals. Furthermore, the inherent complexities of mobile malware demand a multifaceted approach to investigation, involving both technical expertise and user collaboration.

The Two-Part Approach:

  1. Forensic examiners delve into the device's file system and logs to uncover signs of compromise. They utilize specialized tools like Cellebrite Physical Analyzer—the only mobile solution on the market that can scan for malware—to analyze the device's data and identify any malicious activity.
  2. Device owners provide insights into their device usage patterns and any unusual behavior, aiding investigators in establishing a baseline and identifying anomalies. Users play a crucial role in malware investigations by reporting any suspicious activity and providing context to aid in the analysis process.

(A note for CSAM investigations: there are types of malware that place cached child-exploitation images on a device, so it is very important for examiners to validate that the material is true CSAM and was not put there by malware.)

Mitigating Mobile Malware Threats

In the face of a malware attack, swift and decisive action is needed to mitigate its impact and prevent further compromise. From rebooting the device to conducting thorough inspections, users must employ a proactive approach to safeguard their devices and data.

Actionable Steps:

  • Rebooting: Temporarily disrupt malware by rebooting the device: most mobile malware is not kernel-level, so a reboot stops its running processes and returns the device to a stable state, though it does not remove malware that has a persistence mechanism.
  • Inspection: Thoroughly examine the device for suspicious apps, profiles, and settings that may indicate malware presence. Users should review their installed apps and permissions regularly to identify any unauthorized activity.
  • Forensic Analysis: Obtain a full file system extraction to conduct comprehensive malware analysis and identify the root cause of the infection. Forensic examiners utilize advanced techniques to extract and analyze the device's data, uncovering hidden malware and identifying vulnerabilities. For example, analyzing file system metadata may reveal the source of a malware infection and provide insights into the attacker's tactics.
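The inspection and forensic-analysis steps above come down to two questions: which installed apps deserve a closer look, and what else happened on the file system around the time they arrived. The following is an added example, not code from the article or from Cellebrite Physical Analyzer: it parses a constructed app inventory in the shape of Android's `pm list packages -i` output, flags packages that were not installed by the official store or that hold permissions commonly abused by overlay and credential-stealing malware (SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, READ_SMS, REQUEST_INSTALL_PACKAGES), and then lists files whose modification time falls within a window around the suspect package's install time, which is how metadata can point at the dropper that brought the malware in. The package names, permission sets, timestamps and paths are constructed; the trusted-installer list is an assumption to adjust per fleet.

```python
"""Triage an installed-app inventory and correlate install time with file-system
metadata. Added example on constructed data; not Cellebrite tooling."""
import re
from datetime import datetime, timedelta

# Assumption: only the official store counts as a trusted installer on this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Android permissions that malware abuses for overlays, input capture and persistence.
HIGH_RISK_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (fake login overlays)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can read the screen and inject input",
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages",
}

# Constructed sample in the shape of `adb shell pm list packages -i` output.
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.system.update.helper  installer=null
"""

# Constructed per-package install times and granted permissions.
PACKAGE_INFO = {
    "com.android.chrome": {
        "installed": "2024-03-01T09:00:00",
        "perms": {"android.permission.INTERNET"},
    },
    "com.example.bank": {
        "installed": "2024-03-01T09:05:00",
        "perms": {"android.permission.INTERNET", "android.permission.USE_BIOMETRIC"},
    },
    "com.system.update.helper": {
        "installed": "2024-03-02T21:14:00",
        "perms": {"android.permission.INTERNET",
                  "android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    },
}

# Constructed file-system listing: (path, last-modified timestamp).
FILES = [
    ("/data/app/com.android.chrome-1/base.apk", "2024-03-01T09:00:03"),
    ("/sdcard/Download/update.apk", "2024-03-02T21:12:40"),
    ("/data/app/com.system.update.helper-1/base.apk", "2024-03-02T21:14:02"),
    ("/data/data/com.system.update.helper/files/overlay.html", "2024-03-02T21:15:10"),
    ("/sdcard/DCIM/IMG_0042.jpg", "2024-03-03T08:30:00"),
]

PM_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer ('null' means sideloaded or unknown)."""
    out = {}
    for line in text.splitlines():
        m = PM_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def triage(pm_text, package_info):
    """Return {package: [reasons]} for packages worth a closer look."""
    findings = {}
    for pkg, installer in parse_pm_list(pm_text).items():
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by {installer} (not a trusted store)")
        for perm in sorted(package_info.get(pkg, {}).get("perms", ())):
            if perm in HIGH_RISK_PERMS:
                reasons.append(f"{perm.rsplit('.', 1)[1]}: {HIGH_RISK_PERMS[perm]}")
        if reasons:
            findings[pkg] = reasons
    return findings


def files_near(install_iso, files, window_minutes=10):
    """Paths modified within +/- window of an install: dropper and payload candidates."""
    t0 = datetime.fromisoformat(install_iso)
    win = timedelta(minutes=window_minutes)
    return sorted(p for p, ts in files if abs(datetime.fromisoformat(ts) - t0) <= win)


if __name__ == "__main__":
    for pkg, reasons in triage(PM_LIST, PACKAGE_INFO).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
        print("  files near install:", files_near(PACKAGE_INFO[pkg]["installed"], FILES))
```

On the constructed data only the sideloaded "update helper" is flagged, and the file window surfaces an APK in the Downloads folder written two minutes before the install, the kind of artefact that lets an examiner trace the infection back to a phishing link rather than stopping at the malicious app itself.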

Preventing Future Attacks

Prevention is the linchpin of effective mobile malware defense. By implementing stringent security measures and exercising caution in app downloads and permissions, users can fortify their defenses against potential threats.

Proactive Measures for Prevention:

  • App Vigilance: Exercise caution when downloading apps and scrutinize permission requests. Users should only download apps from reputable sources and verify the permissions requested by each app before installation.
  • Mobile Device Management (MDM): Employ MDM solutions to enforce security policies and restrict app installations from external sources. Organizations can implement MDM solutions to centrally manage and secure mobile devices, ensuring compliance with security protocols.
  • User Awareness: Educate users about the risks of mobile malware and encourage them to report any suspicious activity promptly. Training programs can empower users to recognize potential threats and take appropriate actions to safeguard their devices and data.
  • Hardware Keys: Consider physical authentication keys such as YubiKeys, and passkeys, which use NFC, USB-C connectivity and biometrics to prevent account takeovers and credential theft. They are not 100% effective, but they make a significant difference.

About the Author

Heather Mahalik Barnhart is the Senior Director of Community Engagement at Cellebrite, a global leader in premier Digital Investigative solutions for the public and private sectors. She educates and advises digital forensic professionals on cases around the globe. For more than 20 years, Heather has worked on high-profile cases, investigating everything from child exploitation to Osama Bin Laden's digital media.
