As Android continues to increase its market share, so do the attacks and malware targeting Android users. Mobile malware is a broad term for software that performs unintended actions on a device and includes Trojans, spyware, adware, ransomware, and so on. According to Pulse Secure, 97 percent of mobile malware targets the Android operating system (http://www.scmagazineuk.com/updated-97-of-malicious-mobile-malware-targets-android/article/422783/). According to statistics released by G-DATA software, almost 4,900 new Android malware samples were being discovered every day. The following is a sample screenshot that shows the rise of Android malware over the past few years (referenced from https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q1_2015_US.pdf):
One of the primary reasons for this situation is that, unlike Apple's App Store, which is tightly controlled by Apple, Google's Play Store is a comparatively open ecosystem without a detailed upfront security review of every submission. Malware authors can therefore publish their apps to Play Store and distribute them with little friction. Google now runs an automated malware scanner named Google Bouncer, which scans every uploaded app for malicious behavior, but attackers have found several ways to evade it. Moreover, Android officially allows the installation of apps downloaded over the Internet (side-loading), unlike iOS, which only runs apps signed with an Apple-issued certificate. For example, as shown in the following screenshot, when the Unknown sources option is enabled on an Android device, the user can install apps downloaded from any site on the Internet:
Third-party app stores that host Android apps are known to be hubs of malware. This prompted Google to roll out the Verify apps feature starting with Android 4.2, which scans apps locally on the device for malicious behavior, such as SMS abuse. As shown in the following screenshot, Verify apps may warn the user or, in some cases, block the installation outright. However, this is an opt-in service, so users can disable it if they choose to; from a forensic standpoint, the absence of a Verify apps warning is therefore not evidence that a device is clean:
Once malware gets onto a device, it can perform dangerous actions, some of which are listed as follows:
Advanced malware is also capable of rooting the device and installing new apps. For example, the Android Mazar malware, discovered in February 2016, spreads via text messages and, once installed, obtains Device Administrator rights on the phone. These rights are granted through Android's Device Administration API rather than by rooting, but they are enough to let the malware wipe the handset, make calls, or read texts.
A full list of Android malware families and their capabilities is available at http://forensics.spreitzenbarth.de/android-malware/ for reference.
An Android device can be infected with malware in several ways. The following are some of the possible infection vectors:
From a forensic perspective, it's important to identify the presence of any malware on the device before performing any analysis, because malware can alter the state of the device or the contents on it, making the analysis or its results inconsistent. Tools are available in the market that analyze a physical extraction to identify malware. For example, Cellebrite UFED Physical Analyzer integrates BitDefender's antimalware engine, which scans the extraction for malware. As shown in the following screenshot, once the physical image is loaded into the tool, the image can be scanned for malware.
Once the scan starts, the BitDefender engine tries to unpack the .apk files and looks for infected or malicious files. The process is automatic, and the tool points to the malicious apps, as shown in the following screenshot:
The tool simply indicates that something malicious is present on the device. The forensic investigator then has to confirm manually whether this is a valid finding by analyzing the respective application. This is where the reverse engineering skills discussed in the previous sections need to be leveraged. Once the application is reverse engineered and its code is obtained, it is recommended that you look at the AndroidManifest.xml file (inside the .apk it is stored as binary XML, so decode it with a tool such as apktool first) to find out which permissions the app requests and which components, such as activities, services, and broadcast receivers, it declares. This helps you understand what resources the app is trying to access, what events cause it to run (for example, device boot or an incoming SMS), and whether it asks for more than its stated purpose requires. For example, a Flashlight application does not need read/write access to your SD card data or permission to make a call.
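The following script is an added example for this chapter, not a Cellebrite, BitDefender, or Google tool. It takes a decoded AndroidManifest.xml (as produced by apktool) and lists the permissions and components an investigator would want to question: SMS and telephony permissions, a receiver that asks for Device Administrator rights (the mechanism Mazar used), and a high-priority receiver for incoming SMS. The grouping of "suspicious" permissions is this example's own triage list, not an official Android classification, and the embedded manifest is a constructed sample of a "flashlight" app that asks for far more than a torch needs.

```python
"""Triage a decoded AndroidManifest.xml for permissions and components that
are out of place for the app's stated purpose.

Added example for this chapter. Usage: python triage_manifest.py [AndroidManifest.xml]
With no argument it analyzes the constructed SAMPLE_MANIFEST below.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions worth a second look during triage. This list is the example's
# own choice of what matters in an investigation, not an Android category.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate abuse, spreading)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (2FA theft)",
    "android.permission.READ_SMS": "can read SMS history",
    "android.permission.CALL_PHONE": "can place calls without user interaction",
    "android.permission.READ_CONTACTS": "can harvest contacts",
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can modify SD card contents",
    "android.permission.READ_EXTERNAL_STORAGE": "can read SD card contents",
    "android.permission.ACCESS_FINE_LOCATION": "can track location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start at boot (persistence)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlays)",
    "android.permission.INTERNET": "can exfiltrate data",
}

# Constructed sample manifest (not a real malware sample): a flashlight app
# that requests SMS and call permissions, registers a high-priority SMS
# receiver, and asks to become a Device Administrator.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name plus lists of (name, reason) tuples for the
    suspicious permissions and receivers found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    name_attr = ANDROID_NS + "name"
    findings = {"package": root.get("package"), "permissions": [], "components": []}

    for node in root.iter("uses-permission"):
        perm = node.get(name_attr)
        if perm in SUSPICIOUS_PERMISSIONS:
            findings["permissions"].append((perm, SUSPICIOUS_PERMISSIONS[perm]))

    for recv in root.iter("receiver"):
        comp = recv.get(name_attr)
        # A receiver protected by BIND_DEVICE_ADMIN is how an app asks to become
        # a Device Administrator, which is what allows lock/wipe of the handset.
        if recv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings["components"].append((comp, "requests Device Administrator rights"))
        for filt in recv.iter("intent-filter"):
            actions = {a.get(name_attr) for a in filt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                # A high priority lets the receiver see an SMS before the stock
                # messaging app does (and, on old Android versions, abort it).
                prio = filt.get(ANDROID_NS + "priority", "0")
                findings["components"].append(
                    (comp, "listens for incoming SMS (priority %s)" % prio))
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_MANIFEST
    found = triage_manifest(text)
    print("package:", found["package"])
    for perm, why in found["permissions"]:
        print("  PERMISSION", perm, "-", why)
    for comp, why in found["components"]:
        print("  COMPONENT ", comp, "-", why)


if __name__ == "__main__":
    main(sys.argv)
```

The output is a starting point, not a verdict: CAMERA and FLASHLIGHT are expected for a torch app and are not reported, while SEND_SMS, CALL_PHONE, and the Device Administrator receiver are the findings that justify pulling the decompiled code for a closer look.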
It's also important to note that the tool may miss a valid case if the contents of the .apk file are obfuscated, since a signature-based scanner can only flag what it recognizes. Hence, as a forensic investigator, it's important to develop the skills to reverse engineer any suspicious app and analyze its code to identify malicious behavior. In some investigations, the nature of the malware present on the device may also lead to crucial conclusions that affect the outcome of a case. For example, consider an internal investigation in a corporation that involves abusive messages being sent to other employees. Identifying malware on this device that sends.