How to Detect Malware—Expert Answers to the 5 Most Common Questions
A number of questions came in following our recent “Detecting Mobile Malware When Time is of the Essence” webinar. I answered them all but wanted to share the five most commonly asked questions I receive on malware. Hopefully these answers will help you along the way.
- Do the malware signatures include identification of common spyware/tracker type apps?
The malware signatures will hit on any type of malware that has a known signature and is currently in the Bitdefender list. Keep in mind that many normal apps can be used for spying. Applications such as iCloud, Google, Facebook, Find My, Find Friends, and more can be used in malicious ways.
Many investigations include one or more of these apps when a victim suspects someone is covertly watching them. This is something I discussed last year at RSA.
I recommend you follow these steps when investigating mobile devices for malware:
- Scan for malware and examine any results (make sure you update your signatures).
- Look at both Installed Applications and Applications as parsed by Physical Analyzer.
- For iOS, examine the TCC.db for microphone and location permissions.
- For Android, review all Download directories (phone, SD, media, etc.) and Cache directories.
- Examine the Download data model in Physical Analyzer and follow the trail from
- Review all application usage artifacts and anything that drains the battery. This requires advanced analysis.
- Use timeline analysis – it is so important.
If it’s a legitimate application being used maliciously, a signature scan will never detect it, so it’s up to you!
- With the introduction of checkm8 (and considering that this type of acquisition retrieves more data), is this type of acquisition recommended or effective when hunting for malware?
Yes! The fact that you can use Cellebrite UFED to perform a full file system extraction of an iOS device with checkm8 changes the game on iOS malware investigations. You can now access key files that were previously inaccessible, which paints the picture of application (and possibly malware) usage.
Examining artifacts like KnowledgeC, Screentime, PowerLog, as well as other files that track app usage, will help you determine what’s draining the battery, and find out which apps run in the background. This will help you so much. I recommend this type of extraction for everything (if you have permission), in order to gain access to the most data on the device.
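To make the app-usage review above concrete, here is an added example (my code, not Cellebrite’s or part of the original post) that aggregates foreground time per app from rows shaped like knowledgeC.db’s ZOBJECT table and compares it against per-app background runtime. The ZOBJECT column subset, the use of the `/app/inFocus` stream for foreground sessions, and the background-runtime table (which only stands in for what PowerLog would give you; its column names are mine) are all assumptions, and every row is constructed sample data. The point it shows is the signal the paragraph describes: an app the user barely opens but which runs for hours in the background is the one worth looking at.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Core Data stores dates as seconds since 2001-01-01 00:00:00 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cd_to_datetime(seconds):
    """Convert a Core Data timestamp to an aware UTC datetime."""
    return CORE_DATA_EPOCH + timedelta(seconds=seconds)


# Constructed rows shaped like knowledgeC.db's ZOBJECT table (stream name,
# value string = bundle id, start/end as Core Data timestamps). Using only
# these four columns is an assumption; the real table has many more.
ZOBJECT_ROWS = [
    ("/app/inFocus",  "com.example.messenger",  720_000_000, 720_000_600),
    ("/app/inFocus",  "com.example.flashlight", 720_000_600, 720_000_630),
    ("/app/inFocus",  "com.example.messenger",  720_001_000, 720_001_300),
    ("/app/inFocus",  "com.example.flashlight", 720_004_000, 720_004_010),
    ("/app/webUsage", "com.example.browser",    720_002_000, 720_002_900),
]

# Constructed per-app background runtime in seconds, standing in for the
# kind of aggregate PowerLog provides (column/field names are mine).
BACKGROUND_RUNTIME = {
    "com.example.messenger":  1_200.0,
    "com.example.flashlight": 21_600.0,   # six hours in the background
    "com.example.browser":    5.0,
}


def load_knowledgec(rows):
    """Build an in-memory ZOBJECT-like table from constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZOBJECT (
        ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
        ZSTARTDATE REAL, ZENDDATE REAL)""")
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?)", rows)
    return conn


def focus_time_by_app(conn):
    """Total foreground (inFocus) seconds per bundle id, largest first."""
    totals = defaultdict(float)
    cur = conn.execute(
        "SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
        "WHERE ZSTREAMNAME = '/app/inFocus'")
    for bundle, start, end in cur:
        totals[bundle] += end - start
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def focus_sessions(conn, bundle):
    """Each foreground session of one app as (start, end) datetimes."""
    cur = conn.execute(
        "SELECT ZSTARTDATE, ZENDDATE FROM ZOBJECT "
        "WHERE ZSTREAMNAME = '/app/inFocus' AND ZVALUESTRING = ? "
        "ORDER BY ZSTARTDATE", (bundle,))
    return [(cd_to_datetime(s), cd_to_datetime(e)) for s, e in cur]


def background_heavy_apps(conn, background, ratio=10.0):
    """Apps whose background runtime exceeds `ratio` x their foreground time.

    An app with no foreground sessions at all is compared against one second
    so that 'never opened but always running' is still flagged.
    """
    focus = dict(focus_time_by_app(conn))
    flagged = []
    for bundle, bg in background.items():
        fg = focus.get(bundle, 0.0)
        if bg > ratio * max(fg, 1.0):
            flagged.append((bundle, fg, bg))
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    conn = load_knowledgec(ZOBJECT_ROWS)
    for bundle, secs in focus_time_by_app(conn):
        print(f"{bundle:28} foreground {secs:8.0f}s")
    for bundle, fg, bg in background_heavy_apps(conn, BACKGROUND_RUNTIME):
        print(f"REVIEW {bundle}: {fg:.0f}s foreground vs {bg:.0f}s background")
        for start, end in focus_sessions(conn, bundle):
            print(f"   session {start:%Y-%m-%d %H:%M:%S} -> {end:%H:%M:%S}")
```

Run it as a script to see the per-app totals and the flagged app with its foreground sessions; the ratio is a starting threshold, not a rule, and the sessions give you the timestamps to pivot into the rest of the timeline.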
- Can the APK automatically install itself just by the user clicking on the Dropbox download link? Or do they still have to confirm installation?
There is no way to be sure, but most malware will have to have been installed by the user at some point. I say “most” because I haven’t seen it all. When a user downloads an application from the app store, it automatically installs because the user selects the “Install” button. If the user downloads a piece of malware that was developed to install automatically, it is possible, but this is not as common from what I have seen.
Most malware requires the user to interact with it at some point. You may see where they were enticed to click on it and also the way it was obfuscated. From the timeline perspective, you may even see how the malware was sent or stumbled upon, if the user installed it, and anything that happened right after the malware hit the system. Timelining and reviewing installed applications will really help you here.
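The investigation steps listed earlier (scan, check TCC.db for microphone permissions, review Download directories, timeline everything) and the point just made about seeing how an APK arrived and whether the user installed it can be demonstrated together. The following is an added example, my own code rather than anything from Cellebrite or Physical Analyzer: it queries a TCC-style `access` table for apps currently allowed the microphone or camera, pairs APK files found in a Download directory with package installs that follow shortly after, and merges whatever sources you have into one sorted timeline. The `access` column layout and the meaning of `auth_value` (2 = allowed) mirror my understanding of the iOS 14+ TCC.db schema and should be checked against the extracted database; the download and install records are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed TCC-style rows: service, client, client_type, auth_value,
# last_modified (Unix seconds). Layout and the auth_value meaning
# (2 = allowed, 0 = denied) are assumptions about the iOS 14+ schema.
TCC_ROWS = [
    ("kTCCServiceMicrophone", "com.example.messenger",  0, 2, 1_700_000_000),
    ("kTCCServiceMicrophone", "com.example.flashlight", 0, 2, 1_700_003_000),
    ("kTCCServiceCamera",     "com.example.flashlight", 0, 0, 1_700_003_100),
    ("kTCCServicePhotos",     "com.example.gallery",    0, 2, 1_699_990_000),
]
SENSITIVE_SERVICES = ("kTCCServiceCamera", "kTCCServiceMicrophone")

# Constructed Android-side artifacts: files in a Download directory and
# package install events, each with a Unix timestamp.
DOWNLOADS = [
    ("/sdcard/Download/invoice.pdf", 1_700_001_000),
    ("/sdcard/Download/update.apk",  1_700_002_000),
]
INSTALLS = [
    ("com.example.messenger",  1_699_900_000),
    ("com.example.flashlight", 1_700_002_300),   # five minutes after update.apk
]


def ts(seconds):
    """Unix seconds -> aware UTC datetime."""
    return datetime.fromtimestamp(seconds, timezone.utc)


def load_tcc(rows):
    """Build an in-memory TCC-like database from constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT, client TEXT, client_type INTEGER,
        auth_value INTEGER, last_modified INTEGER)""")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", rows)
    return conn


def sensitive_grants(conn):
    """(client, service, when) for apps currently allowed mic or camera."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    cur = conn.execute(
        f"SELECT client, service, last_modified FROM access "
        f"WHERE auth_value = 2 AND service IN ({placeholders}) "
        f"ORDER BY last_modified", SENSITIVE_SERVICES)
    return [(client, service, ts(t)) for client, service, t in cur]


def sideload_candidates(downloads, installs, window=timedelta(minutes=15)):
    """Pair each install with any APK downloaded within `window` before it.

    Returns (package, apk_path, delay). An install with no preceding APK in
    the window (e.g. a store install) is simply not reported.
    """
    apks = [(path, ts(t)) for path, t in downloads
            if path.lower().endswith(".apk")]
    hits = []
    for package, t in installs:
        installed = ts(t)
        for path, downloaded in apks:
            if downloaded <= installed <= downloaded + window:
                hits.append((package, path, installed - downloaded))
    return hits


def build_timeline(*sources):
    """Merge any number of (when, kind, detail) iterables into one sorted list."""
    events = [event for source in sources for event in source]
    return sorted(events)


if __name__ == "__main__":
    conn = load_tcc(TCC_ROWS)
    ios_events = [(when, "tcc-grant", f"{client} -> {service}")
                  for client, service, when in sensitive_grants(conn)]
    android_events = build_timeline(
        [(ts(t), "download", path) for path, t in DOWNLOADS],
        [(ts(t), "install", pkg) for pkg, t in INSTALLS])
    for when, kind, detail in ios_events + android_events:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:10} {detail}")
    for package, path, delay in sideload_candidates(DOWNLOADS, INSTALLS):
        print(f"possible sideload: {package} installed {delay} after {path}")
```

The two device families are kept in separate event lists because a single handset is one or the other; `build_timeline` does not care where events come from, so the same merge works for usage artifacts, browser history or messages once you have timestamped them. The 15-minute window is an arbitrary starting value for the download-to-install pairing.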
- How effective is this Malware Scanner in iOS Devices?
As of today, we use Bitdefender as our scanning tool and rely on their signatures. Bitdefender’s support is mostly signature-based detection of malware in APK files, which are Android-based applications. Keep in mind that not all malware (even on Android) has a known signature, so the scanner is not perfect even on Android devices.
The support for iOS signatures is not robust at this time. At Cellebrite, we are relying on you, the community, to tell us if this is an issue or if the other methods discussed in the webinar were good enough to help you identify iOS malware.
- Do iPhones need to be jailbroken to get infected with malware?
No! They actually don’t, and for the longest time we assumed that a jailbreak was needed. In 2015 XcodeGhost became public knowledge. This infection existed inside the Apple-approved version of Xcode that was provided to application developers.
What this means is that legitimate apps that were available in the Apple App Store were malicious in nature. Most people wouldn’t think twice about downloading an app from this location. These apps infected iOS devices, including those that were not jailbroken. Full command and control was granted via the malicious app. WeChat was one of the apps impacted by XcodeGhost.
Now, if your device is jailbroken, you are 100% more vulnerable to malware. Once a user installs Cydia (which is back with the checkra1n jailbreak), they have access to additional apps that are not monitored by Apple. This is why we recommend using Cellebrite UFED with checkm8 for a full filesystem extraction versus using the beta of checkra1n to manually jailbreak. Our methods do not permanently jailbreak the iOS device.
Clearly mobile malware is of interest to many of you. Please let me know how Cellebrite can make examining these investigations easier for you. It never hurts to ask, right? I’m all ears, so contact me here.