Module 7
Detecting malware through image acquisition (iOS, Android)
Last updated on: 26 July 2024
The first step in detecting malware on a device is to collect data from the device itself for analysis. Ideally the data is copied off the device into a safe location with as little disruption to the device as possible. More advanced malware may attempt to detect forensic activity and delete itself to hamper detection and analysis.
After completing this subtopic, practitioners should be able to do the following:
For a broader view of malware detection methods and possible challenges, we recommend that all Learners take a look at this talk (it’s originally in German but also translated into French and English), which is a great introduction to the topic and lasts around 50 minutes (plus questions and answers).
Mobile operating systems are typically more limited and locked down than desktop ones, so creating and working with a full backup is not as straightforward, and you may not be able to easily get all information from a device. A full-featured cross-platform tool for mobile data extraction is the Amnesty International Security Lab’s 🧰 Mobile Verification Toolkit (MVT). Full documentation is available on their website, but there are also walkthroughs, for example this one (English, 6-minute video). Do note that this latter walkthrough also includes material we will cover in the next subtopic. Alternatively, you can also use this guide, which will show you how to do backups on both iOS and Android.
When it comes to iOS, you can use a tool called libimobiledevice or iTunes to make a backup. You can then analyze this backup using MVT.
Detecting malware on Android is a little more complicated. You can use a tool called androidqf to capture logs. See this write-up for more details on androidqf and why it’s difficult to do a backup without first connecting an Android device to another computer.
You can install MVT on Linux or macOS. Most Linux systems have pip3, a tool used to install Python packages, which makes installing MVT fairly straightforward. On macOS, you will typically need to install two tools first, Xcode and Homebrew, before being able to install MVT. You can follow the instructions in this guide to install MVT.
🧰 For mobile devices, the system architecture makes on-device antimalware software less effective. However, the Mobile Verification Toolkit (MVT) will scan an Android or iOS device’s extracted data for various malware.
In the previous section, we went over backing up a device with MVT. Once you have done so, you can scan the backup using the command line tool.
Do note, however, that MVT has some limitations:
For a quick read on the IoCs that MVT checks for, how to download and give MVT new IoC data, and a list of potential IoCs you could use in your detection efforts, check out this sub-page in the MVT documentation.
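The workflow described above (decrypt an encrypted iOS backup, refresh IoCs, scan the backup; scan androidqf output directly on Android) as an added example, not code from the MVT project or this module. It assumes MVT was installed with pip3 so that mvt-ios and mvt-android are on PATH; the output and backup directory names are placeholders, and make_sample_backup writes a constructed Manifest.plist so the planning logic can be checked offline.

```python
# Added example (not part of the MVT project or this module): plan the
# MVT triage steps for a mobile backup. Assumes mvt is installed via pip3,
# so `mvt-ios` and `mvt-android` are on PATH; directory names are placeholders.
import plistlib
import subprocess
import tempfile
from pathlib import Path

def ios_backup_is_encrypted(backup_dir: str) -> bool:
    """Read Manifest.plist (binary or XML plist) and return its IsEncrypted flag.

    MVT cannot scan an encrypted backup directly, so this decides whether
    the decrypt-backup step is needed before check-backup.
    """
    with (Path(backup_dir) / "Manifest.plist").open("rb") as fh:
        return bool(plistlib.load(fh).get("IsEncrypted", False))

def mvt_ios_plan(backup_dir: str, output_dir: str, password: str = "") -> list:
    """Return the mvt-ios commands to run, in order: refresh IoCs, decrypt if needed, scan."""
    cmds = [["mvt-ios", "download-iocs"]]
    target = backup_dir
    if ios_backup_is_encrypted(backup_dir):
        if not password:
            raise ValueError("encrypted backup: a password is required for mvt-ios decrypt-backup")
        target = str(Path(output_dir) / "decrypted")
        cmds.append(["mvt-ios", "decrypt-backup", "-d", target, "-p", password, backup_dir])
    cmds.append(["mvt-ios", "check-backup", "-o", str(Path(output_dir) / "results"), target])
    return cmds

def mvt_android_plan(androidqf_dir: str, output_dir: str) -> list:
    """androidqf output is scanned as-is; there is no decryption step on Android."""
    return [["mvt-android", "download-iocs"],
            ["mvt-android", "check-androidqf", "-o", output_dir, androidqf_dir]]

def run_plan(cmds: list) -> None:
    """Execute the planned commands in order, stopping at the first failure."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)

def make_sample_backup(encrypted: bool) -> str:
    """Constructed stand-in for a backup folder (only Manifest.plist), for offline testing."""
    d = tempfile.mkdtemp(prefix="sample-ios-backup-")
    with (Path(d) / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh, fmt=plistlib.FMT_BINARY)
    return d

if __name__ == "__main__":
    # Print the plan for a constructed encrypted backup instead of running mvt.
    for cmd in mvt_ios_plan(make_sample_backup(True), "/tmp/mvt-out", password="backup-pw"):
        print(" ".join(cmd))
```

Passing the password on the command line exposes it to other local users via the process list; mvt-ios decrypt-backup also accepts a key file with -k, which is preferable on a shared analysis machine.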
Smartphone malware forensics: An introduction (Free): A talk by two mobile malware researchers outlining smartphone malware forensics basics, tools, and methods.
Mobile forensics (Free): Comprehensive guide by Security Without Borders on mobile forensics across major platforms.
How to make a Windows 10/11 image backup (Free): Guide on creating a system backup for malware analysis on Windows.
How to back up a Mac or MacBook (Free): Article focusing on disk images for macOS backups.
How To Backup Your Entire Linux System Using Rsync (Free): Guide on using rsync to clone a Linux system for forensic analysis.
MVT, Mobile Verification Toolkit (Free): Tool to analyze iOS and Android backups for malware IoCs.
Backing up with iTunes (Free): Using iTunes to create iOS backups for analysis with MVT.
I analyzed my phone for Pegasus spyware (Free): Video guide using MVT to find IoCs related to Pegasus on iOS.
Beginner guide - How to backup a mobile device for forensic analysis purpose (Free): Introductory guide on using tools to back up iOS and Android devices for malware scanning.
libimobiledevice (Free): Software library to access and back up iOS devices from Windows, macOS, or Linux.
Simplifying Android Forensics (Free): Write-up on tools for Android device backups and their limitations.
Install libimobiledevice (Free): Guide on installing libimobiledevice for forensic investigations.
androidqf (Free): Tool for accessing data from Android devices for forensic analysis.
SANS Course on Digital Acquisition and Rapid Triage (around 8000+ USD): Comprehensive course on acquiring and analyzing data from mobile devices.
For the practice exercises in this subtopic, first back up your device (instructions for each platform are outlined below), and then answer the questions under the “all systems” tag.
Install MVT on your desktop operating system. Follow the directions outlined in this section to make a backup, either by using iTunes or by first installing libimobiledevice.
Install MVT on your desktop operating system. Install androidqf and use it to make a backup.
Conduct a backup of your desktop operating system using a tool of your choice. You can use one of the tools outlined in the learning resources section above.
Check for the following in your backup:
Prior to doing the skill check portion of the exercise, make sure that you have first backed up your files (as described in the practice section). Once you have completed this, do the following:
You have completed a backup of your desktop operating system. Open it and within it, find:
It is perfectly all right to use your favorite search engine to figure out where those files and folders should be located on a disk and then search for them in the same location, just within your backup.
If your iOS backup has been encrypted, use MVT to decrypt it by following these instructions. Read the output of the command to make sure that the decryption has run successfully.
After you have decrypted the backup, ask MVT to download the newest IoCs and then use the tool to scan the backup for malware.
Ask MVT to download the latest IoCs and then use it to scan the backup you made using androidqf.
Congratulations on finishing Module 7!