Mobile malware is picking up steam. From malicious apps that send private and personal data to unknown third parties, to sound- and light-activated mobile malware, to mobile malware that can exfiltrate information from Windows PCs, mobile malware increased between 580% and 1000% last year, with tens of thousands of pieces of malware currently in the wild.
That’s why in December, BitDefender’s anti-malware technology was implemented in Cellebrite’s UFED Physical Analyzer software to analyze physical and file system extractions and provide a comprehensive malware report.
The integrated solution helps forensic examiners to pinpoint whether undetected malware aided the commission of crimes. More specifically, BitDefender unpacks apps’ .apk files and looks inside them for infected files. The company regularly and frequently updates its signature files, so each time you run UFED Physical Analyzer’s malware scanner, you get fresh malware signatures to scan images.
At Mobile Forensics World last month, presenters Carlos Cajigas and Pete McGovern with Florida-based EPYX Forensics used open source Linux-based tools to validate our integration of BitDefender mobile malware scanning. Among the tools: AVG and Clam, as well as BitDefender mounted within Linux Ubuntu.
As described in the EPYX blog, Cajigas had already scanned the image of an infected HTC Desire with UFED Physical Analyzer’s BitDefender integration. There, our software identified 331 infections.
After a review of how AVG, Clam, and BitDefender performed against 11,080 known pieces of malware identified from ViruShare.com, a repository of samples, Cajigas ran AVG and Clam against the device’s image. They found only 14 and 19 infections, respectively. As he noted, this can be valuable low-hanging fruit that may be all that is needed to make a case.
Even so, a final scan with BitDefender uncovered 368 suspicious files out of 39,473 total files (including those within the 11,080 .apks); of those, 41 were viruses. Cajigas accounted for the discrepancy between this scan and the initial Physical Analyzer scan by stating that he had performed the first scan several weeks earlier—and that BitDefender had likely updated its signature files since.
Beyond the malware scan
Cajigas points out: “Simply scanning a device only points to the fact that there may be some evil on that image. Reverse engineering can find out if the image is in fact infected, or would be a false positive.”
What counts as a false positive? That depends. “If I root my phone, I will install BusyBox on it,” says Cajigas. “Because most people call it a hacking tool, malware detectors alert on it. But because it was intentionally installed, it’s not in fact malware. This makes it a false positive.”
Several variables determine whether a forensic examiner should move forward in determining whether a malware infection has any bearing on a case. One variable is the severity of charges. Another is what other evidence exists in the case. A case that hinges on mobile device evidence may require additional investigation so as to reduce reasonable doubt.
“If you find malware, how would you be satisfied that the malware you found is not related to the crime?” Cajigas asks. “The only answer is research and investigation.” He recommends pulling any infected .apks into a resource like Anubis, which “sandboxes” .apks for safe exploration. Here, it is possible to see what URLs the .apks are calling, along with any other suspicious behavior.
From there, it may be necessary to reverse engineer the suspected malware. Cajigas says this is an advanced skill which usually involves very specific training. Yet, developing this kind of skill—or finding an expert who has it—could be important to a case.
He offers the example of an .apk that is shown to be a worm. “Later on the examiner might determine that the worm opened a backdoor that calls to a command and control center, which steals information such as the device’s IMEI or ICCID—but does not download child porn,” he explains. This could be very important in a child exploitation case.
As Cajigas’ presentation showed, the addition of BitDefender to UFED Physical Analyzer means that investigators’ ability to identify potential and actual malware is much stronger than it would be if Clam or AVG were all they had to rely on. However, examiners must be able to testify in court about the process they used to detect and then investigate suspicious .apks.