A mobile device is a portable, wireless device small enough to be used while held in the hand (e.g. a smartphone). Mobile forensics differs from forensics on stationary computers: specialized and varied hardware, many OS versions, large storage capacity, and built-in accessories (camera, GPS).
| Characteristic | Mobile | Stationary computer |
|---|---|---|
| Hardware | Specialized, varied | Standardized |
| OS | Many versions | Usually Windows, macOS, Linux |
| Storage | Large capacity | - |
| Accessories | Cameras, GPS | - |
Malware risk on mobile platforms is relatively low: app-store review and sandboxed execution help. Data loss and theft are the bigger concern, so AV vendors focus on protecting and managing mobile data.
Normal iOS app flow: App Store → user PC running iTunes → purchase → FairPlay DRM → install on device. Attack vectors: FairPlay man-in-the-middle (steal the purchase authorization), third-party clients, enterprise distribution, toolchain attacks, risky third-party SDKs, repackaging.
Motives (profit): advertising, account theft, app promotion, harvesting user privacy data. Means: private APIs, hooking, design flaws.
XcodeGhost: unofficial Xcode distributions aimed at Chinese developers were infected. Every app compiled with the infected Xcode became malicious, collecting device information and uploading it to a C&C server; 39 apps published in the official App Store were affected. The attackers modified the compiler and linker stages of the toolchain.
Data collected: current time, app name, bundle ID, device name and type, system language and country, network type, device UUID.
Jekyll-style apps: the app ships with deliberately planted vulnerabilities that are triggered at runtime by crafted input. The exploit uses ROP to stitch together new execution paths from code already in the binary: send SMS or email, post a tweet, take a photo, steal the device ID. App Store review cannot find these paths without the correct input; the control flow the reviewer sees appears safe.
Capabilities reachable this way (via private APIs): list installed and running apps, launch apps, send and receive SMS, make and monitor calls, read the device ID, Apple ID and advertising ID, take photos, install and uninstall apps.
Toolchain attack surface, four areas: configuration, preprocessor, compiler, linker. Each step can be compromised and each step can be hardened.
CYREN reported a 61% increase in mobile malware targeting Android. Categories: SMS Trojans (~76%), adware (~15%), stealers (~7%). Many samples are repackaged legitimate apps; repackaging is the most effective distribution method.
| Malware | Behavior |
|---|---|
| AccuTrack | GPS tracker |
| Ackposts | Steals contacts, uploads them to a server |
| Acknetdoor | Backdoor; sends the device IP to the attacker |
| Steek/Fatakr | Fake income app; steals private data, sends SMS |
| Tapsnake | Posts the phone's location to a web service |
| ZertSecurity | Tricks the user into entering banking details |
| Zitmo/Citmo | Steals mTAN (mobile banking) codes from SMS |
Also: Acnetdoor, Badnews, DroidDream, Obad, and many more.
Targeted sample: a malicious app disguised as event information for a "Human Rights in China" conference. After installation it reports to its C&C and harvests contacts, call logs, SMS, location and phone data, but uploads only on SMS commands from the C&C, not automatically.
iOS attack vectors (summary): private APIs, hooking, design flaws, enterprise distribution, FairPlay MITM, toolchain attack (XcodeGhost), risky third-party SDKs, repackaging.
Distribution channels for malicious apps: the App Store (if review is bypassed), alternative markets, third-party clients, sideloading.
Kirin: install-time certification against suspicious permission combinations; 9 manually compiled rules; multi-app support.
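Added example (not Kirin's code): an install-time check in the Kirin style that parses the `<uses-permission>` entries of an AndroidManifest.xml and denies installation when a rule's permission combination is fully present. The rule set is illustrative, modelled on the published Kirin rules but not claimed to be the exact nine; the two manifests are constructed, not real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative rules modelled on the Kirin idea (not the exact published set):
# a combination of permissions that together enable one malicious behaviour.
RULES = [
    ("record audio and exfiltrate it",
     frozenset({"READ_PHONE_STATE", "RECORD_AUDIO", "INTERNET"})),
    ("eavesdrop on outgoing calls and exfiltrate",
     frozenset({"PROCESS_OUTGOING_CALLS", "RECORD_AUDIO", "INTERNET"})),
    ("silent location tracking started at boot",
     frozenset({"ACCESS_FINE_LOCATION", "INTERNET", "RECEIVE_BOOT_COMPLETED"})),
    ("silent coarse location tracking started at boot",
     frozenset({"ACCESS_COARSE_LOCATION", "INTERNET", "RECEIVE_BOOT_COMPLETED"})),
    ("intercept and hide incoming SMS (mTAN theft)",
     frozenset({"RECEIVE_SMS", "WRITE_SMS"})),
    ("send SMS and hide the evidence (premium-rate fraud)",
     frozenset({"SEND_SMS", "WRITE_SMS"})),
    ("manipulate launcher shortcuts",
     frozenset({"INSTALL_SHORTCUT", "UNINSTALL_SHORTCUT"})),
]


def requested_permissions(manifest_xml):
    """Short names of every <uses-permission> in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        # android.permission.SEND_SMS -> SEND_SMS
        perms.add(name.rsplit(".", 1)[-1])
    return perms


def check_manifest(manifest_xml):
    """Descriptions of every rule the manifest violates; an empty list means allow."""
    perms = requested_permissions(manifest_xml)
    return [desc for desc, combo in RULES if combo <= perms]


# Constructed manifests (hypothetical apps, not real samples).
BANKING_TROJAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.zitmolike">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

MAPS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maps">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("zitmo-like", BANKING_TROJAN), ("maps", MAPS_APP)):
        hits = check_manifest(manifest)
        print(label, "DENY" if hits else "ALLOW", hits)
```

The maps app also uses location plus INTERNET, but without RECEIVE_BOOT_COMPLETED it does not complete any rule, which is the point of combination rules over single-permission blocklists. The check is only as good as the rule set: a stealer that splits SMS interception and network upload across two colluding apps passes each manifest individually, which is why cross-app rules matter.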
RiskRanker: heuristics such as Dalvik code loaded from the assets directory, crypto API use before loading native code, and sensitive calls without user interaction. Found a zero-day family: AnserverBot.
DroidRanger: static and dynamic analysis; inspects the manifest and packages, where native code is loaded from, and traces API and system calls. Found DroidKungFu and Plankton.
Drebin: permissions, API calls, intents and network addresses as binary features; linear SVM over 545K+ dimensions; ~10 seconds per app on a real device. The per-feature weights explain each detection.
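Added example (not Drebin's code): a Drebin-style pipeline in miniature. String features from the four feature sets are prefixed with their set name and treated as a binary vector; a linear SVM is trained with plain Pegasos-style SGD on the hinge loss, and the top-weighted features of a sample give the explanation. The six apps are constructed, the API and URL strings are assumptions chosen to look like real feature strings, and the training loop is the textbook update, not Drebin's implementation.

```python
from collections import defaultdict


def extract_features(app):
    """Drebin-style string features, prefixed by feature set (e.g. 'perm::SEND_SMS')."""
    feats = set()
    for group in ("perm", "api", "intent", "url"):
        for value in app.get(group, ()):
            feats.add(f"{group}::{value}")
    return feats


def train_linear_svm(samples, epochs=50, lam=0.01):
    """Pegasos-style SGD on the hinge loss over binary features.
    samples: [(feature_set, label)] with label in {+1, -1}.
    Returns the weight vector as a dict feature -> weight."""
    w = defaultdict(float)
    t = 0
    for _ in range(epochs):
        for feats, y in samples:
            t += 1
            eta = 1.0 / (lam * t)
            margin = y * sum(w[f] for f in feats)
            for f in list(w):          # regularisation: shrink every weight
                w[f] *= 1.0 - eta * lam
            if margin < 1.0:           # hinge loss active: step towards the sample
                for f in feats:
                    w[f] += eta * y
    return dict(w)


def score(w, feats):
    """Positive = malicious."""
    return sum(w.get(f, 0.0) for f in feats)


def explain(w, feats, top=3):
    """Features contributing most to a malicious verdict (Drebin's explanation)."""
    ranked = sorted(((w.get(f, 0.0), f) for f in feats), reverse=True)
    return [f for weight, f in ranked[:top] if weight > 0]


# Constructed training set (hypothetical apps).
MALWARE = [
    {"perm": ["INTERNET", "SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE"],
     "api": ["android.telephony.SmsManager.sendTextMessage",
             "android.telephony.TelephonyManager.getDeviceId"],
     "intent": ["android.intent.action.BOOT_COMPLETED"],
     "url": ["http://evil.example/gate.php"]},
    {"perm": ["INTERNET", "SEND_SMS", "READ_PHONE_STATE"],
     "api": ["android.telephony.SmsManager.sendTextMessage",
             "android.telephony.TelephonyManager.getDeviceId",
             "dalvik.system.DexClassLoader.loadClass"],
     "intent": ["android.intent.action.BOOT_COMPLETED"],
     "url": ["http://evil.example/gate.php"]},
    {"perm": ["INTERNET", "RECEIVE_SMS", "WRITE_SMS"],
     "api": ["android.telephony.SmsManager.sendTextMessage", "java.lang.Runtime.exec"],
     "intent": ["android.provider.Telephony.SMS_RECEIVED"],
     "url": ["http://bank-update.example/"]},
]
BENIGN = [
    {"perm": ["INTERNET", "ACCESS_FINE_LOCATION"],
     "api": ["android.location.LocationManager.getLastKnownLocation",
             "java.net.HttpURLConnection.connect"],
     "intent": ["android.intent.action.MAIN"],
     "url": ["https://maps.example/tiles"]},
    {"perm": ["INTERNET"],
     "api": ["java.net.HttpURLConnection.connect", "android.media.MediaPlayer.start"],
     "intent": ["android.intent.action.MAIN"],
     "url": ["https://cdn.example/"]},
    {"perm": ["INTERNET", "CAMERA"],
     "api": ["android.hardware.Camera.open", "java.net.HttpURLConnection.connect"],
     "intent": ["android.intent.action.MAIN"],
     "url": ["https://photos.example/upload"]},
]


def training_set():
    """Interleave the classes so SGD sees both from the first steps."""
    samples = []
    for m, b in zip(MALWARE, BENIGN):
        samples.append((extract_features(m), +1))
        samples.append((extract_features(b), -1))
    return samples


def train_demo():
    return train_linear_svm(training_set())


if __name__ == "__main__":
    w = train_demo()
    for app in MALWARE + BENIGN:
        feats = extract_features(app)
        print(round(score(w, feats), 2), explain(w, feats))
```

Because every app requests INTERNET, its weight ends up at zero: a feature shared by both classes carries no evidence, while the SMS permission and `sendTextMessage` call dominate the explanation of the malicious samples. With a real corpus the vector has hundreds of thousands of dimensions and is kept sparse exactly as the dict here is.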
Repackaging: most malware is a repackaged legitimate app (clone a popular app, add the malicious payload). Detection tools: DNADroid (program dependence graph similarity), PiggyApp (piggybacked payload detection), DroidMOSS (fuzzy hashing of method instruction sequences).
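Added example (a simplified model of the DroidMOSS idea, not its code): each method's opcode sequence is reduced to a set of opcode 3-grams as its fuzzy signature; an original app and a suspect are compared method by method, ignoring names because repackagers rename classes; the app-level score is the mean best-match similarity, and suspect methods that match nothing in the original are reported as the injected payload. The opcode sequences and method names are constructed.

```python
def opcode_ngrams(opcodes, n=3):
    """Set of opcode n-grams: the fuzzy signature of one method."""
    return {tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}


def method_similarity(ops_a, ops_b, n=3):
    """Jaccard similarity of two methods' n-gram sets (1.0 = identical structure)."""
    ga, gb = opcode_ngrams(ops_a, n), opcode_ngrams(ops_b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def compare_apps(original, suspect, threshold=0.5):
    """original, suspect: dict method_name -> list of opcode mnemonics.
    Greedily pairs every original method with its most similar unused suspect
    method. Returns (similarity, matches, injected): similarity is the mean
    best-match score over the original's methods, matches maps original ->
    (suspect name, score), injected lists suspect methods matched by nothing."""
    matches, used, total = {}, set(), 0.0
    for name, ops in original.items():
        best_score, best_name = 0.0, None
        for sname, sops in suspect.items():
            if sname in used:
                continue
            s = method_similarity(ops, sops)
            if s > best_score:
                best_score, best_name = s, sname
        if best_name is not None and best_score >= threshold:
            matches[name] = (best_name, round(best_score, 3))
            used.add(best_name)
            total += best_score
    similarity = total / len(original) if original else 0.0
    injected = sorted(set(suspect) - used)
    return similarity, matches, injected


# Constructed opcode sequences for a small game app (hypothetical).
ORIGINAL = {
    "MainActivity.onCreate": ["invoke-super", "const/4", "invoke-virtual", "const-string",
                              "invoke-static", "move-result-object", "iput-object", "return-void"],
    "MainActivity.onClick": ["iget-object", "const/4", "if-eqz", "invoke-virtual", "goto", "return-void"],
    "Game.tick": ["iget", "add-int/lit8", "iput", "iget", "const/16", "if-lt",
                  "invoke-direct", "return-void"],
    "Net.fetch": ["new-instance", "invoke-direct", "invoke-virtual", "move-result-object",
                  "check-cast", "return-object"],
}

# The repackaged clone: names obfuscated, a payload method added, and onCreate
# patched with two instructions that start the payload (constructed).
REPACKAGED = {
    "a.a": ["invoke-super", "new-instance", "invoke-direct", "const/4", "invoke-virtual",
            "const-string", "invoke-static", "move-result-object", "iput-object", "return-void"],
    "a.b": ["iget-object", "const/4", "if-eqz", "invoke-virtual", "goto", "return-void"],
    "b.a": ["iget", "add-int/lit8", "iput", "iget", "const/16", "if-lt",
            "invoke-direct", "return-void"],
    "b.b": ["new-instance", "invoke-direct", "invoke-virtual", "move-result-object",
            "check-cast", "return-object"],
    "a.c": ["invoke-static", "move-result-object", "const-string", "const-string",
            "const/4", "const/4", "invoke-virtual", "return-void"],   # SMS-sending payload
}

if __name__ == "__main__":
    sim, matches, injected = compare_apps(ORIGINAL, REPACKAGED)
    print(f"similarity {sim:.3f}")
    for name, (sname, s) in matches.items():
        print(f"  {name} -> {sname} ({s})")
    print("injected:", injected)
```

The patched `onCreate` still scores 5/9 against its original because most of its 3-grams survive, so it is matched rather than flagged, while the payload method shares no 3-gram with any original method and is the only thing left over. Thresholds matter: with a stricter method threshold the patched entry point would also show up as "injected", which is still a useful signal since it is exactly where the hook was inserted.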
Online analysis services: Andrubis, Mobile Sandbox, APK Analyzer.
Behavioral detection: CrowDroid (crowd-sourced system-call traces, anomaly detection in the cloud), PREC (per-app model of normal behaviour), CopperDroid (QEMU-based system-call reconstruction).
PiOS: static analysis of iOS binaries; apps are initially encrypted (obtain the code via a memory dump); ARM assembly with indirect jumps complicates control-flow recovery. Of 1,400 apps, more than half leaked the device ID.
TaintDroid: dynamic taint tracking in the Android framework at variable and message (IPC) level; 14% overhead. 15 of 30 apps leaked location data.
Whyper: compares requested permissions against the app description using NLP: does the app do what it promises?
Data flow analysis: track flows from sources (location, contacts, etc.) to sinks (SMS, internet, logs); used to detect API abuse and data theft. Android has 30+ source types, 10+ sink types, and ~400 flow types.
Example app description: "Facebook does not allow export of phone numbers or emails. Only names, pictures, statuses synced." The observed flows include leakage paths the description does not declare; data flow analysis can compare the expected flows against the actual ones.
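Added example (not TaintDroid's code) serving both the taint-tracking and the source-to-sink passages above: a `Tainted` string carries the set of source labels it was derived from and propagates them through the operations it overrides; sinks record every (source, sink) pair that reaches them; an allowlist of declared flows, standing in for what the description promises ("only names synced"), turns the observed set into a list of undeclared leaks. The app behaviour, the hostnames and the identifier values are constructed.

```python
def labels_of(value):
    """Taint labels carried by a value; plain values carry none."""
    return getattr(value, "labels", frozenset())


class Tainted(str):
    """A str that remembers which sensitive sources it was derived from.
    Taint propagates only through the operations overridden here; TaintDroid
    propagates inside the Dalvik VM so every data move is covered."""

    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, str(other)), self.labels | labels_of(other))

    def __radd__(self, other):          # "prefix" + tainted
        return Tainted(str.__add__(str(other), self), labels_of(other) | self.labels)

    def __getitem__(self, key):         # slicing keeps the taint
        return Tainted(str.__getitem__(self, key), self.labels)

    def upper(self):
        return Tainted(str.upper(self), self.labels)


class Monitor:
    """Sources hand out tainted values; sinks record the (label, sink) flows
    they receive; declared flows are those the app description admits."""

    def __init__(self, declared):
        self.declared = set(declared)
        self.observed = set()

    # Sources (constructed values, not a real device).
    def get_contacts(self):
        return Tainted("Alice Smith;+1-555-0100", {"CONTACTS"})

    def get_device_id(self):
        return Tainted("358240051111110", {"DEVICE_ID"})

    def get_location(self):
        return Tainted("52.5200,13.4050", {"LOCATION"})

    # Sinks.
    def _sink(self, sink, *values):
        for v in values:
            for label in labels_of(v):
                self.observed.add((label, sink))

    def http_post(self, url, body):
        self._sink("NETWORK", body)

    def send_sms(self, number, body):
        self._sink("SMS", number, body)

    def log(self, message):
        self._sink("LOG", message)

    def undeclared_flows(self):
        return sorted(self.observed - self.declared)


def run_contact_sync_app(mon):
    """Constructed app whose description promises that only names are synced."""
    contacts = mon.get_contacts()
    name = contacts[:11]                                          # "Alice Smith"
    mon.http_post("https://sync.example/names", "name=" + name)   # declared flow
    # A bundled ad SDK adds the device ID and location to its beacon.
    beacon = "id=" + mon.get_device_id() + "&loc=" + mon.get_location()
    mon.http_post("https://ads.example/beacon", beacon)
    mon.log("synced " + name.upper())                             # contact data hits logcat


def analyze():
    mon = Monitor(declared={("CONTACTS", "NETWORK")})
    run_contact_sync_app(mon)
    return mon


if __name__ == "__main__":
    mon = analyze()
    print("observed:", sorted(mon.observed))
    print("undeclared:", mon.undeclared_flows())
```

Two caveats carry over to real systems. Taint tracks data dependencies only: a value copied through a branch condition (an implicit flow) is not labelled, here or in TaintDroid. And any operation that is not instrumented drops the label, which is why the wrapper above overrides slicing and `upper()` while `split()` would silently launder the taint; a VM-level implementation avoids that gap by propagating on every move instruction.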
STAMP: the Android codebase is huge (3M+ lines), so full-system analysis is expensive. STAMP abstracts Android into models to make analysis tractable; model accuracy is critical.
Summary: when benign apps become evil (ROP, bypassing App Store review); information leakage detection on iOS and Android.