As smartphones have gained popularity in American culture, it stood to reason that eventually malware—and the potential spoils to be gained from its use—would become attractive to cyber criminals.
Yet the unknowns about mobile malware are almost as many as the apps it often comes packaged in. Not least is the question of whether mobile malware is really an emerging threat, or just so much FUD. (Remember, Verizon's 2012 Data Breach Investigations Report noted that “confirmed [mobile] data compromises remained rare” that year.) What are the major challenges to digital forensic examiners?
1. Mobile malware continues to evolve.
Two of the more common types are spyware apps that help domestic abusers stalk their victims, and malware that mines other apps for private information. Other malware purchases new malicious apps, blocks security updates, sends SMS spam, or even locks an infected device as part of a “ransomware” scheme.
Data destruction, denial of service, data theft and espionage payloads are also expected to appear, along with more complex intrusions targeting sensitive data on smartphones—for instance, enterprise credentials—and mobile payments. Phishing, smishing (SMS phishing) and even vishing (VoIP phishing) may become more prevalent.
Compounding this variety is what happens when devices are jailbroken or rooted. A jailbroken iOS device is vulnerable to both data exfiltration and infiltration. Its installed applications run outside of the iOS sandbox, so they can access data within other apps. And users can install and run apps other than those vetted through the App Store. A rooted Android device, meanwhile, is likewise vulnerable to malicious and exploitable apps, including remote administrative malware.
2. Mobile devices continue to evolve, too.
Additional layers of security, including data encryption, partitions and user locks, all designed to protect personal privacy and corporate data, are effectively anti-forensic. Whether a mobile forensic tool can bypass or break user locks, decrypt data and parse file systems should be top of mind for any forensic examiner who anticipates encountering mobile malware.
3. The presence of mobile malware doesn't necessarily mean that it is the cause of a breach or crime.
Look at Verizon's report, and you'll see a wide variety of attack vectors used in data breaches. But just because money-, information-, or privacy-stealing malware exists on a mobile device doesn't mean that a server or laptop wasn't the actual, or an additional, vector; or that there isn't another way the domestic abuser is monitoring a victim's conversations or travels.
Then again, malware's presence doesn't exculpate offenders either. There is no reason to expect that the “Trojan defense” for possession of child abuse images would not come up with mobile malware.
Any investigation should be based on clear, comprehensive goals. If you're a forensic examiner, make sure the investigator gives you a complete overview of what has happened and what he or she expects to find on the mobile device. If you are an investigator performing the forensic examination, manage your own expectations and assumptions with a scientific approach to the case.
4. Not all attacks are equal.
Is the malware part of a targeted “spear phishing” attack, a “spray and pray” campaign, or somewhere in between—and what would each mean for your case? In a “spray and pray” campaign, the malware is likely to have been downloaded from an app store. But a targeted attack may see malware delivered to a specific person via email or SMS for a particular purpose: the exfiltration of intellectual property, or login credentials.
Isolating the compromised device could be a challenge to enterprise investigators without a comprehensive incident response plan that includes smartphones—especially in organizations that allow bring-your-own-device (BYOD), but do not employ audit practices, user policies, or mobile device management (MDM) solutions that can detect a jailbroken or rooted device.
5. Mobile forensic extractions are also not all equal.
It may be that a file system extraction is enough to extract databases that contain malware—but that assumes the forensic tool you're using extracts the right file types.
You can, of course, perform a physical extraction on many devices to get those files. However, unless the mobile forensic tool you're using adequately reconstructs the file system, the data will be meaningless for the most part.
Even if the extraction and decoding go smoothly, most current mobile spyware detection tools, which come from firms like Lookout, Kaspersky and Symantec, were not designed for forensic examinations and are therefore not forensically sound. Additionally, not all tools maintain up-to-date malware signature databases and may only be able to detect the most common mobile malware.
Finally, remember that typical, automated extraction and decoding cannot capture running processes, so any malware in RAM will remain undetectable unless it leaves artifacts in flash memory.
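As an added example (not code from the original article or from any of the vendor tools it names), the Python below sketches the two checks point 5 calls for when triaging a file-system extraction: hashing the app packages against a signature set, and re-hashing the whole extraction afterwards to show that the triage left the evidence untouched. The directory layout, package names, file bytes and signature set are all constructed; an out-of-date signature set simply returns no matches, which is exactly the gap the text warns about.

```python
import hashlib
import tempfile
from pathlib import Path

PACKAGE_SUFFIXES = {".apk", ".dex", ".odex"}   # app packages the signature set covers

def sha256_file(path: Path) -> str:
    """Hash in chunks, opening read-only, so the evidence file is never written."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(root: Path) -> dict:
    """Baseline of every file in the extraction: relative path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def triage_packages(root: Path, known_bad: dict) -> list:
    """Match each app package against the signature set: (path, sha256, label or None)."""
    return [(rel, digest, known_bad.get(digest))
            for rel, digest in inventory(root).items()
            if Path(rel).suffix.lower() in PACKAGE_SUFFIXES]

def run_triage(root: Path, known_bad: dict) -> dict:
    """Baseline, triage, re-hash: the returned record doubles as the examination log."""
    before = inventory(root)
    hits = triage_packages(root, known_bad)
    return {"evidence_unchanged": inventory(root) == before,   # forensic-soundness check
            "packages_checked": len(hits),
            "matches": [(rel, label) for rel, _, label in hits if label]}

def build_sample_extraction() -> Path:
    """Constructed stand-in for a file-system extraction; contains no real malware bytes."""
    root = Path(tempfile.mkdtemp(prefix="extraction_"))
    spy = root / "data/app/com.example.spy-1"
    notes = root / "data/app/com.example.notes-1"
    db = root / "data/data/com.example.notes/databases"
    for d in (spy, notes, db):
        d.mkdir(parents=True)
    (spy / "base.apk").write_bytes(b"CONSTRUCTED-SPYWARE-SAMPLE")
    (notes / "base.apk").write_bytes(b"CONSTRUCTED-BENIGN-SAMPLE")
    (db / "notes.db").write_bytes(b"SQLite format 3\x00")
    return root

# Constructed signature set keyed by SHA-256; a stale set just yields no matches.
KNOWN_BAD = {hashlib.sha256(b"CONSTRUCTED-SPYWARE-SAMPLE").hexdigest(): "constructed.spyware"}
```

Run `run_triage(build_sample_extraction(), KNOWN_BAD)` to get the record; on a real extraction, point `run_triage` at the mounted image directory and keep `evidence_unchanged` in the case notes.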
The good news is, mobile forensics does not have to reinvent the wheel: malware has been around for a long time, and lessons learned from computer and network compromises will help mobile malware forensics evolve, too.