IRM 9 SmartphoneMalware

1 Preparation

Objective: Establish contacts, define procedures, and gather information to save time during an attack.

■ Mobile helpdesk must have a defined process in case of a suspected malware infection: replace the smartphone of the user with a new one and isolate the suspicious device for analysis by the forensic investigator.

■ A good knowledge of the usual activity of the smartphone is appreciated (default and extra tools running on it). A smartphone support expert can be helpful to assist the forensic investigator.

■ Monitoring should be done to check unusual user bill or network activity.

2 Identification

Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Main points of notification for a suspicious smartphone:

■ Antivirus raises alerts;
■ Unusual system activity, unusually slow system;
■ Unusual network activity, very slow Internet connection;
■ The system reboots or shuts down without reason;
■ Some applications crash unexpectedly;
■ User receives one or multiple messages, some of which could have unusual characters (SMS, MMS, Bluetooth messages, etc.);
■ Huge increase in phone bill or web activity;
■ Unusual calls to unusual phone numbers or at unusual hours/days.

Evidence such as website URLs needs to be gathered.

3 Containment

Objective: Mitigate the attack's effects on the targeted environment.

■ Ensure user is given a temporary or new permanent device to avoid any time constraint on the investigation.

■ Back up the smartphone data.

■ Remove battery to block all activity (wifi, Bluetooth, etc.).

■ Launch an antivirus check on the computers that are/have been synchronized or linked with the smartphone.

■ Send the suspicious smartphone and appropriate components (SIM, battery, power cable, memory cards) to your security incident response team. This team will help to isolate the malicious content and send it to antivirus companies.
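The Identification indicators above (calls to unusual numbers or at unusual hours, a jump in the phone bill, messages carrying unusual characters, URLs to keep as evidence) can be checked mechanically against call-detail records and message bodies; the following is an added example and not part of the IRM sheet. It assumes constructed sample records, an assumed office-hours window and a baseline bill supplied by the handler.

```python
import re
from datetime import datetime

# Constructed call-detail records (timestamp, called number, cost): illustration only,
# none of these values come from the IRM sheet.
SAMPLE_CDR = [
    ("2024-03-01 09:15", "+33123456789", 0.20),
    ("2024-03-01 18:40", "+33123456789", 0.35),
    ("2024-03-02 03:12", "+88213370001", 9.90),  # unknown number, middle of the night
    ("2024-03-02 03:14", "+88213370001", 9.90),
    ("2024-03-03 12:05", "+33987654321", 0.15),
]

# Assumed baseline: numbers the user or helpdesk confirms as usual contacts.
KNOWN_NUMBERS = {"+33123456789", "+33987654321"}

# Constructed message bodies; the second carries control and bidi/zero-width characters.
SAMPLE_SMS = ["Meeting at 10", "Call now \u0000\u202e\u200b http://example.invalid"]

INVISIBLE = set("\u200b\u200c\u200d\u202a\u202b\u202c\u202d\u202e")
URL_RE = re.compile(r"https?://\S+")


def unusual_calls(cdr, known, office_hours=(8, 22)):
    """Return calls to a number outside the known set or placed outside office hours."""
    flagged = []
    for ts, number, cost in cdr:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
        off_hours = not (office_hours[0] <= hour < office_hours[1])
        if number not in known or off_hours:
            flagged.append((ts, number, cost))
    return flagged


def bill_increase(cdr, baseline_cost, ratio=2.0):
    """Return (exceeded, total): exceeded is True when the period costs more than ratio x the usual bill."""
    total = round(sum(cost for _, _, cost in cdr), 2)
    return total > ratio * baseline_cost, total


def unusual_characters(text):
    """True when a message contains control characters or invisible bidi/zero-width marks."""
    return any(ord(c) < 32 or c in INVISIBLE for c in text)


def gather_urls(messages):
    """Collect website URLs from message bodies so they can be kept as evidence."""
    return [url for m in messages for url in URL_RE.findall(m)]
```

Anything flagged is a starting point for the forensic investigator, not proof of infection; the baseline numbers and usual bill must come from the helpdesk's knowledge of the device.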
4 Remediation

If some encryption or password accesses are set, find out a way to get access to the stored data. If this is not possible, the investigation will suffer high limitations.

Specific tools should be used by your incident response team to lead the forensic investigation on the smartphone.

Just for information, here is a short list of tools which can be useful:

Free tools: XDA Utils (Windows Mobile), MIAT (Mobile Internal Acquisition Tool – Symbian, Windows Mobile), TULP2G, Blackberry Desktop Manager

Commercial tools: XRY, Cellebrite, Paraben …

Actions:

■ Remove SIM from the smartphone if not already done;
■ Recover phone history, web history and all available logs;
■ Recover server connection logs if available;
■ Identify and remove the threat on the smartphone;
■ If the threat is related to an installed application, identify its location on the Internet and remove it.

5 Recovery

If the user needs to recover from the infected device, define a quarantine period and an appropriate anti-virus check, if possible, to ensure nothing could harm the user or the company's systems.

Restore the data saved previously from a trusted source on the destination device.

Once the investigations are over, wipe the infected smartphone (if possible) and reset it to factory settings with a pristine firmware and file system, in order to be used again.

6 Aftermath

Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Report

An incident report should be written and made available to all of the actors.

The following themes should be described:

■ Initial detection
■ Actions and timelines
■ What went right
■ What went wrong
■ Incident cost

Capitalize

Actions to improve the smartphone policy should be defined to capitalize on this experience.

Debrief the incident with the user to improve his awareness of security problems.

IRM #9
Malware on smartphone
How to handle a suspicious smartphone
___________________________________________________
IRM Author: CERT SG / Julien Touche
IRM version: 1.2
E-Mail: cert.sg@socgen.com
Web: https://cert.societegenerale.com
Twitter: @CertSG

Abstract

This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a precise security issue.

Who should use IRM sheets?
Administrators
Security Operation Center
CISOs and deputies
CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps

6 steps are defined to handle security incidents:
Preparation: get ready to handle the incident
Identification: detect the incident
Containment: limit the impact of the incident
Remediation: remove the threat
Recovery: recover to a normal stage
Aftermath: draw up and improve the process

IRM provides detailed information for each step.

This document is for public use