ROs Maryam Ahmad Dated: Dec, 2022

SOP for Malware Detection in Smartphones (Android and iOS)

Introduction
1. This document describes how to identify malware on Android and iPhone
smartphones. There are four ways to identify malware on a smartphone. Details
are as follows: -
(a) Forensic Image Acquisition
(b) Anti-Malware Scanning using Application
(c) Memory Capture
(d) Traffic Analysis
2. Different tools are used for Malware Identification. Details about installation and
usage of these tools are described in Appendix 1 and Appendix 2.
| Category | Android | iPhone |
|---|---|---|
| Phone Scanning | VirusTotal mobile app | iMazing |
| Memory Analysis | LiME, Volatility | Not possible due to strict iOS restrictions. |
| Traffic Analysis | Wireshark; Netstat Plus (GUI based, an Android app); Packet Capture (GUI based, an Android app) | Mac Catalina VM; XCode; Wireshark |

Forensic Image Acquisition - Physical Acquisition


3. Rooting / Jailbreaking: For physical image acquisition, rooting is required
for an Android smartphone and jailbreaking is required for an iOS smartphone. Rooting is
the process by which users of Android devices attain privileged control (known as
root access) over the smartphone. The rooting procedure for most Android smartphones is
available at the following link: www.xda-developers.com/root. Jailbreaking is the
use of a privilege escalation exploit to remove software restrictions imposed by the
manufacturer. The jailbreaking procedure for an iOS smartphone is done by following this link:
www.wikihow.com/jailbreak-an-iphone. Further details are as follows: -
1. Acquire a physical image of the iPhone 14: Use a forensic tool to create a
bit-by-bit copy of the device's storage. This image will be used for analysis and
investigation. There are several forensic tools that support physical imaging of
iPhone 14 devices. Some popular tools include:
a) Cellebrite UFED: Cellebrite UFED is a widely used mobile forensic tool
that supports physical imaging of iPhone 14 devices. It can extract data from a
variety of sources, including device memory, SIM cards, and cloud services.
b) Magnet AXIOM: Magnet AXIOM is another popular mobile forensic tool
that supports physical imaging of iPhone 14 devices. It has advanced analysis
features and can recover deleted data from the device.
c) Oxygen Forensic Detective: Oxygen Forensic Detective is a
comprehensive mobile forensic tool that supports physical imaging of iPhone 14
devices. It has a user-friendly interface and can extract data from a variety of
sources, including device memory, SIM cards, and cloud services.
d) XRY: XRY is a mobile forensic tool that supports physical imaging of
iPhone 14 devices. It has a wide range of features, including advanced analysis
and decryption capabilities.
e) GrayKey: GrayKey is a forensic tool developed by Grayshift that can
perform physical imaging of iPhone 14 devices. It has a simple interface and can
extract data quickly.

2. Identify potential malware indicators: Look for any unusual activity, such as
unexpected network connections, suspicious files or folders, or abnormal battery
usage. Check system logs, application logs, network logs, and security logs for any
anomalies. Here are some of the commonly analyzed log files and their locations:

a) System logs: System logs are located in the /var/log directory. The
main system log file is called system.log, and it contains information about
system events, crashes, and errors.
b) Application logs: Application logs are located in the
/var/mobile/Library/Logs directory. Each application has its own log file, which
may contain information about app crashes, errors, and user activity.
c) Network logs: Network logs are located in the /private/var/log/ directory.
The main network log file is called ppp.log, and it contains information about
network activity, including IP addresses, DNS requests, and network
connections.
d) Security logs: Security logs are located in the /private/var/log/ directory.
The main security log file is called auth.log, and it contains information about
authentication events, such as login attempts and password changes.
3. Analyze the network traffic: Check the device's network traffic for any
suspicious activity, such as connections to known malicious domains or
communication with unfamiliar IP addresses.
4. Analyze installed apps: Check the installed apps for any suspicious behavior or
permissions that may indicate malware. Pay attention to any apps that are not
from the official App Store or that have been side-loaded onto the device.
5. Check for jailbreaking or rooting: Check if the iPhone 14 has been jailbroken
or rooted, as this may increase the risk of malware infection. Look for any signs
of a jailbreak, such as Cydia app, unauthorized system changes, or
installation of third-party apps outside of the App Store.
6. Use anti-malware tools: Use anti-malware software to scan the device's storage
image for known malware signatures or behaviors.
7. Analyze the data: Analyze the data obtained from the above steps to identify
any patterns, traces or artifacts that may indicate the presence of malware.
It's important to note that the above steps may not apply to every case and may vary
depending on the specific circumstances of the investigation.
Limitations / Challenges
4. Accessing system logs, application logs, network logs, and security logs on an
iPhone 14 without jailbreaking is not possible. Apple does not provide a built-in tool to
access these logs on non-jailbroken devices. However, there are some alternate ways
that may be helpful in some scenarios:
Logical / Advanced Logical Acquisition
If the iPhone 14 is not jailbroken, it is still possible to create a logical image of the
device's data using forensic tools that support logical acquisition. Details are as follows:
-
a. Connect the iPhone 14 to a forensic workstation using a USB cable.
b. Launch Oxygen Forensic Detective 14 on the forensic workstation.
c. In the main window of Oxygen Forensic Detective 14, click on the "Acquire" tab
at the top of the screen.
d. From the dropdown menu, select "iOS Logical."
e. Follow the on-screen instructions to establish a connection between Oxygen
Forensic Detective 14 and the iPhone 14. You may need to enter the passcode of
the device to unlock it.
f. Once the connection is established, select the data categories that you want to
include in the logical acquisition. Oxygen Forensic Detective 14 allows you to select
from a wide range of data categories, including calls, messages, contacts,
calendars, photos, and app data.
g. Click on the "Start Acquisition" button to begin the logical acquisition process.
h. Wait for Oxygen Forensic Detective 14 to complete the acquisition process. The
time required to complete the acquisition will depend on the amount of data selected
for acquisition.
i. You can then use the data acquired by Oxygen Forensic Detective 14 to analyze
and investigate the iPhone 14 for any evidence of malware or other suspicious
activity. Different files of the iOS smartphone are analyzed. Details are as follows: -
- File system: The file system of the iPhone is located in /private/var/mobile/ and contains important data and files related to installed applications, user data, and system settings.
- System logs: The system logs are located in /private/var/log/ and can provide valuable information on system events, errors, and other activity on the device.
- Application data: The application data for each installed application is located in /private/var/mobile/Containers/Bundle/Application/ and can provide information on user activities, contacts, and communications.
- Network logs: The network logs are located in /private/var/mobile/Library/Logs/CrashReporter/ and can reveal information on network activity and communications, such as websites visited and data transferred.
- Call logs and messages: The call logs and messages are stored in /private/var/mobile/Library/CallHistoryDB/ and /private/var/mobile/Library/SMS/, respectively, and can provide information on the user's communications and contacts.
- Photos and videos: The photos and videos are stored in /private/var/mobile/Media/DCIM/ and /private/var/mobile/Media/PhotoData/, respectively, and can provide evidence of the user's activities, including locations, people, and events.
- Geolocation data: The geolocation data is stored in /private/var/root/Library/Caches/locationd/consolidated.db and can provide information on the user's movements and activities.
- Contacts and calendars: The contacts and calendars are stored in /private/var/mobile/Library/AddressBook/ and /private/var/mobile/Library/Calendar/, respectively, and can provide information on the user's personal and professional contacts and schedules.
- Email and social media: The email and social media data is stored in the respective applications' data directories, such as /private/var/mobile/Containers/Data/Application/ for email and social media apps, and can provide information on the user's communications and contacts.
Anti-Malware Scanning using Application
1. Different apps are used for malware scanning on smartphones. The VirusTotal app is
used for Android and the iMazing app is used for iOS. A comparison of the
iPhone and Android scanning applications is given below: -
| Features | iMazing App for iPhone Smartphone | VirusTotal App for Android Smartphone |
|---|---|---|
| Description | iMazing's spyware detection tool (iMazing.com). iMazing is only compatible with Apple devices. | VirusTotal Mobile checks the applications installed in your Android phone against VirusTotal (www.virustotal.com). It will inform you about malware (viruses, trojans, worms). |
| Supported Devices | All iPhone, iPad and iPod touch models are supported. It supports iOS versions (prior to iOS 5). | All Android phones. |
| How it works? | It works by analyzing a backup of your iPhone or iPad to spot traces left by known spyware. | Analyzes APK files, suspicious files and URLs. |
| Paid or Free | Many of iMazing's features are available for free, but you'll need to purchase a license from our store to unlock unlimited data exports, access to advanced options when you restore a backup, and to update or reinstall iOS. | Free |
| Report Includes | Type, Severity, Malware, Analyzer Module, Description etc. | Detection by antivirus |

Memory Capture
Android Smartphone – Memory Capture


5. Capturing the volatile memory of a mobile phone enables investigators and
examiners to do a full memory analysis and access data including browsing
history, encryption keys and chat messages. It allows an investigator to identify
unauthorized and anomalous activity on the target device. On Android
smartphones, memory is captured using the Linux Memory Extractor (LiME)
and analyzed with Volatility. Different artifacts can be detected from the memory dump.
Details are as follows: -
| Attribute | Description | Artifacts |
|---|---|---|
| Process Tree | Look at what processes have been created and what the parent processes are | child/parent, PID/UID, process names |
| Linux_pslist plugin | It deals with process lists. | extracts a list of running processes |
| Linux_Arp | It gives a view on systems that the mobile device recently connected to within the same subnet. | extracts ARP cache |
| Linux_route_cache | It gives a view on IP addresses that the Android device connected to | extracts routing cache |
| linux_netstat | It deals with open sockets | lists all open sockets |
| Linux_enumerate_files | Find files and directories in memory by identifying and parsing file system structures | inode address, inode number and file path |
| Linux_lsof | Give more context about the files in memory. For instance, if an image was opened by a messaging application, this could indicate that the image was sent or received via the application | displays a list of open files |
| Access Other Apps | If an app is detected to be accessing other directories in the data directory, it implies that it may be malicious. | Analyze directories |
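As an added illustration of the "Access Other Apps" check in the table above (this script is not part of the SOP), the Python below parses Linux_lsof output and flags any app process holding files inside another package's private data directory. The sample output is constructed in the column layout of Volatility 2's linux_lsof plugin; the process names, packages and paths are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of Volatility 2's linux_lsof plugin
# (Offset(V), Name, Pid, FD, Path). Not output from a real memory dump.
SAMPLE_LSOF = """\
Offset(V)          Name                     Pid      FD       Path
------------------ ------------------------ -------- -------- ----
0xffff88003d8ba000 init                            1        0 /dev/null
0xffff88003a1c4000 com.example.chat             1420        3 /data/data/com.example.chat/databases/msgs.db
0xffff88003b7e2000 com.example.chat:push        1433        4 /data/data/com.example.chat/files/token
0xffff88003c5d1000 com.weather.widget           1502        5 /data/data/com.weather.widget/shared_prefs/cfg.xml
0xffff88003c5d1000 com.weather.widget           1502        6 /data/data/com.example.chat/databases/msgs.db
0xffff88003c5d1000 com.weather.widget           1502        7 /data/user/0/com.bank.app/shared_prefs/session.xml
"""

# One data row: offset, process name, pid, fd, path (no spaces inside fields).
LSOF_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)$")
# App-private storage on Android: /data/data/<pkg>/ or /data/user/<n>/<pkg>/
APP_DATA_RE = re.compile(r"^/data/(?:data|user/\d+)/([^/]+)/")

def parse_lsof(text):
    """Yield (process_name, pid, path) for each data row of linux_lsof output."""
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if m:
            yield m.group(2), int(m.group(3)), m.group(5)

def owning_package(path):
    """Return the package that owns an app-private path, or None for any other path."""
    m = APP_DATA_RE.match(path)
    return m.group(1) if m else None

def cross_app_access(text):
    """Map (process, pid) -> sorted paths inside another app's private directory.
    Android helper processes are named '<package>:<suffix>'; the suffix is stripped
    so a legitimate helper (e.g. com.example.chat:push) is not flagged."""
    hits = defaultdict(set)
    for proc, pid, path in parse_lsof(text):
        owner = owning_package(path)
        if owner is not None and proc.split(":", 1)[0] != owner:
            hits[(proc, pid)].add(path)
    return {key: sorted(paths) for key, paths in hits.items()}

if __name__ == "__main__":
    for (proc, pid), paths in cross_app_access(SAMPLE_LSOF).items():
        print(f"{proc} (pid {pid}) opened files owned by other apps:")
        for p in paths:
            print("   ", p)
```

A hit is a lead, not a verdict: backup agents and launchers legitimately read other packages' directories, so each flagged process still needs to be checked against its declared permissions and origin.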

iOS Smartphone – Memory Capture


6. Performing a memory capture on an iPhone 14 typically requires a jailbroken
device and specialized tools. However, there are a few potential options that may work
without jailbreaking, although they are not guaranteed to work on all devices or in all
circumstances.
7. One option is to use the checkm8 exploit, which is a low-level bootrom
exploit that can be used to bypass security restrictions and gain access to the
device's memory. This method requires physical access to the device and specialized
tools to perform the exploit, but does not require the device to be jailbroken.
8. Another option is to use a hardware-based solution, such as a JTAG
debugger or chip-off technique, to extract the device's memory directly from the
circuit board. This method is typically used as a last resort and can be expensive and
time-consuming.
It's important to note that attempting to perform a memory capture on an iPhone 14 may potentially
damage the device or violate its warranty, and should only be done by trained professionals with proper
authorization.
Traffic Analysis
iOS Smartphone – Traffic Analysis
9. For iPhone traffic analysis, we need macOS Catalina, Xcode and
Wireshark. For this purpose, all incoming and outgoing network
packets to and from the iOS device are recorded for a specific duration of time. Details are as follows:
-
a) Connect the iPhone to the macOS Catalina computer: Use a lightning
cable to connect the iPhone to the computer running macOS Catalina.
b) Install Xcode: Xcode is a development tool that allows you to create and
manage iOS apps. Install Xcode on the macOS Catalina computer by
downloading it from the App Store.
c) Enable USB tethering: To allow the computer to capture network traffic
from the iPhone, enable USB tethering on the iPhone. Go to Settings >
Personal Hotspot > and turn on the "Allow Others to Join" option.
d) Open Xcode: Open Xcode on the macOS Catalina computer and go to
Window > Devices and Simulators.
e) Select the iPhone: Select the iPhone from the list of available devices in
the Devices and Simulators window.
f) Enable network traffic capture: Click on the "Open Console" button in
the Devices and Simulators window. This opens the Console window, which
displays logs and messages from the iPhone.
g) In the Console window, enter the following command:
   sudo /usr/local/bin/iproxy 2222 22
   This command forwards traffic from port 2222 on the macOS Catalina
   computer to port 22 on the iPhone.
h) Capture network traffic using Wireshark: Open Wireshark on the
macOS Catalina computer and select the loopback interface from the list of
available interfaces.
i) Start capturing traffic: Click on the "Start" button in Wireshark to start
capturing network traffic from the iPhone. Perform actions on the iPhone that you
want to capture traffic for, such as browsing the web, using apps, or
sending/receiving messages.
j) Stop capturing traffic: Once you have captured enough traffic, click on
the "Stop" button in Wireshark to stop capturing network traffic from the iPhone.
k) Analyze captured traffic: You can now analyze the captured network
traffic using the Wireshark tool. This may involve decoding the traffic, extracting
metadata and artifacts, and identifying any suspicious or malicious activity.
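As an added example (not part of this SOP), the script below applies the "unfamiliar IP address" check from step 3 of the indicator list to a capture saved from Wireshark: it reads the pcap file directly, handles both Ethernet captures and the DLT_NULL framing Wireshark writes for the macOS loopback interface selected above, and counts packets to destinations outside an analyst-supplied baseline. The capture bytes, the addresses and the baseline are all constructed.

```python
import struct
from collections import Counter

def build_pcap(linktype, packets):
    """Return a classic little-endian pcap file as bytes (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def ipv4_packet(src, dst, proto=6):
    """Minimal 20-byte IPv4 header with no payload; enough for address extraction."""
    a = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, a(src), a(dst))

def dst_addresses(pcap):
    """Yield destination IPv4 addresses from a pcap captured on an Ethernet interface
    (linktype 1, 14-byte header) or on macOS's loopback lo0 as selected in Wireshark
    in the steps above (linktype 0, DLT_NULL, 4-byte address-family header)."""
    magic, = struct.unpack("<I", pcap[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"        # file byte order from the magic
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    l2_len = {1: 14, 0: 4}[linktype]                # bytes to skip before the IP header
    pos = 24
    while pos + 16 <= len(pcap):                    # 16-byte per-packet record header
        caplen = struct.unpack(e + "I", pcap[pos + 8:pos + 12])[0]
        ip = pcap[pos + 16 + l2_len:pos + 16 + caplen]
        pos += 16 + caplen
        if len(ip) >= 20 and ip[0] >> 4 == 4:       # IPv4 only; skip ARP/IPv6 frames
            yield ".".join(str(b) for b in ip[16:20])

def unfamiliar_destinations(pcap, baseline):
    """Count packets to destinations outside the analyst's baseline of known-good hosts."""
    return dict(Counter(a for a in dst_addresses(pcap) if a not in baseline))

# Constructed capture: DLT_NULL frames (AF_INET = 2 family header) as Wireshark writes
# them for lo0. The 192.0.2.x, 203.0.113.x and 198.51.100.x addresses are documentation ranges.
AF_INET = struct.pack("<I", 2)
SAMPLE_PCAP = build_pcap(0, [
    (1, AF_INET + ipv4_packet("10.0.0.5", "192.0.2.10")),
    (2, AF_INET + ipv4_packet("10.0.0.5", "203.0.113.77")),
    (3, AF_INET + ipv4_packet("10.0.0.5", "203.0.113.77")),
    (4, AF_INET + ipv4_packet("10.0.0.5", "198.51.100.9")),
])
BASELINE = {"192.0.2.10", "10.0.0.1"}   # constructed: hosts the analyst already expects

if __name__ == "__main__":
    for addr, n in unfamiliar_destinations(SAMPLE_PCAP, BASELINE).items():
        print(f"{n} packet(s) to unfamiliar host {addr}")
```

Resolve the flagged addresses against the DNS responses in the same capture before drawing conclusions, since CDN and push-notification hosts change address frequently and will often fall outside a static baseline.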
It's important to note that capturing network traffic from an iPhone without proper authorization may
violate privacy and security laws and expose you to legal and ethical consequences. Therefore, it's
recommended to consult with a legal expert and follow the proper procedures and guidelines before
attempting to capture network traffic on an iPhone.