
As has become a mainstream news story many times over, some Android phones are being shipped with malware preinstalled, because they go from factory to a second party who adds the malware and then to the US.

What is the strategy for examining and identifying malware on these phones?

I assume I'd need to use adb to extract a complete file list, look for obvious known adware like Adups, spyware, etc., and then proceed to scan all files looking for patterns, i.e. YARA files.

Can anyone expand upon this basic understanding and correct misunderstandings?

Soron
flane

  • You really can't do much if the backdoor is added at the firmware level since the firmware itself can lie about what's on the device. If it's a rooted device that can also make it near impossible to spot a backdoor. There's really just a lot of trust you have to place in your supply chain. This is why companies have blacklists of suppliers they will never purchase from. Be careful where you buy your hardware from, and be wary of used devices. An easy precaution is to factory reset a new device even if it's fresh out of the box. That at least will handle low effort attacks. – Daisetsu Oct 09 '18 at 17:33
  • There are known examples though of easily found adware or malware, where the carrier (e.g. BLU) just didn't even look. This is more what I'm looking for in the first pass. But I need access to the file systems first to see what is in them. I'm trying to avoid desoldering the flash chips and reading them with a custom Raspberry Pi setup as some people might. – flane Oct 09 '18 at 20:45
  • (not an answer; doesn't address method) there is [software available called ClassyShark3xodus](https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/) that can be installed from F-Droid, which will scan APKs - it uses `dexdump` and a prefix lookup from the [static analysis tool εxodus](https://github.com/Exodus-Privacy/exodus-standalone), which can be installed as a CLI tool to scan data from a device (PS: this [appears to gain its lookup db from a web-service](https://github.com/Exodus-Privacy/exodus-core/blob/v1/exodus_core/analysis/static_analysis.py), despite the label "standalone") – brynk May 27 '22 at 18:40
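The first pass the question describes (enumerate what is installed, flag known-bad names, then pattern-scan the pulled files) can be scripted against the output of `adb shell pm list packages -f`, which prints one `package:<apk path>=<package name>` line per installed app. The following is an added example written for this page, not code from the question, the comments, or any tool named above. The package listing, the baseline set, the watchlist prefix and the byte patterns are all constructed placeholders: a real triage would use the listing pulled from the device, a baseline taken from a trusted image of the same model, and the analyst's own YARA rules in place of the naive substring scan shown here.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Regex for one line of `adb shell pm list packages -f` output.
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")

# Read-only partitions where a factory (or supply-chain) image places apps the
# user cannot uninstall; anything here that is not in the baseline is of interest.
PREINSTALLED_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/", "/odm/", "/system_ext/")

# Constructed sample of `pm list packages -f` output (package names are placeholders).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Updater/Updater.apk=com.example.fota.updater
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/vendor/app/Telemetry/Telemetry.apk=com.vendor.telemetry
"""

# Constructed baseline: packages expected on a clean image of this model.
BASELINE: Set[str] = {"com.android.settings"}

# Constructed watchlist of package-name prefixes the analyst considers suspect.
WATCHLIST_PREFIXES: Tuple[str, ...] = ("com.example.fota",)

# Constructed byte patterns standing in for YARA strings; the hostname is a placeholder.
SAMPLE_PATTERNS: Dict[str, bytes] = {
    "constructed_update_host": b"updates.example.invalid",
    "constructed_dex_marker": b"dex\n035",
}


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path, skipping lines that do not match the format."""
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def triage(packages: Dict[str, str],
           watchlist_prefixes: Iterable[str],
           baseline: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (package, path, reason) for packages worth a closer look.

    A watchlist hit is reported wherever the APK lives; otherwise only apps on
    a preinstalled partition that the clean baseline does not contain are flagged.
    """
    findings: List[Tuple[str, str, str]] = []
    for pkg, path in sorted(packages.items()):
        preinstalled = path.startswith(PREINSTALLED_PREFIXES)
        if any(pkg.startswith(prefix) for prefix in watchlist_prefixes):
            findings.append((pkg, path, "matches watchlist prefix"))
        elif preinstalled and pkg not in baseline:
            findings.append((pkg, path, "preinstalled but absent from baseline"))
    return findings


def scan_bytes(data: bytes, patterns: Dict[str, bytes]) -> List[str]:
    """Naive substring scan over one pulled file; a YARA rule set replaces this in practice."""
    return [name for name, pattern in patterns.items() if pattern in data]


def run_demo() -> Dict[str, object]:
    """Run both steps over the constructed inputs and return the results."""
    packages = parse_pm_list(SAMPLE_PM_OUTPUT)
    findings = triage(packages, WATCHLIST_PREFIXES, BASELINE)
    # Constructed stand-in for the bytes of an APK pulled with `adb pull`.
    fake_apk = b"PK\x03\x04...classes.dex...updates.example.invalid..."
    hits = scan_bytes(fake_apk, SAMPLE_PATTERNS)
    return {"packages": packages, "findings": findings, "pattern_hits": hits}


if __name__ == "__main__":
    for pkg, path, reason in run_demo()["findings"]:
        print(f"{pkg:30} {reason:40} {path}")
```

The script deliberately separates "where the APK lives" from "what it is called": a watchlist name in `/data/app` was installed after the device left the factory, while an unknown package under `/system` or `/vendor` is the preinstalled case the question is about. Both steps are only as good as their inputs, and the first comment's caveat applies: a listing produced by the device's own firmware can omit entries, so a baseline pulled from a trusted image is the reference, not the suspect device.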
