I have a rooted android phone and I know there's a malware in the phone . The malware is capable of automatically connect to a nearby bluetooth device or wifi ap and stream whatever I do on the phone to the attacker .
My questions :
What is the best way to dig out the malware ?
Which part of android filesystem should I look into to dig out the malware ?
What effective tool can I use to log the bluetooth and wifi connection if netstat and ifconfig can't detect the connection ?
1) Unless you know very well what you're doing (for example experience with malware reverse engineering) or you know the exact malware used, I would advise against this. I would say it's better to just format the phone outright.
2) How do you know that there is malware on your phone? This would help track down where you might want to look.
3) This website talks about recording Bluetooth packets. This uses the phone's storage so it may be compromised by the malware, but I have personally not found malware that modifies these logs. According to http://www.fte.com/WebHelp/BPA600/Content/Documentation/WhitePapers/BPA600/Encryption/GettingAndroidLinkKey/RetrievingHCIlog.htm the way to get the logs of Bluetooth packets is as follows:
On the Android device go to Settings.
Select Developer options.
Click to enable Bluetooth HCI snoop logging.
Return to the Settings screen and select Developer options.
In the Developer options screen select Enable Bluetooth HCI snoop log. The log file is now enabled.
On the Android device turn off Bluetooth.
Turn on Bluetooth.
Reboot the Android device.
The HCI log file is now being generated and is saved to /sdcard/btsnoop_hci.log.
As for recording communication over WiFi, I would recommend connecting to the AP and running WireShark on your computer to see what packets are flowing between your phone and the AP.
