In this concluding phase, we will summarize the key steps followed throughout the case and the investigation of the suspicious application `com.systemservice`. This phase will also reflect on the investigative process, highlighting the findings related to the app’s capabilities and discussing the intuition and methodologies applied during the analysis.

Summary of Phases:

Phase 1: Preliminary triage and case setup

  • Contextual information: we began by gathering contextual details from the person-at-risk to understand the background and nature of the suspected compromise. This included conducting an interview and identifying potential signs of malicious activity on the device.
  • Initial triage: the device’s graphical interface was examined for warning signs, such as apps requesting dangerous permissions, binding to accessibility services, and potentially insecure device settings. During this process, we identified a suspicious app that appeared to disguise itself with a legitimate-sounding name like “Google Services” and a similar icon to the legitimate Google service apps. Although we still needed to confirm the app’s malicious nature, it immediately caught our attention and required further investigation.

Phase 2: Forensic analysis

  • Data acquisition: the potentially compromised device was connected to a forensic workstation, and data acquisition was performed using AndroidQF to gather extensive data from the phone.
  • Forensic analysis: the Mobile Verification Toolkit (mvt) was used to analyze the acquired data. This phase concentrated on identifying any signs of compromise, with a particular focus on the app flagged during triage. The analysis also involved checking the data against known Indicators of Compromise (IOCs), revealing that the app "com.systemservice" matched the IOCs associated with the known stalkerware “TheTruthSpy.”
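The two checks that drove Phases 1 and 2 (warning signs in the app inventory, and a match against a package-name IOC list) can be combined into a small triage script. The following is an added example written for this summary; it is not part of the guide, AndroidQF or mvt. The package inventory and the STIX2-style indicator object are constructed sample data (only the `com.systemservice` name comes from the case), and the `app:id` pattern parsing assumes the convention mvt uses for app indicators.

```python
"""Added triage helper: flag installed apps by IOC match, accessibility binding,
clusters of dangerous permissions and name/namespace mismatch."""
import re

# Dangerous permissions that matter most when triaging for stalkerware.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Package namespaces where a "Google"/"system" label is expected.
TRUSTED_PREFIXES = ("com.google.", "com.android.")

# Constructed inventory in the shape a triager might export from
# `adb shell dumpsys package` or an AndroidQF acquisition. Only the
# com.systemservice package name is taken from the case.
SAMPLE_PACKAGES = [
    {"name": "com.google.android.gms", "label": "Google Play services",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"],
     "accessibility_service": False},
    {"name": "com.systemservice", "label": "Google Services",
     "permissions": ["android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
                     "android.permission.READ_CALL_LOG",
                     "android.permission.ACCESS_FINE_LOCATION"],
     "accessibility_service": True},
    {"name": "com.example.screenreader", "label": "Screen Reader",
     "permissions": [], "accessibility_service": True},
    {"name": "org.example.notes", "label": "Notes",
     "permissions": [], "accessibility_service": False},
]

# Constructed STIX2-like bundle: indicators whose pattern names an app id.
# Real indicator files are larger; this is just enough to exercise the parser.
SAMPLE_STIX = {"objects": [
    {"type": "indicator", "name": "TheTruthSpy",
     "pattern": "[app:id = 'com.systemservice']"},
    {"type": "indicator", "name": "TheTruthSpy",
     "pattern": "[domain-name:value = 'example.invalid']"},  # not an app id
]}


def ioc_packages_from_stix(bundle):
    """Return {package_name: family} for every app:id indicator (assumes mvt's
    `[app:id = '...']` pattern convention)."""
    found = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = re.search(r"app:id\s*=\s*'([^']+)'", obj.get("pattern", ""))
        if m:
            found[m.group(1)] = obj.get("name", "unknown")
    return found


def impersonates_trusted(pkg):
    """Heuristic: label presents the app as a Google/system component but the
    package is outside the Google/AOSP namespaces (the disguise seen in triage)."""
    label = pkg["label"].lower()
    claims = "google" in label or "system" in label
    return claims and not pkg["name"].startswith(TRUSTED_PREFIXES)


def triage(packages, iocs):
    """Produce findings sorted with IOC matches first, then by number of reasons."""
    findings = []
    for pkg in packages:
        reasons = []
        if pkg["name"] in iocs:
            reasons.append(f"IOC match: {iocs[pkg['name']]}")
        if pkg.get("accessibility_service"):
            reasons.append("binds an accessibility service")
        dangerous = sorted(set(pkg.get("permissions", [])) & DANGEROUS)
        # One dangerous permission is common; a cluster of them is the signal.
        if len(dangerous) >= 3:
            short = ", ".join(p.rsplit(".", 1)[1] for p in dangerous)
            reasons.append(f"dangerous permissions: {short}")
        if impersonates_trusted(pkg):
            reasons.append(f"label {pkg['label']!r} does not match package namespace")
        if reasons:
            findings.append({"package": pkg["name"],
                             "ioc_match": pkg["name"] in iocs,
                             "reasons": reasons})
    findings.sort(key=lambda f: (not f["ioc_match"], -len(f["reasons"])))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, ioc_packages_from_stix(SAMPLE_STIX)):
        print(f["package"], "->", "; ".join(f["reasons"]))
```

Run against the sample data, the script reports `com.systemservice` first with all four reasons and the accessibility-bound screen reader second with one; the Play services package is not flagged because its label matches its namespace and it holds a single dangerous permission. The namespace heuristic is deliberately crude and is meant to prompt a closer look, not to decide on its own.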

Phases 3 and 4: Static and Dynamic App Analysis

  • Static analysis: the APK "com.systemservice" downloaded from the infected device was decompiled using jadx, revealing the app’s permissions and capabilities. This analysis identified the app’s potential for accessing sensitive data such as SMS messages, call logs, and location information. The app’s use of accessibility services to capture user interactions and screen content was also confirmed.
  • Dynamic analysis: the app was run in a controlled emulator environment to observe its runtime behavior. Tools like pidcat and fsmon were used to monitor logs and file system activity, respectively. By intercepting network traffic with Burp Suite, the app was found to be exfiltrating data, including URLs visited by the user, to remote servers.

Findings on the capabilities of the malicious app

The investigation confirmed that the app "com.systemservice" is indeed malicious, aligning with the identified IOCs for “TheTruthSpy.” The app was found to have extensive capabilities, including:

  • Data exfiltration: the app captured and transmitted sensitive user data, such as URLs visited in the browser, to external servers.
  • Abuse of Accessibility Services: the app abused Android’s Accessibility Services to monitor user interactions and read on-screen content.
  • Dangerous permissions: the app requested numerous dangerous permissions, allowing it to access the device’s camera, microphone, SMS messages, call logs, and location data.

Next steps to clean the device from the infection detected

To effectively clean the device from this infection, the triager or technologist from the helpline would follow these steps:

  • Uninstall the malicious app: remove the malicious app from the infected device, ensuring that it no longer has access to Accessibility Services, administrator privileges, or any other permissions. Also ensure that Developer Mode, which was enabled for our analysis, is disabled again.
  • Re-enable Play Protect: re-enable Google Play Protect and use Play Protect to perform a manual scan of the device, ensuring that no other malicious apps are present.
  • Review device settings: thoroughly review the device settings, permissions, and configurations again to ensure that no other malicious apps are installed.
  • Factory reset: optionally consider wiping the phone and reinstalling the operating system to ensure no other malicious software remains on the device. Be mindful of the information stored in the phone and its availability after the reset.
  • Reset passwords: support the owner of the device in resetting passwords for all accounts that were synchronized with the infected device to prevent unauthorized access, doing so from a different, trusted device.
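Several of the cleanup steps above leave traces that can be verified over adb before Developer Mode is switched off: the package should be gone from the package list, no longer appear in the enabled accessibility services setting or in the device policy dump, and the developer options flag should be off. The following is an added verification helper written for this summary, not part of the guide; the two device states are constructed sample data, and the `package_verifier_enable` check assumes that global setting reflects system-level app verification (Play Protect's own toggle still needs a look in the Play Store UI).

```python
"""Added post-cleanup verification helper: compare device state gathered over
adb against the cleanup checklist for a known malicious package."""
import subprocess

MALICIOUS_PKG = "com.systemservice"  # package name from the case


def adb(*args):
    """Run `adb shell <args>` and return stdout (needs a connected device)."""
    result = subprocess.run(["adb", "shell", *args],
                            capture_output=True, text=True, check=True)
    return result.stdout


def collect_state():
    """Gather the pieces of device state the checklist cares about."""
    packages = [line.split(":", 1)[1].strip()
                for line in adb("pm", "list", "packages").splitlines()
                if line.startswith("package:")]
    return {
        "packages": packages,
        "accessibility": adb("settings", "get", "secure",
                             "enabled_accessibility_services").strip(),
        "device_policy": adb("dumpsys", "device_policy"),
        "dev_options": adb("settings", "get", "global",
                           "development_settings_enabled").strip(),
        # Assumed mapping to system app verification; verify Play Protect by hand too.
        "verify_apps": adb("settings", "get", "global",
                           "package_verifier_enable").strip(),
    }


def remaining_issues(state, pkg=MALICIOUS_PKG):
    """Return the checklist items that are still outstanding (empty = clean)."""
    issues = []
    if pkg in state["packages"]:
        issues.append(f"{pkg} is still installed")
    if pkg in state["accessibility"]:
        issues.append(f"{pkg} is still listed in enabled accessibility services")
    if pkg in state["device_policy"]:
        issues.append(f"{pkg} still appears in the device policy dump (device admin)")
    if state["dev_options"] == "1":
        issues.append("Developer options are still enabled")
    if state["verify_apps"] == "0":
        issues.append("System app verification is disabled; check Play Protect")
    return issues


# Constructed states: what a device might look like before and after cleanup.
STATE_BEFORE_CLEANUP = {
    "packages": ["com.google.android.gms", "com.systemservice"],
    "accessibility": "com.systemservice/com.systemservice.AccessService",
    "device_policy": "Current Device Policy Manager state:\n"
                     "  Enabled Device Admins (User 0):\n"
                     "    com.systemservice/com.systemservice.AdminReceiver\n",
    "dev_options": "1",
    "verify_apps": "0",
}
STATE_AFTER_CLEANUP = {
    "packages": ["com.google.android.gms"],
    "accessibility": "null",  # what `settings get` prints when the value is unset
    "device_policy": "Current Device Policy Manager state:\n",
    "dev_options": "0",
    "verify_apps": "1",
}


if __name__ == "__main__":
    # Live run against a connected device; prints nothing extra when clean.
    for issue in remaining_issues(collect_state()):
        print("TODO:", issue)
```

Run the script while the device is still in Developer Mode; once it reports no issues, disable Developer Mode as the last step. The `device_policy` check is a plain substring search on the dump, which is deliberately loose so that it works across Android versions whose dump layouts differ.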

Additionally, you can support the device owner by encouraging them to update the device and its apps and to remove any unused apps or accounts present on the phone. These steps should be integrated into a broader digital security strategy. In addition to considering the individual’s specific threat model, the following actions could be valuable to share with the device owner to help protect against future threats and ensure the device remains secure.

  • Use a strong PIN or password to lock the phone: recommend always locking the device with a strong PIN or, better, a password that includes letters and special characters.
  • Enable two-factor authentication (2FA): recommend strengthening account security by enabling 2FA on all accounts.
  • Minimize information on the phone: minimize the traces of information stored on the phone by enabling self-deleting messages in messaging apps, where available.
  • Review app permissions: recommend regularly reviewing and cleaning up the permissions granted to apps.
  • Remove unused apps and accounts: periodically review and remove unused apps and accounts from the device.
  • Update the device and apps: keep the device’s operating system and all apps up to date.
  • Avoid rooting the phone: rooting the device can expose it to additional risks and make it more vulnerable to malware.

These recommendations are just initial steps in a broader digital security strategy, which may be a long-term process requiring continued support.

This guide was created by tes and is shared under the Creative Commons BY-NC-SA license; for any errors or enhancements, please share your feedback via email (`[email protected]`) or Keybase (`https://keybase.io/texturas`).