1
00:00:00,960 --> 00:00:07,590
There are two common approaches to conduct a forensic investigation of an allegedly malicious mobile

2
00:00:07,590 --> 00:00:08,250
application.

3
00:00:09,120 --> 00:00:13,320
That is the static analysis and the dynamic analysis.

4
00:00:14,190 --> 00:00:21,360
The static analysis consists of viewing the APK file without inspecting the actual instructions.

5
00:00:22,350 --> 00:00:30,060
This type of analysis can verify whether the data is malicious, present information about its functionality,

6
00:00:30,480 --> 00:00:37,680
and sometimes give information allowing us to create some uncomplicated network signatures.

7
00:00:38,340 --> 00:00:47,640
However, this kind of analysis is not effective against complex malware as it can skip some of its behavior

8
00:00:48,210 --> 00:00:48,490
elsewhere.

9
00:00:48,520 --> 00:00:49,680
Dynamic analysis.

10
00:00:49,950 --> 00:00:57,510
The main methods include launching the APK file or launching the application and monitoring its behavior

11
00:00:57,510 --> 00:00:59,820
in the system to remove the infection.

12
00:01:00,060 --> 00:01:07,050
However, before running the malware safely, you must make sure to run it in a lab environment to minimize

13
00:01:07,050 --> 00:01:08,430
the harmful effect.

14
00:01:09,570 --> 00:01:16,710
You can use the techniques of dynamic analysis without having in-depth programming knowledge, such

15
00:01:16,710 --> 00:01:17,820
as Java.

16
00:01:18,330 --> 00:01:25,200
But again, this kind of technique is not useful for all malicious programs as it can skip some functionality.

17
00:01:25,200 --> 00:01:33,180
So the best way is to combine static and dynamic analysis techniques. Now, how do these applications reach

18
00:01:33,180 --> 00:01:37,170
the end user? Simply through different distribution mechanisms.

19
00:01:37,650 --> 00:01:44,430
The simplest one is app store distribution, where the Trojans are uploaded to the app store in large

20
00:01:44,430 --> 00:01:47,730
numbers to take advantage of the download volume.

21
00:01:48,180 --> 00:01:55,740
The Trojan is disguised in a free tool which supposedly will have legitimate application purposes.

22
00:01:56,340 --> 00:02:00,060
Another approach is to use phishing-enabled distribution.

23
00:02:00,600 --> 00:02:07,050
It's a popular method for coercing users into installing malicious applications. Another approach

24
00:02:07,080 --> 00:02:09,780
is to use phishing-enabled distribution.

25
00:02:10,260 --> 00:02:17,700
A popular method for coercing users to install malicious applications is to send them links to APK files

26
00:02:18,150 --> 00:02:20,700
posted on the attacker's website.

27
00:02:21,180 --> 00:02:27,000
Normally this happens over SMS or email spam messages.

28
00:02:27,360 --> 00:02:31,640
A third approach is to distribute via compromised websites.

29
00:02:32,400 --> 00:02:38,430
The dissemination of mobile malware may be facilitated through the compromise of a legitimate website

30
00:02:38,850 --> 00:02:42,960
that is then used to host malicious applications.

31
00:02:43,380 --> 00:02:52,200
Distribution via operating system images is an alternative to app store deployment, where the Trojan

32
00:02:52,260 --> 00:02:57,100
application is included within the custom operating system images.

33
00:02:57,600 --> 00:03:04,950
So on the OS platform itself, natively, so on platforms that allow device manufacturers to load their

34
00:03:05,040 --> 00:03:08,370
own OS version images at the point of distribution,

35
00:03:08,910 --> 00:03:17,130
there is a risk that a Trojan application may be included as part of the standard distribution. Compromised

36
00:03:17,430 --> 00:03:18,420
source code.

37
00:03:18,660 --> 00:03:26,430
So legitimate applications can also be Trojanized by a malicious actor without the knowledge of the original

38
00:03:26,640 --> 00:03:27,240
developers.

39
00:03:27,540 --> 00:03:33,690
So an attacker might compromise source code, do a malicious change and then upload the application.

40
00:03:34,020 --> 00:03:40,650
At the end of the day, the users will install such applications that supposedly will facilitate their

41
00:03:41,130 --> 00:03:47,490
compromised source code happens when legitimate applications are Trojanized by malicious actors without

42
00:03:47,490 --> 00:03:49,290
the knowledge of the original developer.

43
00:03:49,500 --> 00:03:55,860
The source code is then changed, compiled, and the APK is uploaded to many platforms.

44
00:03:56,550 --> 00:04:02,730
While the distribution of Trojan applications is the most common form of deployment mechanism for mobile

45
00:04:02,730 --> 00:04:03,240
malware,

46
00:04:03,570 --> 00:04:11,760
there are some circumstances where a malicious actor may develop exploits for typical software installed

47
00:04:11,880 --> 00:04:16,860
on target devices and use them to install their payloads without user interaction.

48
00:04:17,310 --> 00:04:27,360
So an attacker might exploit a vulnerability in an application to be able to silently install malware

49
00:04:27,840 --> 00:04:30,300
on the mobile phone of the user.

50
00:04:30,480 --> 00:04:36,390
And last but not least, it's the loss of physical control, where most of the deployment mechanisms

51
00:04:36,420 --> 00:04:42,720
we just described involve compromise that occurs while the device is in the hands of the user.

52
00:04:43,200 --> 00:04:49,410
However, there may be situations where a malicious actor seeks to leverage a period of time when the

53
00:04:49,410 --> 00:04:51,780
device is not in the possession of the user.

54
00:04:52,470 --> 00:04:59,850
Scenarios such as monitoring software installed by authorities during a border transit, or a device left

55
00:04:59,990 --> 00:05:05,420
unattended, for example, in a hotel or in a public place.