When examining data from a device that is suspected to be infected with either mobile malware or spyware, it is important to remember that the forensic tools you use to examine the device may not automatically detect malware on it. They also may not flag spyware as an application of concern, because spyware apps are considered to have legitimate purposes and so are often not considered to be malware.

Therefore, during examination for malware and spyware, you may have to dig deeper and use clues from the device to help you determine if it is infected, what malware is causing the problem, and what that malware is doing on the device.

As mentioned previously, malware and spyware are introduced to a device in a limited number of ways (via an app store, malicious websites, email, SMS, MMS, and so on), and have to be installed in order to run on the phone. Therefore, if you are able to narrow down a date range for suspicious symptoms or can identify specific errors the phone is reporting, these may be important clues in finding malware and spyware on the device. By examining the data areas on the device that are associated with infection mechanisms, you can attempt to identify suspicious texts, email messages, or application downloads and installations.

If you know approximately when the phone started to act suspiciously, you can use this information to narrow the scope of your search to those files that arrived on the device on or around the time of suspected infection. Error messages and odd notifications displayed on the screen of the phone might give you further clues for researching potential malware infections.
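The date-range narrowing described above can be sketched as a small timeline filter. This is an added example, not code from the original text: it keeps only application installs near the time symptoms began and pairs each with the messages or downloads that arrived shortly before it. The record layout, category names, window sizes and 30-minute lead time are assumptions, and the sample timeline is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not from a real device). Each record is
# (timestamp, category, detail), as might be exported from a forensic tool.
TIMELINE = [
    ("2024-03-01 09:12:00", "sms", "Lunch at noon?"),
    ("2024-03-04 18:40:10", "sms", "Your parcel is held: http://example.test/track"),
    ("2024-03-04 18:41:55", "download", "tracker_update.apk"),
    ("2024-03-04 18:43:02", "install", "com.example.tracker"),
    ("2024-03-05 08:00:00", "email", "Weekly newsletter"),
    ("2024-03-09 14:20:00", "install", "com.example.game"),
    ("2024-03-20 11:00:00", "install", "com.example.notes"),
]

# Assumed category labels for the delivery mechanisms the text lists.
DELIVERY = {"sms", "mms", "email", "download", "web"}
FMT = "%Y-%m-%d %H:%M:%S"

def parse(timeline):
    """Convert timestamps to datetime objects and sort chronologically."""
    return sorted((datetime.strptime(ts, FMT), cat, detail) for ts, cat, detail in timeline)

def installs_in_window(timeline, symptoms_start, days_before=7, days_after=1):
    """Installs that occurred around the time symptoms were first noticed."""
    start = symptoms_start - timedelta(days=days_before)
    end = symptoms_start + timedelta(days=days_after)
    return [e for e in parse(timeline) if e[1] == "install" and start <= e[0] <= end]

def correlate(timeline, symptoms_start, lead=timedelta(minutes=30), **window):
    """Pair each in-window install with delivery events shortly before it."""
    events = parse(timeline)
    leads = {}
    for when, _, package in installs_in_window(timeline, symptoms_start, **window):
        leads[package] = [
            (t.strftime(FMT), cat, detail)
            for t, cat, detail in events
            if cat in DELIVERY and when - lead <= t <= when
        ]
    return leads

if __name__ == "__main__":
    # Symptoms reported from 6 March 2024 (constructed scenario).
    for pkg, preceding in correlate(TIMELINE, datetime(2024, 3, 6)).items():
        print(pkg, "<-", preceding or "no delivery event in the lead window")
```

An install with no preceding delivery event is not cleared by this; it only means the timeline offers no lead and the package needs to be examined by other means.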