In the example presented on this slide, the phone started giving an error “com.process.system isn’t responding. Do you want to close it?” This error was considered to be suspicious because the phone recently started to respond slowly, and the battery was draining quickly.

A check of Data/App revealed an .apk file named com.process.system–1.apk with file dates around the time the phone started to act strangely. By exporting the suspicious .apk file from the image, it can be run through online malware sandbox sites for static and dynamic malware analysis, as shown later in this section.

This error and com.process.system turn out to be associated with TRacer, a mobile spyware tool sold by KillerMobile.