The presence of mobile malware is often assumed to be a problem for an investigation because it opens the door to a malware-based defense. The same methods used to rule out malware as the culprit in a traditional computer forensic investigation can be used to rule it out in a mobile forensic examination as well. Consider whether the activity being investigated happened before or after the malware infection. Also research the specific malware variant and consider whether it is actually capable of the suspicious actions under investigation. This investigative methodology will help to rule the malware in or out as the source of the suspicious activity.
The presence of malware may actually be useful to an investigation. Databases associated with mobile malware may contain user data that has been otherwise deleted by the user and can be a unique source of location data or other information important to an investigation.
Malware can also provide clues about the user’s intent. In the above screenshot from an actual criminal case, Cellebrite’s malware scanner has identified 13 positive malware hits using Bitdefender definitions. Most of these hits are executable files for video players. Windows-based executable files won’t run on an Android-based phone; the second hit, the “flv_player_installer.apk” file, is the one that would execute and run on an Android device. Always remember to update the malware definitions in whatever malware scanning tool you use. New variants are detected every day and are added to antivirus software regularly. In this case, the first malware scan detected just one positive hit, and a scan several months later resulted in additional positive hits.
When comparing the browsing history on the phone against the dates and times of the detected .exe and .apk files, it becomes apparent that the user was downloading multiple video players in an attempt to play videos with child exploitation content. In this particular case, the defendant pled guilty to child pornography charges based partially on evidence provided by mobile malware files.
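The two checks described above, whether the investigated activity predates the infection and whether the browsing record lines up with each detected download, as an added example that is not from the page or from Cellebrite; the event list, site names and timestamps are constructed placeholders, and only the “flv_player_installer.apk” name comes from the case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str    # "browse", "download" or "malware_hit"
    detail: str  # URL, file name or scanner verdict


# Constructed sample timeline (placeholder values, not the case data).
SAMPLE_EVENTS = [
    Event(datetime(2020, 3, 1, 20, 14), "browse", "video-site.example/player"),
    Event(datetime(2020, 3, 1, 20, 16), "download", "player_setup.exe"),
    Event(datetime(2020, 3, 1, 20, 16), "malware_hit", "player_setup.exe"),
    Event(datetime(2020, 3, 2, 21, 5), "browse", "another-site.example/watch"),
    Event(datetime(2020, 3, 2, 21, 7), "download", "flv_player_installer.apk"),
    Event(datetime(2020, 3, 2, 21, 7), "malware_hit", "flv_player_installer.apk"),
    Event(datetime(2020, 2, 20, 9, 0), "browse", "news.example"),
]


def first_infection(events):
    """Earliest hit that can actually run on Android (.apk); .exe hits cannot."""
    hits = [e.when for e in events
            if e.kind == "malware_hit" and e.detail.lower().endswith(".apk")]
    return min(hits) if hits else None


def classify_activity(events, activity_time):
    """Place the investigated activity relative to the first capable infection."""
    t0 = first_infection(events)
    if t0 is None:
        return "no_capable_malware"
    return "before_infection" if activity_time < t0 else "after_infection"


def browsing_near_hits(events, window=timedelta(minutes=10)):
    """Map each malware hit to the browsing entries in the preceding window.

    A hit preceded by a matching browsing entry points to a user-driven
    download rather than a silent infection.
    """
    pairs = {}
    for hit in (e for e in events if e.kind == "malware_hit"):
        pairs[hit.detail] = [e.detail for e in events
                             if e.kind == "browse"
                             and hit.when - window <= e.when <= hit.when]
    return pairs
```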