The malware detection module is based on the YARA project. It can be run against connected Android or iOS devices and against imported files such as physical images, UFDR files, etc.
YARA works on the basis of rules that describe patterns of data; in our case, patterns that may indicate malware. MOBILedit Forensic applies these rules to the scanned files, checks whether any file matches any rule, and returns a list of results. A returned result means that the file, or files, contain the data patterns described in the matching rule.
During analysis, all files on the phone are scanned.
We created a rules database based on the malware database used in the previous version, improved it, and added rules from various other sources on the Internet that are also used by malware research teams.
We distribute our rules in the form of a package and the user can choose to either use the MOBILedit Forensic Malware detection package or, if preferred, use a custom set of YARA rules. The MOBILedit Forensic malware rules are regularly updated via live updates, as is the YARA malware detection engine.
You can import custom rules by clicking the "Select YARA rules files" button and then selecting the file.
After selecting your custom YARA rules file, check the "Use custom YARA rules" button above. Supported file formats are .yar and .yara.
It is possible for both malware options to be selected to run in the same extraction and analysis.
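For reference, this is what a custom rules file of the kind described above looks like. It is an added, constructed example, not a rule from the MOBILedit Forensic malware package or from any real malware family; the rule name, the indicator strings and the hex pattern are placeholders. The condition shows the usual structure of such a rule: a file-type check on the ZIP magic at offset 0 (APKs are ZIP containers), a size limit, the entry names every APK carries, and then at least one indicator string.

```yara
// Added example of a custom .yar file; constructed for illustration,
// not part of the vendor rule package. All indicator values are placeholders.
rule example_apk_marker
{
    meta:
        description = "Constructed example: flags a ZIP/APK that carries placeholder indicator strings"
        author      = "added example, not a MOBILedit Forensic rule"
        severity    = "informational"

    strings:
        // ZIP entry names present in every APK, stored as plain ASCII in the archive headers
        $manifest = "AndroidManifest.xml"
        $dex      = "classes.dex"

        // Placeholder indicators; a real rule carries strings taken from analysed samples.
        // 'wide' also matches the UTF-16LE form, 'nocase' makes the match case-insensitive.
        $ind1 = "EXAMPLE_C2_PLACEHOLDER" ascii wide nocase
        $ind2 = { 45 58 41 4D 50 4C 45 5F 48 45 58 }   // "EXAMPLE_HEX" written as a hex pattern

    condition:
        // "PK\x03\x04" read as a little-endian 32-bit integer at offset 0 (ZIP local file header)
        uint32(0) == 0x04034b50
        and filesize < 50MB
        and all of ($manifest, $dex)
        and any of ($ind*)
}
```

Save the text as a .yar or .yara file and select it with the "Select YARA rules files" button. When a scanned file satisfies the whole condition, the rule name and the matched strings appear as one result in the report; a file that merely looks like an APK but contains none of the indicator strings produces no result, which is the behaviour you want from a rule meant to point an investigator at specific files rather than at every application on the device.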
Identified files will be shown in the final report with additional information about the APK files. They will not be modified or removed in any way, since the main goal is to keep the connected device in exactly the same state.
The potentially harmful file will not be executed and therefore cannot harm the mobile device. As both Android and iOS are Linux-based operating systems and mobile malware is specifically written to target these operating systems, it is unlikely any malware found would have any effect on the forensic workstation.
We do recommend turning off the anti-virus program on your PC during analysis, since it might delete potentially harmful files before they can be discovered and shown in the final report.
Malware detection for iOS
For best results the device should be jailbroken, although this is not necessary. However, the only malware detectable on iOS is Pegasus. MOBILedit Forensic looks for links and artefacts that could indicate that Pegasus is, or was, present on the device. These artefacts may also be present and detectable at the logical extraction level.
There may also be evidence of Pegasus in an iTunes backup, so it would be worth running malware detection on this as well, if available.
Malware detection for Android
For best results, the device should be rooted, although this is not necessary. On Android devices, MOBILedit Forensic can detect a wide range of malware. However, keep in mind that some apps may perform activities similar to those of malware without actually being malware.
The malware detection module identifies files that are "potentially" malware. Unlike anti-virus software, it does not quarantine, remove or neutralise a threat.
Once the potential malware has been identified, it is up to the investigator to research or reverse engineer the APK or file to determine its intended behaviour. Remember that there are many classifications of malware, including spam, apps with elevated privileges, and user-wanted potentially harmful apps (PHAs).