
Malware Detection in MOBILedit Forensic

MOBILedit Forensic includes a malware detection module built on the YARA pattern-matching engine. It scans Android and iOS extractions, including physical images, backups, and supported imports such as UFDR files, for known indicators of malware.


How Malware Detection Works

The malware module uses a collection of YARA rules. Each rule defines data patterns (text strings, byte sequences) and a condition that together indicate possible malicious software. MOBILedit Forensic applies these rules to the extracted data, scanning every accessible file for matches. A file whose content satisfies a rule's condition is flagged as potentially harmful and listed in the final report.

Note: The rules database used by MOBILedit Forensic is based on both our historical malware database and a curated collection of publicly available rules used by malware analysis professionals. These are distributed in the form of a package and updated via Live Updates.

Custom rule sets can also be used by the investigator.


Custom YARA Rules

You may import your own .yar or .yara rule sets using the "Select YARA rules files" option in the interface. After selection, enable the "Use custom YARA rules" option to activate them.

  • Both the MOBILedit rule set and custom rule set can be used together.

  • Test custom rules in advance, ideally against a known-clean extraction, to minimize false positives: a rule whose condition is satisfied by a single short or common string will fire on a large share of benign files.


Scope of Scanning

  • All files accessible from the extraction are scanned, including those from system partitions, app data, and user storage.

  • Rooted (Android) or jailbroken (iOS) devices allow for broader access, improving the likelihood of identifying malware.

  • Unrooted or non-jailbroken devices may result in limited malware detection, particularly at the logical level.

Tip: Enabling malware detection increases the overall processing time. For full-content extractions, consider running the malware scan as a separate task so that the main analysis is not slowed down.


Results in Reports

  • Identified files are listed in the report along with APK metadata and additional information.

  • The flagged files are not executed, removed, or modified.

  • Scanning is read-only, so the integrity of the connected device and of the extracted data is preserved.

Forensic reports are intended to assist investigator review — not to act as an antivirus system that can quarantine or neutralize threats.

Once a file is flagged, the investigator must evaluate it:

  • What is the file?

  • What app does it belong to?

  • Is it harmful, suspicious, or simply intrusive?

Due to the variety of malware types (e.g., spyware, adware, unwanted apps, backdoors), further manual research or reverse engineering may be required to classify the behavior of flagged files.


False Positives

False positives may occur. If a rule partially matches benign content, a non-malicious file might still be flagged.

  • iOS: False positives usually occur due to partial-string matches within the rule set.

  • Android: Some manufacturer apps may exhibit behaviours similar to malware (e.g., stub apps or update backdoors).

If you identify a consistent false positive, we encourage you to report it to the MOBILedit Forensic team so we can evaluate and adjust the rule base if appropriate.
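The Custom YARA Rules section above advises testing custom rules before importing them, and this section names partial-string matches as the usual cause of false positives. The following pre-flight lint is an added example written for this page; it is not MOBILedit code and it is not a YARA engine. It reads a rule file with a small hand-rolled parser (double-quoted text strings, hex strings in braces, and the condition line), then flags string definitions that are likely to hit benign data: short text atoms, common tokens without the fullword modifier, and hex patterns that fix only a few bytes. A finding is rated high when the rule's condition is `any of` or `1 of`, because then one weak string is enough to fire the rule. The thresholds, the token list and the two sample rules are assumptions made for the example; regex strings (/.../) are not inspected.

```python
"""Pre-flight lint for a custom YARA rule file (added example, not MOBILedit code).

Parses only the subset of rule syntax it needs and flags string definitions
that are likely to match benign content.  Thresholds and sample rules below
are assumptions for illustration; regex strings (/.../) are skipped.
"""
import re
from dataclasses import dataclass

MIN_TEXT_LEN = 6       # assumed: shorter text atoms match benign data constantly
MIN_HEX_BYTES = 4      # assumed: fixed bytes needed in a hex pattern ('??' does not count)
COMMON_TOKENS = {"http", "https", "www", "com", "admin", "system",
                 "android", "update", "login", "password"}

# One rule: optional private/global, name, optional tags, body up to a '}' at line start.
RULE_RE = re.compile(r'^[ \t]*(?:private\s+|global\s+)*rule\s+(\w+)[^{]*\{(.*?)^\}',
                     re.S | re.M)
SECTIONS_RE = re.compile(r'strings\s*:(.*?)condition\s*:(.*)', re.S)
TEXT_STRING_RE = re.compile(r'(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"([^\n]*)')
HEX_STRING_RE = re.compile(r'(\$\w*)\s*=\s*\{([^}]*)\}')
LOOSE_CONDITION_RE = re.compile(r'\b(?:any|1)\s+of\b')   # one weak string fires the rule


@dataclass
class Finding:
    rule: str
    string: str
    reasons: list
    severity: str   # "high" when a single string is enough to trigger the rule


def _text_reasons(value: str, modifiers: str) -> list:
    reasons = []
    if len(value) < MIN_TEXT_LEN:
        reasons.append(f"text string is only {len(value)} characters")
    if value.lower() in COMMON_TOKENS and "fullword" not in modifiers:
        reasons.append("common token without the fullword modifier (partial-word matches)")
    return reasons


def _hex_reasons(pattern: str) -> list:
    fixed = [t for t in re.findall(r'[0-9A-Fa-f?]{2}', pattern) if t != "??"]
    if len(fixed) < MIN_HEX_BYTES:
        return [f"hex pattern fixes only {len(fixed)} byte(s)"]
    return []


def lint_rules(source: str) -> list:
    """Return one Finding per string definition that looks false-positive prone."""
    findings = []
    for rule in RULE_RE.finditer(source):
        name, body = rule.group(1), rule.group(2)
        sections = SECTIONS_RE.search(body)
        if not sections:
            continue  # rules without a strings section are outside this lint's scope
        strings, condition = sections.groups()
        loose = bool(LOOSE_CONDITION_RE.search(condition))
        checks = [(m.group(1), _text_reasons(m.group(2), m.group(3)))
                  for m in TEXT_STRING_RE.finditer(strings)]
        checks += [(m.group(1), _hex_reasons(m.group(2)))
                   for m in HEX_STRING_RE.finditer(strings)]
        for ident, reasons in checks:
            if reasons:
                findings.append(Finding(name, ident, reasons, "high" if loose else "low"))
    return findings


# Constructed sample rules; the patterns are illustrative, not real indicators.
GOOD_RULE = '''
rule Sample_Specific_Artifact
{
    meta:
        description = "constructed example: distinctive atoms, all required"
    strings:
        $cfg = "c2_endpoint_v3_upload" ascii
        $hdr = { 50 4B 03 04 14 00 08 08 }
    condition:
        all of them
}
'''

WEAK_RULE = '''
rule Sample_Partial_Match
{
    strings:
        $a = "http"
        $b = "adm"
        $c = { 4D 5A }
    condition:
        any of them
}
'''

SAMPLE_RULES = GOOD_RULE + WEAK_RULE

if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule} {f.string}: " + "; ".join(f.reasons))
```

Run it against the file you intend to import; every high finding is a string that on its own can flag files across a device. After fixing the rules, confirm them with the real engine against a known-clean corpus (for example `yara -r custom.yar /path/to/clean-extraction`, where `custom.yar` and the path are placeholders) before enabling "Use custom YARA rules" on a case.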


iOS-Specific Considerations

  • Only Pegasus malware is currently detectable on iOS.

  • Indicators are found via links and artefacts stored on the device or in backups.

  • Jailbreaking is recommended for maximum visibility but not required. Note that jailbreaking writes to the device, so it must be authorized and documented as part of the examination.

  • Evidence of Pegasus may also be detected in iTunes backups — consider running the malware module on these as well.


Android-Specific Considerations

  • Rooted devices yield the best detection coverage.

  • MOBILedit Forensic can detect a broad spectrum of Android malware.

  • Some legitimate apps may behave similarly to malware — always verify flagged results.


Legal and Investigative Considerations

Ensure malware detection falls within the scope of your legal authority and is relevant to your case. Scanning user files for malware must be justifiable under the warrant or consent that grants access to the device.

Also consider your PC's antivirus: it may delete or quarantine potential malware samples during extraction, and those samples would then be missing from the final report. Excluding the extraction and report output folders from antivirus scanning is the narrower option; if you disable antivirus entirely, do so on a dedicated forensic workstation and re-enable it afterwards.


Summary

The MOBILedit Malware Detection module is designed to support forensic investigators in identifying potentially malicious files. It is a passive, non-destructive scanner powered by YARA, customizable, and suitable for use in both standard and advanced forensic workflows.

While false positives may occur, the module provides an essential layer of insight into device activity and suspicious content, especially when paired with full file system access and experienced analysis.


Report example

Malware detection - PDF Demo Report - MOBILedit Forensic PRO 9.0.1.23854 (1).pdf
