Android malware identification using antivirus scanners

Using antivirus scanners is a typical way to find known pieces of malware, so it's a recommended first step for picking low-hanging fruit. There are a multitude of antivirus scanners, with many of them having free versions that can be used by mobile forensic examiners to complete such tasks. Most of them are Windows-based, so the first step is to mount a previously created physical image so that it will be accessible to the operating system and antivirus scanner.

As you already know, most Android devices use EXT4 as the filesystem for the most interesting partition from a forensic point of view—the userdata partition. By default, this filesystem isn't supported by Windows, so we need a third-party tool to mount it and, more importantly, to mount it in read-only mode, as we don't want the antivirus scanner to delete anything from the image we are going to examine.

Of course, forensic examiners have such a tool available. It's called Linux File Systems for Windows, and its trial version is available for download here: https://www.paragon-drivers.com/en/lfswin/. After installation, you are ready to start mounting the userdata partition. You'll need FTK Imager, but you should have it already installed, as we used it in the previous chapters. Here is how to mount an ext4 partition on a Windows host in two simple steps:

  1. Open FTK Imager and go to File | Image Mounting...

AccessData FTK Imager

  2. Choose the image file. In our case, it's an Android 9 userdata partition physical image. Choose Physical & Logical as the mount type, Block Device / Read Only as the mount method, and then click the Mount button:

Mounting an EXT4 image with FTK Imager

That's it! Now the filesystem is available as logical disk E: on our Windows 10 host:

Part of a mounted filesystem, as seen in Windows Explorer

Now it can be easily scanned with an antivirus scanner. Usually, user-installed applications can be found under the /data/app directory, so it may be a very good idea to start our malware hunting by scanning this folder. For this example, we will use ESET NOD32 antivirus (https://www.eset.com/int/home/antivirus/). It has a very interesting option from a forensic point of view—Scan without cleaning. This enables an examiner to find a piece of malware, but not delete or quarantine it. To choose it, right-click on your folder of choice, and go to Advanced options. In our case, scanning only took a few seconds, and the result yielded two malicious objects:

Antivirus scan log

As you can see, sometimes, especially if you know where to look, you can find Android malware very quickly and easily using antivirus engines. Of course, the software you are using may not contain corresponding signatures and may miss malicious applications, so it's highly recommended to use multiple engines for scanning.
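A hash-based pass over the same folder is a cheap complement to the antivirus engines described above, and it illustrates the "scan without cleaning" idea in code: every APK under the app directory is opened read-only, hashed, and compared against a list of known-bad SHA-256 values, and nothing on the mounted image is changed. This is an added example written for this page, not code from the book or from any of the tools it mentions. It assumes you point it at the directory that corresponds to /data/app (on a userdata partition mounted as E:, that is E:\app); the hash list and the sample "APKs" it builds in a temporary directory are constructed for the demo and contain no real malware.

```python
"""Read-only hash triage of the app directory from a mounted Android userdata image.

Added example for this page; the known-bad hashes are CONSTRUCTED placeholders.
In practice they would come from a threat-intelligence feed or a prior case."""

import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks, opening it read-only so the image is never modified."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_app_dir(app_dir, known_bad_sha256):
    """Walk the directory corresponding to /data/app and triage every .apk.

    Returns a list of (relative path, sha256, verdict) tuples. Like an antivirus
    'scan without cleaning' run, it reports findings but deletes or quarantines nothing."""
    app_dir = Path(app_dir)
    results = []
    for apk in sorted(app_dir.rglob("*.apk")):
        if not apk.is_file():
            continue
        digest = sha256_file(apk)
        if digest in known_bad_sha256:
            verdict = "KNOWN_BAD"
        elif not zipfile.is_zipfile(apk):
            # An APK is a ZIP container; a .apk that is not one deserves a closer look.
            verdict = "NOT_A_VALID_APK"
        else:
            verdict = "no_match"
        results.append((apk.relative_to(app_dir).as_posix(), digest, verdict))
    return results


def build_demo_tree():
    """Create a CONSTRUCTED stand-in for a mounted userdata partition's app directory.

    Returns (app_dir, known_bad). known_bad holds the hash of one constructed sample
    so the scan has something to match; no real malware is involved."""
    root = Path(tempfile.mkdtemp(prefix="userdata_demo_"))
    app_dir = root / "app"
    for package, dex_bytes in [("com.example.benign-1", b"dex\n035benign"),
                               ("com.example.suspect-1", b"dex\n035suspect")]:
        pkg_dir = app_dir / package
        pkg_dir.mkdir(parents=True)
        with zipfile.ZipFile(pkg_dir / "base.apk", "w") as zf:
            zf.writestr("classes.dex", dex_bytes)
            zf.writestr("AndroidManifest.xml", b"<placeholder/>")
    # A file carrying the .apk extension that is not a ZIP container at all.
    broken_dir = app_dir / "com.example.broken-1"
    broken_dir.mkdir()
    (broken_dir / "base.apk").write_bytes(b"not a zip")
    known_bad = {sha256_file(app_dir / "com.example.suspect-1" / "base.apk")}
    return app_dir, known_bad


if __name__ == "__main__":
    demo_app_dir, demo_known_bad = build_demo_tree()
    for rel_path, digest, verdict in scan_app_dir(demo_app_dir, demo_known_bad):
        print(f"{verdict:16} {digest[:16]}...  {rel_path}")
```

On a real case, replace `build_demo_tree()` with the mounted path (for example `scan_app_dir(r"E:\app", known_bad)`) and load the hash set from your own intelligence source; because every file is opened with `"rb"` and never written, the pass is safe to run against the read-only mount described earlier, and the digests it produces can be submitted to several engines, which is the same multi-engine advice the text closes with.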
