Mobile Forensics

Review Installed Applications

Last updated 1 year ago

Application ID

Some malicious applications pose as legitimate ones, often as a copy of a legitimate application with malicious code added. Go to Settings > Applications and tap each application to check its ID at the bottom of the page.

Application version

The app version is also displayed on the same App Info page. You can search for the app version on Google to determine whether that version actually exists. If the search returns many results for the version string, the version probably exists. For example, the above screenshot shows that the app com.twitter.android version 9.36.0-release.0 is installed, and searching for "twitter 9.36.0" returns many search results, which indicates that this version is probably legitimate. However, if you see something like "version 100", then the app is probably fake.

Permissions

Even if a fake application has been installed, it still needs a significant number of Android permissions to be able to monitor your phone remotely, so a first step is to check the list of installed applications and their permissions.

To do that, visit Settings > Applications.

This menu shows a list of all the installed applications. Open the page of each application and check which permissions it has been allowed.

The following permissions are particularly suspicious, as they are very regularly used by malicious applications:

  • Location

  • Contacts

  • SMS

  • Microphone

  • Camera

  • Call logs

  • Phone

It is also worth checking other settings for the app, which may or may not be displayed depending on your version of Android:

  • Check if the app was installed from the Google Play store: see App details or App details in store

  • Check if the app is allowed to install other applications: see Install unknown apps
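
The permission and install-source checks above can also be run in bulk on an analysis computer. The Python code below is an added example, not part of the original guide: it assumes the text output of `adb shell dumpsys package` has been saved from the phone, and it runs here on a constructed sample. The mapping from the listed permission groups to Android permission names, the function names and the triage rule are this example's own choices.

```python
import re

# Permission groups the page lists as suspicious -> Android permission names (example mapping).
GROUPS = {
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS"}, "Camera": {"CAMERA"},
    "SMS": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}, "Microphone": {"RECORD_AUDIO"},
    "Call logs": {"READ_CALL_LOG", "WRITE_CALL_LOG"},
    "Phone": {"READ_PHONE_STATE", "CALL_PHONE"},
}
PLAY_STORE = "com.android.vending"  # ID of the authentic Play Store, as given on this page

# Constructed sample shaped like `adb shell dumpsys package` output (not real device data).
SAMPLE = """\
Package [com.example.notes] (1a2b3c):
    versionName=2.4.1
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
Package [com.example.sysupdate] (4d5e6f):
    versionName=100
    installerPackageName=null
    requested permissions:
      android.permission.REQUEST_INSTALL_PACKAGES
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
"""

def review(dump):
    """Parse the dump into {package: {versionName, installerPackageName, groups, requests_install}}."""
    apps, cur = {}, None
    for s in map(str.strip, dump.splitlines()):
        if m := re.match(r"Package \[([^\]]+)\]", s):
            cur = apps[m.group(1)] = {"groups": set(), "requests_install": False}
        elif cur is None:
            continue  # skip anything before the first package entry
        elif m := re.match(r"(versionName|installerPackageName)=(.*)", s):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"android\.permission\.(\w+)(: granted=true)?", s):
            name, granted = m.group(1), bool(m.group(2))
            cur["requests_install"] |= name == "REQUEST_INSTALL_PACKAGES"
            cur["groups"] |= {g for g, p in GROUPS.items() if granted and name in p}
    return apps

def needs_review(apps):
    """Triage rule (assumption): not installed by Play and granted a sensitive permission."""
    return sorted(p for p, a in apps.items()
                  if a.get("installerPackageName") != PLAY_STORE and a["groups"])
```

Calling `needs_review(review(text))` on a saved dump returns the package names to inspect by hand first; an app that appears there is a lead to follow up, not a verdict.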

Running Applications

Look up unknown running apps by searching for their names on Google.

Disable Developer Options after inspecting running apps to prevent leaking information.

The application ID should reflect the app's displayed name. For example, the authentic "Play Store" app's ID is com.android.vending; however, there is also malware pretending to be the Play Store with the ID com.restthe71.

Check if the app can modify system settings or has other "Special App Access": see Modify system settings or Change system settings. Follow this guide to open the settings.

To inspect running apps, follow this guide.