Below, we’ll look at a few examples of how mobile ransomware works. We’ll also provide tips for preventing malware from endangering your data.

Can ransomware infect an iPhone or Android phone?

To date, all mobile ransomware has targeted Android devices.  iOS devices like iPhones are highly resistant to malware, but malicious users have exploited vulnerabilities to trick users into believing that their devices were infected with ransomware.

While Android mobile operating systems include safeguards to protect against malicious software, those protections have limits, particularly when attackers use social engineering to trick users into downloading files.

Notable recent incidents:

• In 2014, the Koler “police” ransomware began to spread using pornographic networks. Android users are tricked into downloading a fake .apk file, which encrypts files and demands a ransom of $100-$300. By some estimates, Koler has infected more than 200,000 Android devices.

• Doublelocker is a Trojan that infects Android devices, changing their PINs and encrypting data to prevent access. It is typically distributed as a fake Adobe Flash Player. Victims are tricked into providing the malware with administrator rights and permissions.

• AndroidOS/MalLocker.B uses social engineering to lure victims into installing fake versions of games or popular apps. Instead of encrypting files, this ransomware family prevents the user from accessing their device by forcing a ransom note onto every screen.

To protect your phone from ransomware, follow these steps.

Cybercriminals use sophisticated methods to install malware and extort users. If you store important data on your phone (and realistically, that’s true for nearly every smartphone user), you’ll need to protect yourself. Some quick steps to keep your device secure:

1. Back up your data.

The best practice is to maintain at least three copies of every important file. However, even a single backup will provide enormous protection — provided that your backup isn’t prone to infection.

Here’s a guide from Google for backing up data manually on an Android device. For Apple iPhones and iPads, this guide explains the process for using iCloud. In addition to cloud backups, consider copying important data (such as pictures, videos, and contacts) to your PC or Mac on a regular basis.

2. Don’t install apps unless you can verify the source.

Most Android ransomware variants infect devices by posing as free games, utilities, or video players. By default, the Android operating system blocks users from installing .apk files from unknown sources, but users can disable this protection.

The safest course of action: Never download an .apk file through your phone’s web browser, and never open email attachments if you’re not completely confident in the contents. Only install apps using the Google Play store or another trusted app store.

If you do need to install an .apk manually, make sure you trust the source. Check that the website has valid security certificates. After installing the app, head to Android Settings -> Biometrics and Security and change the “Install unknown apps” settings back to the default.

3. Keep your device updated.

Malware often spreads by taking advantage of security vulnerabilities within apps or the mobile operating system.

Make sure your phone updates its operating system automatically. Here’s a guide to enabling auto-updates on Android, and here’s a guide for enabling automatic updates on iOS devices.

Android users should also enable automatic updates on apps downloaded from the Google Play store.

4. If your smartphone is infected with ransomware, have a game plan.

If you believe your phone is infected with malware, take notes about any symptoms, including actions that may have led to infection (such as downloading an APK file or downloading email attachments). If your phone displays a ransom note, take a picture with another device or write down the note in its entirety.

Decryption tools exist for many common Android ransomware variants. If you have a strong working knowledge of the Android operating system, NoMoreRansom.org is a trustworthy resource for finding free decryption tools.

However, we recommend working with an experienced ransomware recovery firm to maximize your chances of a successful result. To learn more, contact our team at 1-800-237-4200 or click here to set up a case online.

The post How to Protect Your Phone from Ransomware appeared first on Datarecovery.com.

The Apple iPhone’s Recovery Mode deletes everything on the device. Deleted data is completely unrecoverable under most circumstances.

Deleted iPhone files are unrecoverable for several reasons:

• File-Based Encryption – The iPhone stores most user files with file-based encryption, which means that every file has a unique encryption key. When iOS deletes data, it deletes the encryption key, which makes the data unusable.There are exceptions, however: For devices operating iOS 12 or earlier, the user’s photos, videos, internet browsing history, and text messages may be recoverable after a typical delete command. However, Recovery Mode isn’t a typical delete command — it essentially reformats the device, restoring it to factory settings.
• Flash Media Engineering – iOS devices use NAND flash, a type of non-volatile memory consisting of transistors arranged into a grid. The transistors hold electrical charges to store data. Read more about solid-state storage here.When data is deleted from flash drives, they’re usually gone forever. NAND flash media uses a garbage collection process to improve efficiency and optimize space. This process clears the charges from the transistors, rendering the data permanently unrecoverable.

Following a full restore to factory settings, data recovery engineers may be able to recover metadata from iPhones and other iOS devices. Metadata is typically used for computer forensics cases to provide a record of phone usage, but it isn’t useful for consumers.

The bottom line: You should only use iOS Recovery Mode if you have a full backup of your device. We strongly recommend reviewing your backup before beginning the process — it’s irreversible. After confirming your backup, you can put your iOS device into Recovery Mode by following this guide from Apple.

Can I recover data from an iPhone before using Recovery Mode?

If your iPhone has become unresponsive or if you’re not able to boot past the iOS logo, your data may be recoverable. This is easiest if your computer recognizes the device: Apple provides a guide for transferring photos and videos from iOS devices to a Mac or PC.

However, if your iPhone is completely unresponsive, your options are limited. Unfortunately, consumer data recovery software is not capable of returning results — recovering the files requires low-level access to the device’s data storage, which isn’t feasible outside of a professional data recovery laboratory.

Typically, iPhone data recovery tools don’t actually access the iPhone’s storage: The software recovers files directly from the user’s iCloud Drive. Of course, you don’t need to pay for extra software to download files from your own iCloud, so we recommend saving your money.

Related: A Guide to Mobile Phone Text Message Recovery

My iPhone is broken, and I don’t have a backup. What do I do?

Don’t put the iPhone into Recovery Mode unless you’re 100% sure that you have a backup. Take the following steps to maximize your chances of a full recovery:

• Gather information about the failure. Does the iPhone boot? Is the touchscreen responsive? What happens when you plug it into your computer?
• Try to make a list of important files or file types. For instance, if you just need your photos and videos, that information could be extremely useful for a data recovery engineer.
• Keep the device turned off. Don’t pay for data recovery software — if your phone runs iOS 13 or later, software will not address the problem.
• Work with an experienced data recovery company. Accessing the data will require advanced logical techniques and specialized hardware, so find a provider with an established reputation.

Datarecovery.com is a world leader in iPhone data recovery, and our no data, no charge guarantee gives you peace of mind as your case progresses. To discuss iPhone recovery, call our team at 1-800-237-4200 or click here to submit a case online.

The post Does Recovery Mode Erase Data on an iPhone? appeared first on Datarecovery.com.

As we regularly deal with difficult security issues, we wanted to present both sides of the argument and provide an analysis of some of the technical claims present in the case.

What Is the FBI Asking of Apple?

The FBI is asking for help, but what exactly are they asking for?

Contrary to some reports, they are not asking for Apple to break the encryption on a particular phone, provide the encryption keys for it, or provide some backdoor entrance to the phone. Apple has stressed that they cannot directly help anyone get into a specific phone. They do not save encryption keys, and they cannot create a backdoor to individual units.

The FBI is asking for a customized version of iOS, the operating system used by the iPhone, iPad, and iPod Touch.

But before declaring that this is the same thing as asking for a backdoor, let’s back up and provide some information about Apple products and their encryption standards.

iPhone Encryption and Passcode Attempts

Recent iPhones and iOS versions have had a solid encryption that doesn’t appear to have any serious weak points.

This is unlike the iPhone 4 and older, which aren’t hardware encrypted and can be cracked relatively easily. This has been problematic for law enforcement for some time.

A user unlocks their phone with their fingerprint on the button or by entering a passcode, which by default is 6-digits but may be just 4-digits.

This trigger allows for access to other encryption keys stored in the phone’s hardware, and iOS uses those to allow for normal operation of the phone.

A 4-digit passcode is really short, as you might know if you’re interested in tech security. Many web forms with “password strength” indicators would automatically call a four digit code “weak.”

In fact, there are only 10 * 10 * 10 * 10 = 10,000 possibilities. A person could sit down and try them all over the period of perhaps just 14 hours (10,000 tries * 5 seconds/try / 60 seconds/minute / 60 minutes/hour). For a 6-digit passcode, this would take over 57 days.

They key protection here is that iOS has a limit for the maximum failed passcode attempts. After five incorrect attempts, it will delay your next attempt for 1 minute. After another failed attempt, you’ll have to wait 5 minutes. The timeout keeps increasing with 15 minute delays, then 60 minute delays.

Finally, after the 10th try, iOS will trigger a complete wipe of the phone. It doesn’t technically have to wipe the phone’s storage, but the result is identical. By resetting one of the required encryption keys, it permanently prevents decryption.

The FBI’s Request for A New iOS

That brings us back to the FBI’s request.

The FBI says that they’re asking for something reasonable, given current technologies in the worlds of encryption, customer privacy, and business interests. They’re asking for a customized version of iOS, digitally signed by Apple, that can be loaded into the phone’s random access memory (not the main storage) so that the custom iOS can control the phone.

This version would have the lockout and wipe feature disabled, so it will not erase the encryption key after 10 failed tries at the passcode and will not introduce delays.

The FBI also requests that this customized version of iOS include code requiring that it can only be run on an iPhone with the exact unique identifier of Syed Rizwan Farook’s iPhone. Once the operating system is functional, the FBI simply has to try various passcodes until they have the phone unlocked.

They could do this physically, which may take the aforementioned 14 hours, or if they can input codes electronically, they could input an attempt every second.

Some would argue that the FBI would then do the actual hacking, not Apple. To us, it still seems like a team effort.

Apple’s Security Concerns Regarding The FBI’s Request

That part about the unique identifier seemingly limits the effect of this request to only this one iPhone in FBI custody, but Apple has bigger things to worry about. Leaks are always a danger, so just having their employees work on this project may be a risk to Apple.

The possibility of a source code leak is nothing new. Apple’s code in iOS is proprietary, not open sourced like Android, so they protect it vigorously. However, if they complete this specialized new version of the system, they might inadvertently increase the chances for a leak of the original code.

There’s also a chance that the final compiled product may be leaked – and that’s likely a more significant risk, since more parties are involved. In this case, it may be possible (if difficult) for someone to find a way to modify the unique identifier. That would mean that the modified version of iOS may be used on any iPhone, and Apple’s products would be less secure as a result. The iPhone’s requirement of signed firmware may mitigate this (maybe the possible leak of Apple’s signing key is yet another risk). But it doesn’t at all help the next concern…

What Apple really doesn’t want is for a precedent to be set that they’ll help law enforcement crack into the phones of their customers. That is bad PR. It would likely occur over and over in the future. But also law enforcement will see this precedent, and then ask for slightly more technical help the next time. Apple would be required to argue their case again in hopes of drawing the line for what help they provide.

The FBI may win out, since this case involves terrorism and mass murder; in the court of public opinion, national security usually trumps personal privacy. The Bureau have purposely made a narrow, specialized request in order to avoid claims that this constitutes unreasonably burdensome technical assistance (we’re not lawyers, so we’ll leave that argument to the attorney blogs).

But if Apple does claim that this is too difficult, the FBI may then move to request the iOS source code so that they can make the modifications themselves. We don’t want to speculate on how that might go. The law enforcement community is watching extremely closely because there are plenty of other iPhones that authorities would love to be able to access.

Possible Future Changes to Squash Decryption Efforts

Looking to the future, Apple may choose to adjust their phone unlocking scheme to prevent such requests before they even occur. They made great strides in iOS 8 to strengthen the iPhone’s encryption and to prevent this exact type of situation with law enforcement. Additional changes might strengthen their case in future claims.

If the passcode was 10 digits, for instance, then a brute force attack could take thousands of years. That might be a little unreasonable for users, as the human mind can typically remember only seven random digits.

The fingerprint unlocking mechanism is probably much more difficult than a 4-digit passcode as well, since the fingerprint has many more points. That means more required digits (no pun intended). Apple could eliminate the passcode entirely and just use the fingerprint, although some users might not like this. Alternately, they could switch to a completely different unlocking mechanism.

In the end, it comes down to the age-old conflict of privacy vs. law enforcement. Without speculating or taking sides, we’ll say that this is an interesting case to say the least, and it’s certainly worthy of all of the mainstream attention.

The post Apple vs FBI Over iPhone Security in San Bernardino Shooting Case appeared first on Datarecovery.com.

We’re also called upon to recover text messages as evidence for court cases and other legal processes, and cell phone recovery is one of the fastest-growing segments of our business. In this article, I’ll detail some of the methods that we use to recover text messages from damaged cell phones. Some of these techniques are also used for other types of data associated with smartphones.

Getting Access to the Data On a Damaged Cell Phone

Of course, if someone’s calling Datarecovery.com, there’s a good chance that their cell phone has been damaged (either intentionally or accidentally). In order to start recovering text messages, we need to get access to the data on the phone, and that can be a difficult process.

Engineers use advanced tools and techniques to recover data from the device in wide ranging types of failures and damage. Depending on the damage, sometimes we can restore the device to a temporary functioning state to access the data somewhat natively (meaning that we can just plug in the phone and read the data as the manufacturer intended).

However, if there’s a severe underlying problem, the actual data may be damaged. Crippling damage to text message data may occur not only through physical or electrical means, but also through overwriting due to deletion, corruption, operating system updates, or factory resets. When native access is not an option, we’ll do whatever it takes to obtain a data image and work from there. Many repair techniques necessitate an ISO 5 cleanroom and other expensive equipment, so we’ll avoid a lengthy discussion of those methods for now.

Where are Text Messages Stored on a Modern Cell Phone?

Text messages are generally stored in smartphones in an SQLite database. This is true across various manufacturers, but unfortunately for our engineers, the database type is where the similarities end.

Each different cell phone model will typically have a different database schema, or table structure, in which it stores text message data. Now, commercial software tools exist that can help recover text message data from functioning SQLite databases — but options are slim when there is damage to the database.

To obtain as many text messages as possible from a damaged phone, we work with the raw data image and we use special software (developed in house) along with some manual data evaluation and analysis.

The first step is determining the definition of the database table containing the messages. This process will include deciphering how each of the components of a text message record are stored, including associated phone numbers, service center number, timestamps, and the message body.

The Text Message Record and Cell Phone Message Recovery

The second step includes the identification of a text message record. There can even be more than one format to account for. After we have a grip on this, we need to write the definition so that our recovery program will be able to identify message records, and interpret the various components correctly from raw data.

The identification of a text message record is crucial because in the uncertainty of raw data, defining the method used to find text messages will determine whether all the text messages are recovered; if the text message record is improperly defined, a significant number of messages may be missed.

We are extremely careful to ensure that our methods will not miss any potentially valuable text message, including damaged partial message records. We do this by using the lowest possible minimum requirements for identification in our algorithm while still ensuring that there are few false positives.

We then perform rigorous testing, performing numerous checks on known text message data areas we’ve discovered in separate analysis. Finally, after we’ve run our software, we complete a final comparison check between the text messages extracted and the text messages known in raw data. This allows our engineers to make sure that they have everything.

I need to stress that this thorough process and custom software solution really separates our service from the hardware and software products available commercially, and also from other forensic companies and law enforcement agencies that use them. We certainly have many commercial hardware/software products available in our laboratories, and we use them when appropriate.

However, our process allows us to recover more than any commercial product when required by the situation; by using a combination manual techniques and tailored software processing, we can perform a much more thorough text message recovery than any individual software or hardware tool. In a recent case, the best commercial software was able to find 2,098 text messages, while we recovered 3,756 valid messages – 79% more. I think this shows the value of experience; if you have a cellphone and need to recover missing text messages and other mobile data, you can be assured that Datarecovery.com will give you the best possible result.

For more information on our cell phone related services visit this page, or call us at 1.800.237.4200.

The post A Guide to Mobile Phone Text Message Recovery appeared first on Datarecovery.com.