• Toes♀@ani.social
    link
    fedilink
    English
    arrow-up
    28
    ·
    6 months ago

    You could setup debugging and monitor all the traffic from the phone over a long period of time. Inspect it and confirm (or deny) your hypothesis.

    • Socsa
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      This wouldn’t be conclusive since it would be pretty easy to just hide these payloads in some other traffic stream to a compromised node, which is a super common way cyberthreat command and control functions. If the user never initiates a connection to the host, the payloads just wait around so as not to generate suspicious traffic.

      Obviously the threat model for advertising is a bit different, but there’s no reason someone trying to hide this functionality wouldn’t take similar steps.

      • Toes♀@ani.social
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Oh sure, you could be extra careful and attempt to detect any obfuscation or encrypted payloads that weren’t decrypted. Then there’s the concern that the malware watches for this behaviour and you’ll need to further modify the environment.