MobWorm (Mobile-Sandbox & ADEL)

1 2 3


Malware is defined as computer programs that are used by an attacker to execute malicious code on the computer of a victim. In today's Internet malware constitutes a major problem and effective safety measures against this harassment are necessary. This problem looms as a new and future threat to smartphones, too. They contain many information which are of great interest for attackers. Several hundred different versions of malware for this type of device have already been noticed and it is expected that this number will increase even further within next years. Thus, effective and efficient protection measures against malware on mobile devices (mobile malware) become necessary, in order to have procedures for detecting and repelling these threats right from the beginning. 

Mobile malware and the forensic analysis of smartphones were the focus of the project MobWorm which was funded from September 2010 to February 2013 by BMBF. Project partners were Ruhr-Universität Bochum (Thorsten Holz, project leader), Zynamics (Thomas Dullien), and Gdata (Ralf Benzmüller). We report here on some of the results.

Automated Malware Analyses

In the scope of MobWorm we developed a dynamic analysis plattform for Android apps called mobile sandbox. The plattform could monitor and log activities of an app. It could also be used as a security technology in that it could terminate an app directly if an unauthorized sequence of action occurs (e.g. the opening of a permitted network connection or the dialing of an expensive service number). Mobiel sandbox is documented in several publications (see below).

Mobile-Sandbox Logo

For several years mobile sandbox was available as a public service using the URL From the beginning of 2018 we stopped this service since management overhead was increasing and similar such services were available online. The source code of mobile sandbox is still available on github at the following address:

Mobile Phone Forensics

Within the frame of this research question we developed several methods to conduct forensic analysis on smart phones. In this context a major focus was put on Googles Android platform. In a first step various methods were researched how to create a memory dump of a mobile phone (e.g. with the help of Twister-Box, via JTAG or with specic software). These are documented in forensic processes, i.e. in detailed and exact activity rules. In a second step  the methods for analyzing memory dumps were developed. As a result the usability and effectiveness of standard procedures like le carving and hash-value databases in the area of mobile phones were investigated. The focus of the application examples is always put to the corresponding investigation of malware-infections. With respect to the development we put great emphasis on the compliance with forensic principles and the adherance of scientific standards. The resulting system was called ADEL (Android Data Extractor Lite) and is documented in several publications (see below).



  • Felix Freiling, Sven Schmitt, Michael Spreitzenbarth: Forensic Analysis of Smartphones: The Android Data Extractor Lite (ADEL). The 2011 ADFSL Conference on Digital Forensics, Security and Law , Richmond, Virginia USA, 2011-05-27.
  • Michael Spreitzenbarth. Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware. In Sebastian Uellenbeck, editor, Proceedings of the Sixth GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING). Technical Report SR-2011-01, page 10. GI FG SIDAR, Bochum, March 2011.
  • Michael Spreitzenbarth, Sven Schmitt, Felix Freiling: Forensic Acquisition of Location Data on Android smartphones. In: Peterson, Bert ; Shenoi, Sujeet (Hrsg.) : Advances in Digital Forensics VIII. New York : Springer Science+Business Media, 2012, S. 0-0.
  • Michael Spreitzenbarth, Sven Schmitt: Is data retention still necessary in the age of smartphones? In Hakin9 Extra 03/12.
  • Michael Spreitzenbarth, Thomas Schreck, Florian Echtler, Daniel Arp, Johannes Hoffmann: Mobile-Sandbox: Combining static and dynamic analysis with machine-learning techniques. Int. J. Inf. Sec. 14(2): 141-153 (2015).
  • Michael Spreitzenbarth: Dissecting the Droid: Forensic Analysis of Android and its malicious Applications (Sezierung eines Androiden). PhD thesis, University of Erlangen-Nuremberg, 2013.
  • Michael Spreitzenbarth, Felix C. Freiling, Florian Echtler, Thomas Schreck, Johannes Hoffmann: Mobile-Sandbox: Having a deeper look into Android applications. ACM SAC 2013: 1808-1815.