Course 5 - Full Mobile Hacking | Episode 8: Technical Check for Mobile Indicators of Compromise using ADB and Command Line

EPISODE · Nov 13, 2025 · 11 MIN

from CyberCode Academy · host CyberCode Academy

In this lesson, you'll learn about:

Goal (conceptual): verifying whether an Android device is compromised
- How investigators look for Indicators of Compromise (IoCs) on a device by inspecting network activity and running processes; emphasis on performing all checks only with explicit authorization and on isolated lab devices.

Network-level indicators:
- Look for unexpected outbound or long-lived connections to remote IPs or uncommon ports (examples of suspicious patterns, not how-to).
- High-risk signals include connections to unknown foreign IPs, repeated reconnect attempts, or traffic to ports commonly associated with remote shells/listeners.
- Correlate network findings with timing (when the connection started) and with other telemetry (battery spikes, data usage) to prioritize investigation.

Process & runtime indicators:
- Unusual processes or services running on the device (unexpected shells, daemons, or package names) are strong red flags.
- Signs include processes that appear to be interactive shells, packages with strange or obfuscated names, or processes that persist after reboots.
- Correlate process names with installed package lists and binary locations to determine provenance (signed store app vs. side-loaded package).

Behavioral symptoms to watch for:
- Sudden battery drain, unexplained data usage, spikes in CPU, or device sluggishness.
- Unexpected prompts for permissions, new apps appearing without user consent, or developer options/USB debugging enabled unexpectedly.

Forensic collection & triage (high level):
- Capture volatile telemetry (network connections, running processes, recent logs) and preserve evidence with careful documentation (timestamps, commands run, who authorized the collection).
- Preserve a copy/snapshot of the device state (emulator/VM snapshot or filesystem image) before further analysis to avoid contaminating evidence.
- Export logs and network captures to an isolated analyst workstation for deeper correlation and timeline building.

Correlation & investigation workflow (conceptual):
- Cross-reference suspicious outbound connections with running processes and installed packages to identify likely malicious artifacts.
- Use process metadata (package name, signing certificate, install time) and network metadata (destination domain, ASN, geolocation) to assess intent and scope.
- Prioritize containment (isolate device/network) if active exfiltration or ongoing C2 is suspected.

Containment & remediation guidance:
- Isolate the device from networks (airplane mode / disconnect) and, where appropriate, block suspicious destinations at the network perimeter.
- Preserve evidence, then follow a remediation plan: revoke credentials, wipe/restore from a known-good image, reinstall the OS from trusted media, and rotate any secrets that may have been exposed.
- Report incidents per organizational policy and involve legal/compliance if sensitive data was involved.

Safe lab & teaching suggestions:
- Demonstrate IoCs using emulators or instructor-controlled devices in an isolated lab network; never create or deploy real malicious payloads.
- Provide students with sanitized capture files and pre-built scenarios so they can practice correlation and investigation without touching live systems.

Key takeaway: Detecting device compromise relies on correlating suspicious network activity with anomalous processes and device behavior. Always investigate within legal/ethical bounds, preserve evidence, and prioritize containment before remediation.

You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
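The correlation step the episode describes (matching outbound sockets to the process that owns them, then to the installed package and its install location) can be practised on exported telemetry instead of a live device. The script below is an added example written for this page, not CyberCode Academy's own material. It assumes three text dumps whose formats approximate `adb shell ss -tanp`, `adb shell ps -A` and `adb shell pm list packages -f`; the embedded sample lines are constructed (documentation-range IPs, invented package names), and the listener-port watchlist and the set of system partition prefixes are assumptions an analyst would replace with their own.

```python
"""Correlate device sockets with owning processes and installed packages (triage helper)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# --- Constructed sample telemetry (not captured from a real device) ---------------
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
ESTAB  0      0      10.0.2.16:41234    192.0.2.10:443     users:(("com.android.chrome",pid=2314,fd=77))
ESTAB  0      0      10.0.2.16:50112    203.0.113.77:4444  users:(("sh",pid=4182,fd=3))
ESTAB  0      0      10.0.2.16:50220    198.51.100.9:8080  users:(("com.xyzq.updater",pid=4190,fd=12))
LISTEN 0      4096   127.0.0.1:5037     0.0.0.0:*          users:(("adbd",pid=812,fd=9))
"""
PS_OUTPUT = """\
USER      PID  PPID     VSZ    RSS WCHAN ADDR S NAME
u0_a155  2314   612 5012345 123456     0    0 S com.android.chrome
u0_a203  4182  4190   10240   2048     0    0 S sh
u0_a203  4190   612 2048000  80000     0    0 S com.xyzq.updater
shell     812     1   22000   4000     0    0 S adbd
"""
PM_OUTPUT = """\
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~Ab12==/com.xyzq.updater-Xy==/base.apk=com.xyzq.updater
"""

# Assumed analyst-maintained values; replace with your own intel and device layout.
WATCHLIST_PORTS = {4444, 1337, 31337}
SHELL_BINARIES = {"sh", "bash", "mksh", "toybox"}
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')


@dataclass
class Finding:
    pid: int
    process: str
    owner_package: Optional[str]
    peer: str
    reasons: List[str] = field(default_factory=list)


def is_local(host: str) -> bool:
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in LOCAL_NETS)


def parse_ss(text: str) -> List[Tuple[str, str, int, str, int]]:
    """(state, peer_host, peer_port, process_name, pid) per socket; header/wildcards skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts, m = line.split(), PROC_RE.search(line)
        if len(parts) < 6 or not m:
            continue
        host, _, port = parts[4].rpartition(":")
        if port == "*":  # listening socket, no peer to assess
            continue
        sockets.append((parts[0], host.strip("[]"), int(port), m["name"], int(m["pid"])))
    return sockets


def parse_ps(text: str) -> Dict[int, Tuple[int, str]]:
    """pid -> (ppid, name) from `ps -A` style rows (USER PID PPID ... NAME)."""
    return {int(p[1]): (int(p[2]), p[-1])
            for p in (l.split() for l in text.splitlines()[1:]) if len(p) >= 9}


def parse_pm(text: str) -> Dict[str, str]:
    """package name -> APK path from `pm list packages -f` rows (path may contain '=')."""
    packages = {}
    for line in text.splitlines():
        if line.startswith("package:"):
            path, _, pkg = line[len("package:"):].rpartition("=")
            packages[pkg] = path
    return packages


def owner_package(pid: int, procs, packages, max_hops: int = 8) -> Optional[str]:
    """Walk the parent chain until a process named after an installed package (pkg:service ok)."""
    for _ in range(max_hops):
        if pid not in procs:
            return None
        ppid, name = procs[pid]
        if name.split(":")[0] in packages:
            return name.split(":")[0]
        pid = ppid
    return None


def triage(ss_text: str, ps_text: str, pm_text: str) -> List[Finding]:
    """Flag remote connections by port watchlist, shell ownership and package provenance."""
    procs, packages, findings = parse_ps(ps_text), parse_pm(pm_text), []
    for state, host, port, name, pid in parse_ss(ss_text):
        if state not in ("ESTAB", "SYN-SENT") or is_local(host):
            continue
        reasons = []
        if port in WATCHLIST_PORTS:
            reasons.append(f"peer port {port} is on the listener watchlist")
        if name in SHELL_BINARIES:
            reasons.append("socket is held by a shell binary rather than an app process")
        owner = owner_package(pid, procs, packages)
        if owner and not packages[owner].startswith(SYSTEM_PREFIXES):
            reasons.append(f"owner {owner} at {packages[owner]} is user-installed; check installer and signer")
        if reasons:
            findings.append(Finding(pid, name, owner, f"{host}:{port}", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SS_OUTPUT, PS_OUTPUT, PM_OUTPUT):
        print(f"pid={f.pid} {f.process} owner={f.owner_package} -> {f.peer}: " + "; ".join(f.reasons))
```

On the constructed input the browser's connection on 443 from a package on the `/product` partition produces nothing, while the `sh` process reaches a watchlisted port and, through its parent PID, resolves to a user-installed package that is itself talking to a remote host; that parent-chain step is what turns two separate oddities into one prioritised lead for the timeline.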
