Imagine someone contacting you saying they received a message from you that you never sent. You check your sent messages but the said message is not there. You get more suspicious when a second person in your contacts tells you the same, and you decide to investigate further.

Modern malware has become extremely stealthy and goes to great lengths to remain hidden, possibly for months. Sending messages is a convenient way for malware to spread to other victims or transmit private data from your phone. For example, WhatsApp Pink is a malicious application which has successfully spread itself through popular instant messaging apps (including Telegram, Signal, WhatsApp etc.) by posing as a pink-themed version of the popular messaging app.

Unfortunately, evidence of such an attack might not be found in your typical forensic mobile sources but can be found in memory. However, analysing the phone’s memory after a reported incident might not uncover anything of value because the evidence (such as sent messages) could have long been deleted by then. Our approach is different because we analyse that area in memory which is required by apps to perform computation on the phone during the incident – making it virtually impossible for the malware to evade detection when it executes.

Much like placing undercover police agents to collect evidence of potential criminal activity, several researchers within the Department of Computer Science have been working on inserting hidden probes within sensitive mobile applications that malware may target. The idea sounds simple enough but presents several challenges, mainly because engineering and inserting such probes is a delicate process which, at first glance, is not even compatible with stock devices and which, in any case, can easily upset the stability of the application and the phone in general.

Here are a few of the hurdles we overcame in this regard using an undercover operation as a metaphor:

• Undercover agents must blend in: Deploying probes in your phone might cause the application to stop working if they are too intrusive or hinder victims from using it if the process involves making drastic changes to their phones. Our probes, therefore, need to be deployed as seamlessly as possible by employing cutting-edge technology to collect evidence with negligible impact.

• Having undercover agents everywhere all the time might be useful but very costly. Instead, undercover agents are sent in only when and where there is a high probability of the operation being fruitful. Similarly, we have identified events of interest which would trigger our – otherwise dormant – probes to activate and take a copy of the phone’s memory.

• Due to the specialised nature of each job, undercover agents need to adapt and prepare for each situation. Similarly, engineering our probes requires much effort to cater to different scenarios. Our latest work revolves around creating super agents which can handle different situations with minimal adaptation.

While ensuring the security of mobile phones remains a very hard task for all involved, these improved techniques to obtain evidence can let you sleep easier, knowing that investigators have more tools at their disposal to collect digital evidence and respond to attacks.

Project DETECTIF is financed by the Malta Council for Science and Technology for and on behalf of the Foundation for Science and Technology through the Fusion: R&I Research Excellence Programme.

Christian Colombo, Jennifer Bellizzi and Mark Vella are computer scientists at the Computer Science Department within the Faculty of ICT, University of Malta.

Sound Bites

•        A new study has linked underground climate change to the shifting ground beneath urban areas. The phenomenon is affecting all major urban areas around the globe, causing civil structures and infrastructures to crack.

•        Researchers have discovered the most distant active supermassive black hole to date with the James Webb Space Telescope (JWST). The galaxy, CEERS 1019, existed about 570 million years after the Big Bang, and its black hole is less massive than any other yet identified in the early universe.

For more soundbites, listen to Radio Mocha


•        Aloe vera products are made using the jelly subsistence at the core of the leaf.

•        In 2015, tested 10 random aloe products in the US and found that half of them did not contain any aloe.

•        Aloe plants can survive for more than 100 years due to their hard and resilient nature.

•        Aloe is not a cactus but rather its own species of plant.

For more trivia, see:


Independent journalism costs money. Support Times of Malta for the price of a coffee.

Support Us