Android Mobile Forensics, Recovery, & Debugging

Forensic Checklist: How to Identify and Eradicate Android Malware Persisting Through Factory Resets

By Antigravity Research Published May 30, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Illusion of a Factory Reset

For most Android users, a factory reset is the ultimate solution to performance issues, software glitches, or even suspected malware. It’s perceived as a clean slate, wiping all data and user-installed applications. However, this assumption can be dangerously false when dealing with sophisticated Android malware. Persistent malware can embed itself deeply within the operating system, bootloader, or even firmware, allowing it to survive a standard factory reset and re-infect the device or simply remain dormant, ready to reactivate. This article provides an expert-level forensic checklist and eradication guide for identifying and eliminating such tenacious threats.

Understanding Android Malware Persistence Mechanisms

To effectively combat persistent malware, it’s crucial to understand how it can bypass factory resets. These mechanisms typically involve modifying partitions not fully wiped during a standard reset.

System Partition Modification (Rootkits & Custom ROMs)

Malware with root privileges can modify critical system partitions (/system, /vendor, /boot, /recovery). This includes injecting malicious code into system binaries, altering init scripts, or even replacing core system applications. A factory reset typically only wipes the /data and /cache partitions, leaving the modified system intact.

Bootloader Compromise

An unlocked or compromised bootloader allows for the flashing of unsigned or malicious firmware components. If malware gains control over the bootloader, it can ensure its survival by preventing legitimate firmware flashes or re-introducing itself after a reset by modifying how the device boots.

Firmware/Hardware-Level Persistence

While less common for consumer-level malware, advanced threats can target lower-level components like the baseband processor firmware, Wi-Fi module firmware, or even exploit vulnerabilities in the TrustZone. Such modifications are extremely difficult to detect and eradicate without specialized tools and expertise, often requiring physical intervention or vendor-specific flashing utilities.

Recovery Partition Manipulation

The recovery partition is used for flashing updates, backups, and performing factory resets. Malware can replace the legitimate recovery image with a malicious one (e.g., a custom recovery that re-flashes the malware’s components every time a reset is performed or the device boots), effectively subverting the reset process.

Forensic Checklist: Identifying Persistent Android Malware

Identifying deeply embedded malware requires a methodical approach, going beyond typical app scans.

Step 1: Initial Assessment and Device Preparation

  • Observe Symptoms: Unusual battery drain, excessive data usage, unexpected pop-ups, device slowdowns, suspicious app installations.
  • Enable Developer Options: Go to Settings > About phone, tap ‘Build number’ seven times. Then, in Developer options, enable ‘USB debugging’.
  • Install ADB and Fastboot: Ensure you have the Android SDK Platform-Tools installed on your computer.
adb devices

Confirm your device is listed.

Step 2: Bootloader and Firmware Integrity Check

Malware often requires an unlocked bootloader to modify system partitions. Checking its status is crucial.

  • Reboot to Bootloader:
adb reboot bootloader
  • Check Bootloader Status:
fastboot devicesfastboot getvar all

Look for lines like (bootloader) unlocked: yes or (bootloader) device-state: unlocked. If it’s unlocked and you didn’t do it, that’s a red flag. Older devices might use `fastboot oem device-info`.

Step 3: System and Recovery Partition Verification

Compare your device’s current partition images or their hashes against a known-good stock factory image for your specific device model and build number.

  • Identify Current Partitions: While in fastboot, you can often dump current images if the bootloader permits, though this is device-specific. More practically, you can examine mounted system files.
adb shell mount | grep systemadb shell ls -l /system/binadb shell find /system -name "*suspicious_file*"

Manually inspecting system directories for unfamiliar executables or libraries, especially in /system/bin, /system/xbin, /system/priv-app, and /vendor/bin, can reveal anomalies. If you have access to official factory images, you can compare file lists and hashes.

Step 4: Analyzing Logs and Running Processes

Even if hidden, malware often leaves traces in system logs or runs processes.

  • Monitor Logs for Anomalies:
adb logcat -d | grep -i 'error'adb logcat -d | grep -i 'malicious'adb logcat -d | grep -i 'suspicious'

Look for repeated errors, unusual service startups, or connections to suspicious domains.

  • Examine Running Processes:
adb shell ps -ef | grep -i 'unknown'adb shell cat /proc/cmdline

Look for unfamiliar processes running with root privileges or unusual kernel parameters.

Step 5: Network Traffic Analysis

Persistent malware needs to communicate. Monitoring network traffic can expose C2 (Command and Control) server communication.

  • Use Network Monitoring Tools: On a Wi-Fi network, use tools like Wireshark on a connected computer to capture traffic from the Android device. Look for connections to unusual IP addresses or domains.
  • Android-Side Monitoring: While limited, you can check apps’ data usage or use a VPN app that logs connections (be cautious, as this could itself be a vector).
adb shell netstat -an

This can show active connections and their states.

Eradication Strategy: Eliminating Persistent Android Malware

The most robust method for eradicating deeply embedded Android malware is a full re-flash of official stock firmware.

Step 1: Download Official Stock Firmware

Crucially, download the complete factory image for your *exact* device model and region directly from the manufacturer’s official website or a trusted developer resource (e.g., Google’s factory images for Pixel devices). Do not use third-party repositories unless explicitly verified.

Step 2: Prepare for Flashing

  • Ensure your device is at least 80% charged.
  • Have ADB and Fastboot tools set up.
  • Extract the downloaded factory image to a known directory.

Step 3: Full Stock Firmware Re-flash

This process will overwrite all critical partitions, including bootloader, radio, system, vendor, and recovery, effectively wiping away any malicious modifications. The exact commands may vary slightly by manufacturer and device, but the general procedure is as follows:

  • Reboot to Bootloader:
adb reboot bootloader
  • Unlock Bootloader (if necessary): If your bootloader is locked, you might need to unlock it using a command like `fastboot flashing unlock` or `fastboot oem unlock`. WARNING: This will factory reset your device again and void your warranty. Only proceed if absolutely necessary.
  • Flash Partitions: Navigate to the directory where you extracted the factory image. Execute the flashing script provided by the manufacturer (e.g., flash-all.sh on Linux/macOS or flash-all.bat on Windows for Google Pixel devices). If no script, flash partitions manually:
fastboot flash boot boot.imgfastboot flash recovery recovery.imgfastboot flash system system.imgfastboot flash vendor vendor.imgfastboot flash radio radio.img (if applicable)fastboot flash userdata userdata.img (optional, for explicit data wipe)

After flashing all relevant images, clear user data:

fastboot -w
  • Reboot Device:
fastboot reboot

Step 4: Post-Eradication Measures

  • Re-lock Bootloader (Optional but Recommended): If you unlocked the bootloader, consider re-locking it after verifying the device is clean. This enhances security by preventing unsigned images from being flashed.
fastboot flashing lock
  • Change Passwords: Assume all passwords stored on the device were compromised. Change them for all critical accounts (Google, banking, social media, etc.).
  • Enable Two-Factor Authentication (2FA): Where available, enable 2FA on all important accounts.
  • Install Reputable Security Software: While not a silver bullet, a good antivirus can help detect common threats and monitor app behavior.
  • Be Vigilant: Only install apps from trusted sources (Google Play Store), scrutinize app permissions, and keep your device software updated.

Conclusion

Persistent Android malware poses a significant challenge, undermining the security assurances of a standard factory reset. By understanding its persistence mechanisms and employing a rigorous forensic approach combined with a full stock firmware re-flash, users can effectively identify and eradicate even the most deeply embedded threats, restoring their device to a truly clean and secure state.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Forensics #Android Security #Bootloader #Factory Reset #Malware Eradication

Related Technical Guides

OpenOCD for Android JTAG/ISP Forensic Imaging: From Setup to Full Flash Dump

May 30, 2026

Mastering Android Secure Boot Bypass: A Forensics Investigator’s How-To Guide

May 30, 2026

Troubleshooting Script: Recovering Deleted Chrome Incognito Sessions from Android (Advanced)

May 30, 2026