
Samsung Galaxy Z Flip — Spyware Detection & Forensic Analysis
Samsung Galaxy Z Flip: What Makes It a Target
The Samsung Galaxy Z Flip series combines the nostalgia of a flip phone with the power of a modern flagship Android device.
Its defining feature—the small external 'Cover Screen'—radically alters how users interact with their notifications and quick settings.
From a security perspective, this Cover Screen introduces unique vulnerabilities, as users frequently interact with sensitive data (messages, payments) without fully unlocking the main device.
Samsung Galaxy Z Flip Security Architecture
Like all modern Samsung flagships, the Z Flip is protected by the defense-grade Samsung Knox architecture and hardware-backed File-Based Encryption (FBE).
The unique forensic element is the Cover Screen OS layer. Samsung has built specific APIs that allow 'widgets' to run on the external screen. These widgets must handle authentication states differently than main-screen apps.
When the phone is closed, it is typically in a locked state. However, the Cover Screen can be configured to display notification content or allow quick replies without requiring the full passcode, creating a potential vector for data exposure if the device is physically accessed.
Furthermore, the 'Flex Mode' (partially folded) triggers specific camera and application behaviors that are heavily logged by the Android system.
- Samsung Knox: Standard, robust hardware security framework.
- Cover Screen APIs: Unique interface layer that handles notifications and quick actions while folded.
- Flex Mode Logging: System-level artifacts generated when the device is used in a partially folded state.
- Authentication Handoff: Complex transition of security states when moving from the Cover Screen to the main screen.

Forensic Analysis Capabilities for Samsung Galaxy Z Flip
Our forensic extraction methods for the Z Flip align with the broader Samsung Galaxy ecosystem.
Logical Acquisition: We perform standard ADB or agent-based extractions to pull application databases, `UsageStats`, and system logs. The passcode is required for this level of access.
Physical Acquisition (Restricted): Due to Knox and FBE, physical extractions are highly dependent on the specific bootloader version and the availability of advanced exploits for Qualcomm's Emergency Download (EDL) mode.
Cover Screen Artifact Analysis: A critical part of the investigation involves parsing the `dumpsys notification` logs to determine exactly what information was displayed on the Cover Screen, and if any quick actions (like replying to a text) were executed while the device was folded.
Common Threats Targeting This Device
The Z Flip faces standard Android malware, but its form factor adds some nuance to physical-access attacks.
Cover Screen Exposure: An abusive partner may not know the main passcode, but if the Cover Screen is configured to show message previews, they can read incoming 2FA codes or private messages simply by tapping the external screen.
Camera Exploitation: The Z Flip's design allows it to sit independently on a surface. Stalkerware can silently activate the camera while the device appears to be innocuously sitting on a desk in 'Flex Mode'.
Rogue Widgets: While Samsung tightly controls Cover Screen widgets, vulnerabilities in this unique UI layer could theoretically be exploited by malware to bypass the lock screen.
Our Assessment Approach
Our investigation of a Galaxy Z Flip heavily scrutinizes the device's physical state logging and notification handling.
We extract the `batterystats` and sensor logs to build a timeline of the device's physical orientation and folding state, correlating this with application activity.
We audit the device settings to determine the exact security configuration of the Cover Screen (e.g., are notifications hidden on the lock screen?).
We perform a deep analysis of the Android camera daemon logs (`cameraserver`) to detect any unauthorized photo or video captures that occurred while the device was folded.
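The correlation step described above, as an added example (not our production tooling): it takes fold-state and camera events already normalized into one timeline and reports camera sessions that overlapped a folded state. The `timestamp kind value` record layout, the package names, and the function name are assumptions of this example, not a real Android log format.

```python
from datetime import datetime

# Constructed sample timeline. The layout is an assumption of this example:
# a normalized form an examiner might produce from the extracted logs.
SAMPLE = """\
2024-05-01T09:00:00 FOLD open
2024-05-01T09:01:00 CAMERA_OPEN com.example.camera
2024-05-01T09:01:30 CAMERA_CLOSE com.example.camera
2024-05-01T09:10:00 FOLD closed
2024-05-01T09:12:00 CAMERA_OPEN com.example.sync
2024-05-01T09:12:45 CAMERA_CLOSE com.example.sync
2024-05-01T09:20:00 CAMERA_OPEN com.example.chat
2024-05-01T09:20:20 FOLD open
2024-05-01T09:21:00 CAMERA_CLOSE com.example.chat
2024-05-01T09:30:00 FOLD half
2024-05-01T09:31:00 CAMERA_OPEN com.example.sync
"""

def camera_use_while_folded(text, flagged=("closed",)):
    """Return (package, start, end, seconds_in_flagged_state) per camera session.

    end is None when the session was still open at the end of the timeline.
    """
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, value = line.split()
            events.append((datetime.fromisoformat(ts), kind, value))
    events.sort(key=lambda e: e[0])

    fold, prev = None, None
    open_sessions = {}  # package -> [start, seconds overlapping a flagged state]
    findings = []
    for ts, kind, value in events:
        # Credit the interval since the previous event to every open session.
        if prev is not None and fold in flagged:
            for sess in open_sessions.values():
                sess[1] += (ts - prev).total_seconds()
        prev = ts
        if kind == "FOLD":
            fold = value
        elif kind == "CAMERA_OPEN":
            open_sessions.setdefault(value, [ts, 0.0])
        elif kind == "CAMERA_CLOSE" and value in open_sessions:
            start, secs = open_sessions.pop(value)
            if secs > 0:
                findings.append((value, start, ts, secs))
    # Sessions never closed: report if they overlapped, or the log ends in a flagged state.
    for pkg, (start, secs) in open_sessions.items():
        if secs > 0 or fold in flagged:
            findings.append((pkg, start, None, secs))
    return findings
```

Passing `flagged=("closed", "half")` also covers sessions that ran while the device sat in Flex Mode.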