
Samsung Galaxy Z Fold — Spyware Detection & Forensic Analysis
The Samsung Galaxy Z Fold series represents a paradigm shift in mobile computing, acting as both a smartphone and a tablet.
Samsung Galaxy Z Fold: What Makes It a Target
This dual-screen architecture creates unique usage patterns. Users frequently multitask, run multiple instances of apps simultaneously, and utilize complex split-screen configurations.
Forensically, the Z Fold is a massive data repository. The way Android handles application states across folding and unfolding events creates unique artifacts that can be critical in an investigation.
Samsung Galaxy Z Fold Security Architecture
The Z Fold is protected by the same formidable Samsung Knox architecture as the Galaxy S-series flagships.
It utilizes the Qualcomm Snapdragon processor, TrustZone isolation, and hardware-backed File-Based Encryption (FBE).
A security consideration specific to the Z Fold is how it handles application lifecycle states (App Continuity). When the device is folded or unfolded, running apps are resized and moved between the cover screen and the main screen. Each transition is a configuration change that WindowManager and ActivityManager process and record in their dumpsys state and logcat output, which is what makes fold and unfold events recoverable after the fact.
Furthermore, the device supports 'Multi-Active Window', allowing up to three apps to run on screen at once. This complicates interpretation of the `UsageStats` event stream, because several packages can be in the resumed (foreground) state at the same time; an examiner must track state per package rather than assuming that one app's resume implies another's pause.
- Samsung Knox: Hardware-backed protection, including the Knox warranty bit (an e-fuse) that is permanently tripped when unofficial firmware or a custom bootloader is flashed.
- App Continuity Logging: WindowManager and ActivityManager artifacts generated by folding/unfolding events.
- Multi-Active Window: Overlapping foreground states require per-package parsing of the `UsageStats` event stream.
- Hardware Complexity: The hinge and two displays add components and exposed surface that a physical adversary with hands-on access can tamper with or observe.

Forensic Analysis Capabilities for Samsung Galaxy Z Fold
Extracting data from a Z Fold involves standard Samsung methodologies, but analyzing that data requires specific attention to its form factor.
Logical Extraction: We use ADB or forensic agents to pull the device logs, specifically targeting the `dumpsys window`, `dumpsys activity` and logcat output to understand how the user interacted with the two screens.
Physical Extraction: As with other modern Samsung devices, physical extraction is heavily restricted by Knox and FBE. Where it is possible at all, it depends on version-specific bootloader or chipset-level access (for example Qualcomm EDL mode), which is frequently unavailable on current firmware.
Screen State Analysis: We parse `dumpsys display` and, on Android 12 and later, `dumpsys device_state` output to establish when the device was folded or unfolded. If a suspicious background process (such as an unauthorised camera app) executes only while the device is closed and the cover screen is active, that correlation provides crucial context about the attacker's methodology.
Common Threats Targeting This Device
The Z Fold faces the standard Android threat landscape, but because its price point skews its user base towards senior staff, it is a disproportionately attractive target for corporate espionage.
Executive Targeting: Because the Z Fold is frequently used by C-suite executives, it is a prime target for 'spear-phishing' campaigns designed to deploy advanced spyware (like Pegasus or Predator) to steal corporate secrets.
Multitasking Vulnerabilities: The complex nature of running multiple apps simultaneously increases the surface area for 'overlay attacks', where malware draws a fake screen over a legitimate banking or email app while the user is distracted by another window.
Physical 'Evil Maid' Attacks: Due to the device's size, it is often left on desks in an unfolded state. This makes it vulnerable to rapid, physical tampering if the device is left unlocked for even a few moments.
Our Assessment Approach
Our investigation of a Galaxy Z Fold is tailored to its unique usage profile and massive data footprint.
We prioritize the extraction of `UsageStats` and `batterystats`, using custom scripts to correlate per-package foreground intervals with the physical fold state of the device over the same period.
We conduct a deep audit of the Samsung 'Secure Folder', which executives frequently use on Fold devices to separate work and personal data.
We analyze the Android Notification History (available on Android 11 and later) and the Samsung keyboard's clipboard store, as users frequently copy and paste sensitive information between the two screens, leaving behind short-lived artifacts that must be captured early.
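The correlation described above, and the per-package handling of overlapping foreground states that Multi-Active Window requires, as an added worked example. This is illustrative code written for this page, not the firm's own tooling. It assumes two inputs: usage events in the `time="..." type=... package=...` shape that `dumpsys usagestats` prints (field names and order vary between Android releases, so the regex may need adjusting for the target build), and a fold-state timeline that the examiner has already reduced to `<timestamp> <FOLDED|UNFOLDED>` lines from `dumpsys device_state` or logcat; that second layout is this example's own convention. The sample log lines and the package `com.example.hiddencam` are constructed.

```python
"""Correlate Android UsageStats foreground intervals with device fold state.

Added example, not the page author's tooling. Input formats are assumptions:
  - usage events:  time="YYYY-MM-DD HH:MM:SS" type=<EVENT> package=<pkg> ...
  - fold timeline: YYYY-MM-DD HH:MM:SS <FOLDED|UNFOLDED>   (examiner-reduced)
"""
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
EVENT_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+type=(?P<type>\w+)\s+package=(?P<pkg>\S+)')

# Event names changed across Android releases; treat old and new as equivalent.
FG_EVENTS = {"ACTIVITY_RESUMED", "MOVE_TO_FOREGROUND"}
BG_EVENTS = {"ACTIVITY_PAUSED", "ACTIVITY_STOPPED", "MOVE_TO_BACKGROUND"}

# Constructed sample data (not from a real device).
SAMPLE_USAGE = """
time="2024-03-01 10:00:00" type=ACTIVITY_RESUMED package=com.android.chrome class=org.chromium.chrome.browser.ChromeTabbedActivity flags=0x0
time="2024-03-01 10:02:00" type=ACTIVITY_RESUMED package=com.google.android.gm class=com.google.android.gm.ConversationListActivityGmail flags=0x0
time="2024-03-01 10:04:00" type=ACTIVITY_PAUSED package=com.google.android.gm class=com.google.android.gm.ConversationListActivityGmail flags=0x0
time="2024-03-01 10:05:00" type=ACTIVITY_PAUSED package=com.android.chrome class=org.chromium.chrome.browser.ChromeTabbedActivity flags=0x0
time="2024-03-01 10:10:00" type=ACTIVITY_RESUMED package=com.example.hiddencam class=com.example.hiddencam.MainActivity flags=0x0
time="2024-03-01 10:12:00" type=ACTIVITY_PAUSED package=com.example.hiddencam class=com.example.hiddencam.MainActivity flags=0x0
"""
SAMPLE_FOLD = """
2024-03-01 09:55:00 UNFOLDED
2024-03-01 10:08:00 FOLDED
2024-03-01 10:15:00 UNFOLDED
"""


def parse_usage_events(text):
    """Return (timestamp, event_type, package) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((datetime.strptime(m["time"], TS_FMT), m["type"], m["pkg"]))
    return sorted(events, key=lambda e: e[0])


def foreground_intervals(events):
    """Per-package [start, end) foreground intervals.

    State is tracked per package, not globally: under Multi-Active Window
    several packages can be resumed at once, so one app's resume must not
    be read as another app's pause."""
    open_at, intervals = {}, defaultdict(list)
    for ts, typ, pkg in events:
        if typ in FG_EVENTS and pkg not in open_at:
            open_at[pkg] = ts
        elif typ in BG_EVENTS and pkg in open_at:      # PAUSED then STOPPED: only first closes
            intervals[pkg].append((open_at.pop(pkg), ts))
    return dict(intervals)


def parse_fold_timeline(text):
    """Return (timestamp, state) change points sorted by time."""
    timeline = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            timeline.append((datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT), parts[2]))
    return sorted(timeline)


def overlap_seconds(a, b):
    """Length of the intersection of two [start, end) intervals, in seconds."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(0.0, (end - start).total_seconds())


def usage_by_fold_state(intervals, timeline):
    """Seconds each package spent in the foreground while FOLDED / UNFOLDED."""
    if not intervals or not timeline:
        return {}
    last = max(max(e for _, e in ivs) for ivs in intervals.values())
    last = max(last, timeline[-1][0])
    # Turn state-change instants into labelled segments [ts_i, ts_i+1).
    segments = [(ts, timeline[i + 1][0] if i + 1 < len(timeline) else last, st)
                for i, (ts, st) in enumerate(timeline)]
    result = {}
    for pkg, ivs in intervals.items():
        totals = defaultdict(float)
        for iv in ivs:
            for s, e, state in segments:
                totals[state] += overlap_seconds(iv, (s, e))
        result[pkg] = dict(totals)
    return result


def concurrent_foreground(intervals):
    """Package pairs that were foreground simultaneously, with overlap seconds."""
    pkgs, pairs = sorted(intervals), {}
    for i, a in enumerate(pkgs):
        for b in pkgs[i + 1:]:
            secs = sum(overlap_seconds(x, y) for x in intervals[a] for y in intervals[b])
            if secs:
                pairs[(a, b)] = secs
    return pairs


def folded_only(by_state):
    """Packages active only while the device was closed: worth a closer look."""
    return sorted(p for p, t in by_state.items()
                  if t.get("FOLDED", 0.0) and not t.get("UNFOLDED", 0.0))


def analyse(usage_text, fold_text):
    ivs = foreground_intervals(parse_usage_events(usage_text))
    by_state = usage_by_fold_state(ivs, parse_fold_timeline(fold_text))
    return {"by_state": by_state,
            "concurrent": concurrent_foreground(ivs),
            "folded_only": folded_only(by_state)}


if __name__ == "__main__":
    report = analyse(SAMPLE_USAGE, SAMPLE_FOLD)
    for pkg, t in report["by_state"].items():
        print(f"{pkg:28s} folded={t.get('FOLDED', 0):6.0f}s unfolded={t.get('UNFOLDED', 0):6.0f}s")
    print("concurrent:", report["concurrent"])
    print("folded-only packages:", report["folded_only"])
```

On the constructed data the script reports Chrome and Gmail overlapping for two minutes (a Multi-Active Window session) and flags `com.example.hiddencam` as the only package that was in the foreground exclusively while the device was closed. Timestamps from the two sources must come from the same clock; if the fold timeline is derived from logcat with a different epoch or timezone, normalise it before correlating.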