The most important step towards determining whether a device is infected is to determine whether any process other than the audit process is active. Once that is settled, you can scan the entire memory, using either a whitelist or a blacklist approach. But how can you tell with certainty whether other processes are active, when such a process can intercept and modify the answer your audit software produces? (This is exactly how rootkits avoid detection.)
We therefore need to establish that there is only one active process on the client machine, namely an unmodified copy of the audit process. We reach this goal by performing a procedure called memory-printing. The memory-printing computation is configured to require all of free RAM in order to complete in the expected amount of time. (Here, free RAM is the RAM that should be free once all other processes have been swapped out to secondary storage.) It has the property that any reduction of the space available to it leads to a measurable slowdown of the computation. Moreover, it accesses memory in a pattern that causes a notable slowdown if the process is modified to sometimes read from secondary storage instead of RAM, so an attacker cannot hide the shortfall by paging part of the working set to disk. Therefore, if a malware agent is active, i.e. occupies any of the free RAM, the computation is slowed down. By checking both the computed result and the time it took to produce it, an external server determines whether the client machine is infected. This requires the server to know the device's RAM size and how long an honest run takes on that hardware, so the expected time is calibrated per device type rather than guessed.
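The following C program is an added illustration of the two properties described above, written for this page; it is not FatSkunk's implementation and does not reproduce the patented design. It simulates both sides in one process: the prover fills a buffer whose every cell depends on an unpredictable earlier cell (so dropping cells to make room costs recomputation or paging), then walks the buffer in a digest-dependent random order (so reads cannot be prefetched and are far slower off secondary storage); the verifier recomputes the digest from the same challenge and accepts only if the digest matches and the reported time is within budget. All names (`memprint_fill`, `memprint_digest`, `memprint_prove`, `memprint_verify`), the xorshift64* generator, the mixing constants, the 8 MiB buffer size and the 5 s budget in `main` are assumptions chosen for the demo; a real audit would size the buffer to all free RAM and have the server measure the time over the network.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Challenge-seeded xorshift64* generator; the verifier picks the seed. */
static uint64_t prng_next(uint64_t *s) {
    uint64_t x = *s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Fill phase: each cell depends on the previous cell and on a pseudo-randomly
   chosen earlier cell, so a prover that discards cells to free up RAM must
   either recompute them (slow) or page them back in (slower). */
void memprint_fill(uint64_t *cells, size_t n, uint64_t challenge) {
    uint64_t s = challenge | 1;               /* xorshift state must be non-zero */
    cells[0] = prng_next(&s) ^ challenge;
    for (size_t i = 1; i < n; i++) {
        size_t j = (size_t)(prng_next(&s) % i);
        uint64_t v = cells[i - 1] ^ (cells[j] * 0x9E3779B97F4A7C15ULL) ^ (uint64_t)i;
        v ^= v >> 31; v *= 0xBF58476D1CE4E5B9ULL; v ^= v >> 29;
        cells[i] = v;
    }
}

/* Access phase: random walk where the next index depends on the running
   digest, so accesses cannot be predicted or prefetched; this pattern is the
   worst case for secondary storage standing in for RAM. */
uint64_t memprint_digest(const uint64_t *cells, size_t n, uint64_t challenge, size_t rounds) {
    uint64_t s = challenge ^ 0xA5A5A5A5A5A5A5A5ULL;
    if (s == 0) s = 1;
    uint64_t acc = challenge;
    for (size_t r = 0; r < rounds; r++) {
        size_t idx = (size_t)((prng_next(&s) ^ acc) % n);
        acc = (acc ^ cells[idx]) * 0x9E3779B97F4A7C15ULL;
        acc ^= acc >> 32;
    }
    return acc;
}

struct memprint_result { uint64_t digest; double elapsed_s; };

/* Prover (client) side: allocate the buffer the verifier asked for, run both
   phases, and report the digest with the measured wall-clock time. */
struct memprint_result memprint_prove(size_t n, uint64_t challenge, size_t rounds) {
    struct memprint_result r = { 0, -1.0 };    /* elapsed < 0 marks failure */
    uint64_t *cells = malloc(n * sizeof *cells);
    if (!cells) return r;
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    memprint_fill(cells, n, challenge);
    r.digest = memprint_digest(cells, n, challenge, rounds);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    r.elapsed_s = (double)(t1.tv_sec - t0.tv_sec) + (double)(t1.tv_nsec - t0.tv_nsec) / 1e9;
    free(cells);
    return r;
}

/* Verifier (server) side: it knows the challenge and the device's RAM size,
   so it computes the expected digest independently of the client... */
uint64_t memprint_expected(size_t n, uint64_t challenge, size_t rounds) {
    return memprint_prove(n, challenge, rounds).digest;
}

/* ...and accepts only if the digest matches AND the answer arrived within the
   time budget calibrated for an uninfected device of this type. */
int memprint_verify(struct memprint_result r, uint64_t expected, double budget_s) {
    return r.digest == expected && r.elapsed_s >= 0.0 && r.elapsed_s <= budget_s;
}

int main(void) {
    size_t n = (size_t)1 << 20;        /* 8 MiB demo buffer; a real audit uses all free RAM */
    uint64_t challenge = 0x5EEDC0DEULL; /* would be a fresh random value from the server */
    struct memprint_result r = memprint_prove(n, challenge, n * 4);
    uint64_t expected = memprint_expected(n, challenge, n * 4);
    printf("digest=%016llx elapsed=%.3fs accepted=%d\n",
           (unsigned long long)r.digest, r.elapsed_s, memprint_verify(r, expected, 5.0));
    return 0;
}
```

Two points of the design are worth noting. The verifier rejects on either a wrong digest or an overlong time, so a client that skips the work fails the first check and a client that does the work with less RAM than expected fails the second. And because the walk's next index depends on the running digest, the prover cannot reorder or batch the reads to make a disk-backed buffer look fast; that is the property the paragraph relies on to rule out swapping part of the buffer to secondary storage.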
FatSkunk's patented memory-printing technology works for any type of device, mobile or not.