Introduction to Mobile Malware

Outline Introduction Types of Malware Malware examples How Malware Spreads Prevention AndroRAT Hands-on Lab

Introduction Mobile Security has become a fast growing issue Nearly 100,000 new malicious programs for mobile devices were detected in 2013 (Kaspersky Lab) More than twice the number detected in 2012

Types of Malware In terms of functionality, there are three types: Mobile Device Data Stealers Rooting Capable Malware Premium Service Abuser

Mobile Device Data Stealers Mobile Device Data Stealers – Malware that steals personal information such as contacts, phone logs, browsing habbit, SMS and GPS data.

Mobile Device Data Stealer Example: NickiBot NickiBot – a malware with client and server components Can perform (GPS-based) location monitoring, sound recording, email-based uploading, as well as call log collection. After installation it will obtain the phone’s International Mobile Equipment Identity (IMEI) and runs in the background while trying to connect to a server. It only works on phones that have the ability to connect to a particular server. if the phone does not connect to the server, NickiBot will automatically terminate. NickiBot will only execute certain function when it receives commands from the server or through SMS.

Nickibot Permission Review Permissions needed: android.permission.INTERNET android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_COARSE_LOCATION android.permission.READ_PHONE_STATE android.permission.READ_CONTACTS

NikiBot Code Example: Stealing Contacts Pseudo code: Uri CONTENT_URI = ContactsContract.Contacts.CONTENT_URI; Cursor cursor = contentResolver.query (CONTENT_URI, null, null, null, null); // cursor points to a contact String name, num; while(cursor.next != null){ name = c.name; // get the contact name num = c.num; // get the contact phone number } Print name and num;

Mobile Device Data Stealer Example: Find and Call Find and Call – a malware on iOS and Android devices When it is started on your device, it will ask you to register your device online Once registration is completed it will begin spreading to the contacts in the phone By sending SMS spam messages embedding an URL in the message It will also upload the contact book to a remote server

Rooting Capable Malware Rooting capable Malware – Malware that controls a device by obtaining root access. Once malware has root access to your phone it becomes very challenging to remove it.

Rooting Rooting allows higher level of customization Installing from unofficial markets System Backups Tethering- the connection of one device to another via cable or wireless Uninstalling apps However, malwares can take advantage of root commands to obtain permissions

Rooting Capable Malware Example 1– DroidDream DroidDream is a high threat level malware that has rooting capability It can infect many legitimate applications. It has client and server components The application that is infected with DroidDream client can root the device and send sensitive information like the IMEI to a remote server. IMEI (International Mobile Station Equipment Identifier)

Rooting Capable Malware Example 2 – DroidKungFu DroidKungFu obtains absolute control of the phone in order to access arbitrary files in the phone Has the capability to install or remove any packages which will result in certain applications not working. Some minor variants of the DroidKungFu have the ability to change the user homepage without the user knowing.

Premium Service Abusers Premium Service abusers – Malware that will send SMS messages or dial premium services that will charge the device owner.

Premium Service Abusers Example 1 -Zsone Zsone: found in China. Once the user runs the app on their phone, the app will send an SMS message to subscribe the user to a premium-rate SMS service.. Txtnation is an example of premium-rate SMS service It provides Bulk SMS alerts and reminders, SMS Billing for Premium Rate SMS for content services

Premium Service Code Example Permissions needed: android.permission.SEND_SMS Sending SMS: public void sendSMS() { String phoneNumber = "0123456789"; String message = "Hello World!"; SmsManager smsManager = SmsManager.getDefault(); smsManager.sendTextMessage(add parameter); }

How mobile malware spreads Infect via Bluetooth Malware can spread to other Bluetooth devices in surrounding areas User Download from suspicious sites Malware authors create fake websites to cause their malware being downloaded Repackage as Trojan Malware author disassemble a popular app, enclose malicious payloads, re-assemble and submit to App Store Apps automatically download updates During the update, malicious commands are downloaded to the phone

Mobile Malware Prevention Google Play store's Protection against Mobile Malware Anti-virus software Best Practices for Mobile Device Users to Defend against Malware Malware Prevention and Detection Using Sandbox

Google Play Store’s Protection Against Mobile Malware Google play store does not allow worms, virus, Trojan horses or malware to be updated to google play store However, the process of uploading apps does not completely prevent malware being uploaded to the Google play store Google’s bouncer software is a measure to prevent malware in Google play store

Google’s Bouncer Software Bouncer is a dynamic analyzer that scans new and old malware on the play store periodically. 40% of malware was detected and removed Problems: Each time it only runs for 5 minutes on one app and only does dynamic analysis Therefore if a malware did not misbehave during the scan it will not be removed

Anti-virus When a new software is downloaded, anti-virus software will automatically scan When an external drive is used, the drive will be automatically scanned If no virus is found, scan will continue to its destination. If virus is found in a file The infected file can be disinfected and the scan will continue to its destination while alerting the user The infected file cannot be disinfected and will be moved to a sandbox. Popular antivirus software: AVG, Lookout, Norton and Mobile Care.

Best Practices for Mobile Device Users to Defend against Malware Always look at the permissions requested by the app and check to see if the app really needs that function of the phone. Download from Reliable Sources Install updates as soon as they are released If device is infected with malware, remove as quickly as possible. Use password-based authorization on the device Install security software and antivirus Do not root device. Rooting may give malware control to the device Encrypt your data – some android devices have full encryption.

Malware Prevention and Detection Using Sandbox - 1 An area that is separated from critical resources of a system, in which untested code is run Static and dynamic analysis tools can be run within sandbox Mobile Sandbox (proposed by Spreitzenbarth et al.) Static analysis to check for dangerous function calls (such as connecting to premium service) Dynamic analysis to monitor whether sensitive information leaves the phone

Malware Prevention and Detection Using Sandbox - 2 A mechanism to identify malware that uses packing and obfuscation to avoid Antivirus (Lee et. al) The API call sequence o the malware is converted to a call graph, which is reduced to a code graph A code graph is used to uniquely identify the malware Airmid A prototype tool that automatically identifies and responds to mobile malware based on their network behavior Network sensors detect malicious traffic and alerts the device A program on the device identifies the executable code responsible and creates a plan of action to repair the device Filtering the traffic at the device, sandboxing or removing the app, patching the device, or restoring the device to its factory settings

AndroRAT It is a remote administration tool (RAT) for Android devices It allows an attacker to remotely gain control over another device and steal information from it It has client and server components The client is Android APK file running on an Android device The server is java file running on a server Client can be injected into another Android application to become a Trojan by using AndroRAT APK binder

AndroRAT Features Retrieve call log and place a calls Retrieve and send SMS messages Retrieve contact information Retrieve and download files from mobile device Capture and stream sound/video Get device location Open a URL in the default browser

AndroRat Implementation The client side: runs on a mobile device as a simple application A button “start service” initiates the communication between the device and the server The server side: socket programming is used for client/server communication using TCP

AndroRat Binder Implementation