Malware first appeared on smartphones in 2004 with worms, viruses, and trojans. Android malware saw major increases from 2010-2011 while iOS malware remained low. Notable Android malware included DroidDream, which infected apps on the Android Market, and fake Angry Birds apps that rooted devices. Plankton is sophisticated Android spyware that collects device information. Possible smartphone attacks include DoS on base stations, DDoS on call centers, remote wiretapping, and SMS spamming. Prevention methods involve app store screening, OS security features, anti-virus software, and user education.

2. MALWARES HISTORY
O Smart-phone worms, viruses, Trojan horses
appeared
O Cabir, June 14, 2004 (worm)
O Duts, July 17, 2004 (virus)
O Mosquito dialer, August 6, 2004 (trojan
horse)
O The source code of the Cabir has been
posted online by a Brazilian Programmer
O Various attacks to telecom infrastructures
and users become realityG
A
R
V
I
T

3. IOS/ANDROID MALWARE
O iOS malware: very little
O Juniper Networks: Major increase in Android
malware from 2010 to 2011
O Android malware growth keeps increasing ($$$)
O Main categories:
O Trojans
O Monitoring apps/spyware
O Adware
O Botnets
O We’ll look at notable malware examples
G
A
R
V
I
T

4. IOS MALWARE
O Malware, “fake apps” have hit iOS too
O iKee, first iPhone virus, “rickrolled” jailbroken
iDevices [25]
O Example “fake/similar” apps:
O Temple Run: Temple Climb, Temple Rush, Cave Run
O Angry Birds: Angry Zombie Birds, Shoot Angry Birds
O Not to mention “walkthroughs,” “reference” apps, etc.
O Google Play banned such apps…
O iOS, Android hit with “Find and Call” app
O SMS spammed contacts from central server
O Removed from App Store, Google Play
G
A
R
V
I
T

5. ANDROID: DROIDDREAM
• Infected 58 apps on Android
Market, March 2011
• 260,000 downloads in 4 days
• How it worked:
– Rooted phone via Android
Debug Bridge (adb)
vulnerability
– Sent premium-rate SMS
messages at night ($$$)
• Google removed apps 4 days
after release, banned 3
developers from Market
• More malware found since
G
A
R
V
I
T

6. ANDROID:FAKE ANGRY BIRDS
O Bot, Trojan
O Masquerades as game
O Roots Android 2.3
devices using
“Gingerbreak” exploit
O Device joins botnet
G
A
R
V
I
T

7. PLANKTON
O Plankton is sophisticated malware that can be
classified as a spyware due to the fact that its
main purpose is to collect private information
from the device and send it to a remote server.
O In some versions, Plankton includes the
functionality to download a payload that can be
loaded dynamically in runtime, adding new
functionalities in real time and making it harder
to detect, evading traditional static signatures.
G
A
R
V
I
T

8. O Plankton structure. O Plankton storing object
information about the
infected device.
G
A
R
V
I
T

9. ANDROID: SMS WORM
O Students of information security classes wrote
SMS worms, loggers on Android
O Worm spreads to all contacts via social engineering,
sideloading, etc.
O Logger stored/forwarded all received SMS
messages
O Only needed SEND_SMS, RECEIVE_SMS,
READ_SMS permissions
O Can send 100 SMS messages/hour
O One group put SMS logger on Google Play
G
A
R
V
I
T

10. POSSIBLE SMART-PHONE
ATTACKS
 DoS to base stations
 DDoS to call centers and switches
 Remote wiretapping
 Phone blocking
 SMS spamming
 Identity theft and spoofing
 Physical attack
 National Crisis
G
A
R
V
I
T

11. SPYWARE
O There are a number of apps that are the
equivalent to commercial keyloggers found
on PCs.
O Threats which have used these spying
techniques are NickySpy, Spitmo,
GGTracker and GoldenEagle. NickySpy is
interesting in that it utilizes the
MediaRecorder() class to turn on the
microphone and discretely record and save
conversations to the SDCard.
G
A
R
V
I
T

12. SPYWARE EXAMPLE
G
A
R
V
I
T

13. ATTACK VECTORS
G
A
R
V
I
T

14. ATTACK ANALYSIS
O Low-level attacks
O Stack implementations
O Malware as payload
O PC → Phone via USB
O High-level attacks
O Installing apps
O Physical accessG
A
R
V
I
T

15. LOW-LEVEL ATTACKS
O Advantage: unattended infection
O Disadvantage: efforts for the malware
developer:
 Malware developed in two stages
O Stage 1: Develop functionality (high-level, C) and
the machine code to be injected into buffer
(time consumption fixed, 13 weeks, fulltime)
O Stage 2: Find an application with buffer-
overflow vulnerability (time consumption variable)G
A
R
V
I
T

16. HIGH-LEVEL ATTACKS
O Advantage: malware developer can focus on
functionality (use high-level API)
O Disadvantage:
O Manual installation by the user, grant requested
access rights
O But: User will assume apps from the official
store are safe
O Costs incurred to publish app in official store
O But: Costs usually low compared to earnings (even
with Apple's app-store fee of $99)
G
A
R
V
I
T

17. DOS TO BASE STATIONS
 Compromised
smart-phones use
up radio resource
at a base station
 Even a handful of
zombies can
increase call
blocking rate
(0.01% required)
dramatically or
put the system
out of serviceSmart-phone zombies
G
A
R
V
I
T

18. N
B
C
A
PLMN: Public land mobile network PSTN: Public switched telephone network
PLMN PSTN Call Center
DDOS TO CALL CENTERS AND
SWITCHES
G
A
R
V
I
T

19. GSM
User A
Internet
User B
WLAN
GSM
Voice
stream
voice packet
wiretapper
PSTN
REMOTE WIRETAPPING
G
A
R
V
I
T

20. IOS DATA PROTECTION
MEASURES
O Each iDevice has hardware-accelerated
crypto operations (AES-256)
O Effaceable Storage: securely removes
crypto keys from flash memory
O “Erase all content and settings” wipes user data
using Effaceable Storage (locally or remotely)
O Interact with mobile device management
(MDM), Exchange ActiveSync servers
O Developers can use APIs for secure file,
database storage
O Passcodes:
O Admins can require numeric, alphanumeric, etc.
O Wipe device after 10 failed login attempts.
G
A
R
V
I
T

21. ANDROID ARCHITECTURE
G
A
R
V
I
T

22. ANDROID SECURITY (1)
• Android built on Linux kernel, which provides
– User permissions model
– Process isolation
• Each app is assigned unique user/group IDs,
run as a separate process ⇒ app sandbox
• System partition mounted read-only
• Android 3.0+ enables filesystem encryption
using Linux dmcrypt (AES-128)
• Device admins can require passwords with
specific criteria, remote wipe devices, etc.
G
A
R
V
I
T

23. ANDROID SECURITY (2)
O Android device
administration (3.0+):
O Remote wipe
O Require strong
password
O Full device encryption
O Disable camera
G
A
R
V
I
T

24. ANDROID SECURITY (3)
• Other protection mechanisms:
– Android 1.5+: stack buffer, integer overflow
protection; double free, chunk consolidation attack
prevention
– Android 2.3+: format string protection, NX, null
pointer dereference mitigation
– Android 4.0+: ASLR implemented
– Android 4.1+: ASLR strengthened, plug kernel leaks
• Capability-based permissions mechanism:
– Many APIs are not invoked without permission, e.g.,
camera, GPS, wireless, etc.
– Every app must declare the permissions it needs
– Users need to allow these permissions when installing
app
G
A
R
V
I
T

25. ANDROID SECURITY (4)
O All Android apps need
to be signed: by the
developer, not Google
O Google Play app store
less regulated
O Apps available rapidly
after publishing
O Bouncer service scans
for malware in store
Google Play permissions interface
G
A
R
V
I
T

26. PREVENTION OF
INFECTION I
O Operator of the app-store : introduction of
static and dynamic analyses to reduce chance of
malware being published
O Programmer of OS : tighter default values for
security framework
O Network provider : collaborate with AV
specialists to minimize infection over provider
controlled channels (SMS, MMS, 3G internet)G
A
R
V
I
T

27. PREVENTION OF
INFECTION II
O User:
O Use anti-virus software
O Disable BlueTooth (avoid proximity malware)
O Use locking mechanisms (prevent 3rd party
infecting the phone physically)
O Society:
O Advertise the threat of malware to mobile
phones.
O Apply knowledge from the PC world to the mobile
phone.
G
A
R
V
I
T

28.  Feature reduction
 E.g., turn off bluetooth when not
active
 OS hardening
 E.g., always display caller number
when making a phone call
 Lighting up LCD display when dialing
 Hardware hardening
 SIM card to authenticate OS and
applications
SMART-PHONE HARDENING
G
A
R
V
I
T

29.  Internet side protection
 NIDS, Firewalls, Patching, Shielding, …
 Base station performs shielding for users
• Make seamless handoff challenging
• Difficult to change deployed 802.11 APs
 Telecom side protection
 Abnormal behavior detection
 Reactions (Rate limiting, Call filtering, Blacklist)
 Advantage to take: Behavior of telecom users is
highly predictable and most of the reaction
building blocks already exist
 Smart-phone side protection
 Cooperation among the three parties
DEFENSES
G
A
R
V
I
T

30. G
A
R
V
I
T