Malware: Detection and Prevention for Smart devices
Santa Clara University
COEN-283: Operating System
Team-8
Priyanka Rao Shweta Deshpande Shriram Suryanarayanan
prao@scu.edu srdeshpande@scu.edu ssuryanarayanan@scu.edu
“Cyber war is the battlefield of now.” - Geoff Livingston
May 28, 2015 Page 1
Contents:
Project Detail
1. Introduction (page 2)
2. Security Models in Current Smart Devices (page 3)
3. Malware Analysis (page 5)
   a. Static Analysis
   b. Dynamic Analysis
4. Malware Detection Techniques (page 7)
   a. Signature Based
   b. Heuristic Based
5. Security Measures and Defense Techniques (page 9)
6. Conclusion (page 12)
7. Future Work (page 12)
8. References (page 13)
1. Introduction
The new generation of cyber attacks is very different from the scattershot attacks designed for mischief. The motivation behind them has gradually changed: their authors now use malware to gain financial benefits on a large scale by stealing individuals' and organizations' data. Cyber criminals successfully use advanced malware, zero-day exploits and other targeted advanced persistent threats (APTs) every day to compromise and breach organizations and individuals.
Smartphones and tablets have long been established as popular personal electronics devices. According
to IDC’s Q2 2014 report, the sales of such devices have, for the first time ever, passed the mark of
300,000,000 devices sold per quarter. This is an important milestone in the market that has been
growing for several years. According to the same IDC report, the distribution of operating systems for
mobile devices is shown below:
[Figure: distribution of mobile operating systems, Q2 2014 (source: Kaspersky Lab)]
As the diagram shows, nearly 85% of the mobile device market was occupied by Android in Q2 2014. The Android operating system is free for device manufacturers and can be easily modified to match various business needs, which has helped it achieve popularity among smartphone and tablet developers as well as consumers across the world. This also means that Android-based devices inevitably attract the attention of cybercriminals who create and distribute malicious programs. It is estimated that 98.05% of all existing mobile malware targets the users of Android devices.
Some of the active malware types:
Trojans are malicious programs that perform actions that have not been authorized by the user. These actions can include deleting data, blocking data, modifying data, copying data, and disrupting the performance of computers or computer networks.
Trojan-SMS: these programs can cost you money by sending text messages from your mobile device to premium-rate phone numbers.
Adware is a form of malware (malicious software) that presents unwanted advertisements to the user of a computer. The advertisements produced by adware are sometimes in the form of a pop-up.
Trojan-Downloader: these programs can download and install new versions of malicious programs onto your computer, including Trojans and adware.
Trojan-Banker programs are designed to steal your account data for online banking systems, e-payment systems, and credit or debit cards.
Exploits are programs that contain data or code that takes advantage of a vulnerability within application software that is running on your computer.
Backdoor Trojans give malicious users remote control over the infected computer. They enable the author to do anything they wish on the infected computer, including sending, receiving, launching and deleting files, displaying data, and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers into a botnet or zombie network that can be used for criminal purposes.
[Figure: Top 10 Malware Types]
2. Security Models in Current Smart Devices
In this section we provide an overview of the security models and protection measures incorporated in current smart devices, especially smart phones. The two major mobile platforms, iOS and Android OS, are built upon traditional desktop operating systems (OS) and inherit some security features from them. We next provide an overview of some of the security features present in the five platforms that currently dominate the market.
Symbian: The Symbian OS security model is based on a basic permission system. Phone resources are controlled by the OS using a set of permissions called “capabilities”. Furthermore, applications run in user space, while the OS runs in kernel space. Applications requiring access to protected resources must be signed by Symbian or the device manufacturer, while all others can be self-signed. There is very little information about protection at the market level.
Blackberry: The BlackBerry security model is based on a coarse-grained permission protection model. Applications have very limited access to the device resources and, as in the case of BlackBerry OS, they must be signed by the manufacturer (RIM) to be able to access resources such as, for example, the user's personal information. Additionally, applications must get user authorization to access resources such as the network. However, once the user grants an application access to the network, the application can both send SMSs and connect to the Internet. Although applications are not executed in a sandbox, some basic process and memory protection is offered. For instance, a process cannot kill other processes nor access memory outside the app's bounds.
Android: Google's Android OS security model relies on platform protection mechanisms rather than on market protection, as users are free to download applications from any market. Applications declare the permissions they request at installation time through the so-called manifest. If the user accepts them, the operating system is in charge of enforcing them at run time. Security policies are here defined for each individual resource, instead of specifying permissions for each app. Furthermore, such definitions can be made at a fine-grained level, allowing users to, for example, grant an app access to only part of the address book. A major consequence is that security policies are therefore defined by the user, not by the developer. However, this approach can easily overwhelm users, as they are held responsible for specifying security and privacy policies.
Additionally, Android OS uses sandboxing and Address Space Layout Randomization (ASLR) to protect applications from malicious interference by other apps. Although Android OS isolates each running process, apps can still communicate with each other using inter-component communication (ICC), a rich functionality that, however, introduces risks such as those discussed before. Furthermore, all Android OS applications must be signed with a certificate to identify the developer. However, the certificate can be self-signed, in which case no certificate authority verifies the identity of the developer.
iOS: Apple's iOS security model [Apple, 2012] relies on market protection mechanisms rather than enforcing complex permission policies on the device at installation time. Apple's App Store is a walled-garden market with a rigorous review process. Those processes are essential for preventing malware from entering the device, as runtime security mechanisms are limited to sandboxing and user supervision. iOS isolates each third-party application in a sandbox. However, most of the device's resources are accessible, and misuse of a few of them, such as GPS, SMS, and phone calls, can only be detected by the user after installation. Apple also uses static and dynamic analyses.
Applications distributed on Apple's App Store must be signed by a valid certificate issued by Apple. Developer certificates are issued to individuals and/or companies after obtaining a verified Apple credential. iOS dynamically verifies that the application is signed, and therefore trusted, before executing it. Nevertheless, iOS can be tampered with (jailbroken) to install applications from alternative markets. This practice violates Apple policies, causes the device to lose its warranty, and allows the distribution of piggyback malware repackaged together with the original app. The latest versions of iOS provide a number of features to protect user data, based on master encryption keys protected by a passcode. The entire file system is encrypted using block-based encryption and can only be decrypted when the phone is unlocked. Additionally, iOS supports ASLR and Data Execution Prevention (DEP) to prevent the execution of arbitrary code at runtime.
Windows Mobile: Microsoft's market protection model for Windows Mobile systems is based on application review. Developers are also validated prior to an application's approval. Platform protection in Windows Mobile is similar to Android OS. It uses a trusted boot component and code signing to protect the integrity of the operating system. It also provides signed drivers and applications through the Windows Phone Store online market.
The latest versions of Microsoft's smartphone OS (Windows Phone 7 and 8) incorporate isolation among different sandboxes [Microsoft, 2012], and each app is executed in its own sandbox, named a “chamber”. Chambers are defined and implemented using a number of system policies that restrict access to other chambers; each security policy defines what permissions, known as capabilities, are given to an app. In this regard, users are informed of the capabilities of an application prior to install.
Malware characterization: We classify malware for smart devices in terms of the following features:
Attack goals and behavior: Identifying the motivation of malware on smart devices is paramount to a better understanding of its behavior and can be used to develop targeted detection strategies. Such goals range from fraud and service misuse driven by economic incentives, to spamming, espionage, data theft and sabotage.
Distribution and infection: Malware creators can use a variety of techniques to distribute malicious applications and infect devices, from self-propagation mechanisms based on vulnerabilities and misconfigurations, to simply tricking the user into installing it by means of social-engineering techniques.
Privilege acquisition: Once the malicious code is installed on the device, it often needs to acquire enough privileges to carry out its goals. This is automatic in many cases, as the user might already have granted them to the app, whereas in other cases technical vulnerabilities and/or misconfigurations are exploited.
Malware Analysis and Detection
Smart devices are often compromised by malware; therefore their security is a major concern. To protect a device from the activities of malware, we first need to understand how to analyze and detect it.
3. Malware Analysis:
Malware analysis is the process of studying the code, behavior and functionality of malware so that the severity of an attack can be measured. It can be done in two ways: A. Static Analysis, B. Dynamic Analysis.
A) Static Analysis (code analysis) examines software properties or a piece of code in order to find malicious code patterns or signatures. In static analysis, detection is done at the source code, binary or API level, without executing the code or file. In this technique, reverse engineering is performed by decompressing, disassembling and searching for patterns in the APK files in order to understand the structure of the malware. Advantage: the method is fast and not very resource consuming, with a low level of false positives (accuracy is high). Disadvantage: obfuscation and encryption techniques embedded in software make static analysis difficult, and it cannot detect new malware.
Obfuscation hides information so that others cannot find its true meaning. Binary obfuscation techniques transform malware binaries into self-compressed and uniquely structured binary files, which are designed to resist reverse engineering and thus make static analysis very expensive and unreliable. Moreover, when binary executables (obtained by compiling source code) are used for static analysis, information such as the size of data structures or variables is lost, thereby complicating the analysis of the malware code.
Below is an example of clean code vs. obfuscated code. Clean code can be identified in static analysis. Obfuscated code cannot be easily identified unless the code is executed, which converts the ASCII codes back into a string. Obfuscated code can easily bypass static analysis, as it does not match any pattern in the available signature database.
There are three types of static analysis, described below: a) system call based, b) static taint analysis, c) source code analysis.
a. Malware analysis proposed for Symbian OS. This technique uses IDA Pro to disassemble the mobile application and extract system calls. It then uses a Centroid Machine to classify the mobile application as either malicious or benign (anomaly detection).
b. PiOS, a technique proposed for performing static taint analysis on iOS application binaries. PiOS disassembles the mobile application and constructs a control flow graph. The analysis considers paths originating from sensitive sources, such as the address book, current GPS coordinates, keyboard cache, unique device ID, and other phone-related information. Dataflow analysis checks for any transmission of sensitive data, for data leakage detection.
c. Android malware analysis. It uses a Dalvik decompiler to generate Java source code from the application's installation image and then uses SCA, a static code analyzer, to evaluate the recovered source code.
B) Dynamic Analysis (behavioral analysis): Analysis of an infected file during its execution is known as dynamic analysis. It identifies malicious behaviors after deploying and executing the application in a simulated environment such as a virtual machine, emulator, or sandbox. During execution of the file, its system interactions, its behavior and its effect on the machine are monitored. These techniques require some human or automated interaction with the app, as malicious behavior is sometimes triggered only after certain events occur. It considers parameters like network traffic, native code and user interaction. It can be used both in the cloud for market protection or directly on the device. Advantage: can analyze obfuscated and polymorphic malware, and detects known as well as unknown malware. Disadvantage: highly resource consuming, with a high level of false positives (accuracy is low).
TaintDroid provides system-wide dynamic taint tracking for Android. The mobile application is passed to the Dalvik virtual machine, which performs four granularities of taint propagation: variable, method, message, and file level. Taint tracking marks data that originates from sensitive sources, such as location, microphone, camera, and other phone identifiers. This technique modifies the native library loader to ensure that all native libraries are called from the virtual machine, thus preventing untrusted applications from executing native methods directly.
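As an added illustration of the variable- and file-level taint propagation TaintDroid performs (example code written here, not TaintDroid's own; the Tainted class, FileStore, NetworkSink and the constructed app behaviour are assumptions), the Python below follows data from a location and a device-ID source through string concatenation and a file round trip to a network sink, which flags and blocks it:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Tainted:
    """A value plus the set of sensitive sources it was derived from."""
    value: str
    labels: FrozenSet[str] = frozenset()

    def __add__(self, other: object) -> "Tainted":
        # Variable-level propagation: the result of an operation carries
        # the union of its operands' labels, so taint survives string
        # building. A plain str operand contributes no labels.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.labels | other.labels)
        return Tainted(self.value + str(other), self.labels)


def source(label: str, value: str) -> Tainted:
    """Taint source: data read from location, device ID, microphone..."""
    return Tainted(value, frozenset({label}))


class FileStore:
    """File-level propagation: a file accumulates the labels of everything
    written to it, and a read returns data tainted with those labels, so a
    round trip through storage does not launder the data."""

    def __init__(self) -> None:
        self._files: Dict[str, Tainted] = {}

    def write(self, name: str, data: Tainted) -> None:
        old = self._files.get(name, Tainted(""))
        self._files[name] = old + data

    def read(self, name: str) -> Tainted:
        return self._files[name]


class NetworkSink:
    """Taint sink standing in for the socket layer. Instead of letting
    tainted bytes leave the device silently, it records which sources
    reach which host; the policy chosen here is to block the send."""

    def __init__(self) -> None:
        self.findings: List[str] = []

    def send(self, host: str, payload: Tainted) -> bool:
        if payload.labels:
            self.findings.append(f"{host} <- {sorted(payload.labels)}")
            return False
        return True


def run_app(sink: NetworkSink) -> List[str]:
    """Constructed app behaviour (not a real app): one clean request,
    one leak built by concatenation, one leak via a cached file."""
    imei = source("device_id", "490154203237518")    # constructed IMEI
    fix = source("location", "37.35,-121.94")         # constructed GPS fix
    files = FileStore()

    sink.send("ads.example", Tainted("v=2&lang=en"))  # untainted: allowed
    report = Tainted("id=") + imei + "&pos=" + fix     # both labels flow
    sink.send("collect.example", report)

    files.write("cache.txt", fix)                      # cached on disk...
    sink.send("sync.example", files.read("cache.txt")) # ...still tainted
    return sink.findings


if __name__ == "__main__":
    for line in run_app(NetworkSink()):
        print("leak blocked:", line)
```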
4. Malware Detection Techniques:
These techniques are used to detect malware and prevent the device from being infected, protecting it from potential information loss and system compromise. A few detection techniques are listed below:
a) Signature-based malware detection: This technique maintains a database of signatures and detects malware by comparing patterns against the database. Commercial antivirus scanners look for signatures, typically a sequence of bytes within the malware code, to declare that the scanned program is malicious. Most antivirus tools are based on signature-based detection techniques. These signatures are created by examining the disassembled code of a malware binary: the disassembled code is analyzed, features are extracted, and these features are used to construct the signature of a particular malware family. A library of known code signatures is updated and refreshed constantly by the antivirus software vendor, so this technique can detect known instances of malware accurately. The main advantages of this technique are that it detects known instances of malware accurately, requires few resources, and focuses on the signature of the attack. The major drawback is that it cannot detect new, unknown instances of malware, as no signature is available for them. Every kind of malware has some specific characteristics in its code which can be used for its detection. It is like using photographs of criminals at an airport in order to match them against people and detect someone suspicious.
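As an added example (not the paper's or any vendor's code) serving both the clean-vs-obfuscated code contrast in section 3 and the signature matching described here, the following Python scanner matches byte signatures against two constructed code fragments: the clean one is caught, the ASCII-code form slips past the naive scan, and a scan that first decodes integer-list literals catches it again. The signature names, the fragments and the fromCodes/invoke helpers inside them are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed signature database (illustrative names and byte patterns, not
# real antivirus signatures): name -> byte sequence searched for in a file.
SIGNATURES: Dict[str, bytes] = {
    "premium-sms-api": b"sendTextMessage",
    "premium-number": b"+1900",
}


def naive_scan(data: bytes) -> List[str]:
    """Plain signature matching: report each signature whose bytes occur
    literally in the scanned data (what the paper calls signature-based
    detection). Returns the matching signature names, sorted."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


# A list literal of small integers, e.g. [115, 101, 110], as produced by
# the ASCII-code obfuscation the paper's figure contrasts with clean code.
INT_LIST = re.compile(rb"\[\s*\d{1,3}(?:\s*,\s*\d{1,3})*\s*\]")


def decode_int_lists(data: bytes) -> List[bytes]:
    """Recover the string each integer list would become at run time
    (printable ASCII only, so genuine numeric arrays are ignored)."""
    decoded: List[bytes] = []
    for match in INT_LIST.finditer(data):
        values = [int(v) for v in re.findall(rb"\d+", match.group(0))]
        if all(32 <= v < 127 for v in values):
            decoded.append(bytes(values))
    return decoded


def normalising_scan(data: bytes) -> List[str]:
    """Signature matching over the file plus the decoded integer lists:
    a cheap, partial answer to the bypass. Real obfuscators use other
    encodings too, which is why the paper pairs static with dynamic
    analysis."""
    expanded = data + b"\n" + b"\n".join(decode_int_lists(data))
    return naive_scan(expanded)


def as_int_list(text: str) -> bytes:
    """Rewrite a string literal as the list of its ASCII codes (the
    obfuscated form in the paper's example)."""
    return b"[" + b", ".join(str(ord(c)).encode() for c in text) + b"]"


# Constructed fragments standing in for decompiled app code.
CLEAN_SAMPLE = b"""
mgr = SmsManager.getDefault()
mgr.sendTextMessage("+1900555", null, "SUB", null, null)
"""
OBFUSCATED_SAMPLE = (
    b"api = fromCodes(" + as_int_list("sendTextMessage") + b")\n"
    + b"num = fromCodes(" + as_int_list("+1900555") + b")\n"
    + b"invoke(mgr, api, num, null, \"SUB\", null, null)\n"
)

if __name__ == "__main__":
    print("clean, naive scan       :", naive_scan(CLEAN_SAMPLE))
    print("obfuscated, naive scan  :", naive_scan(OBFUSCATED_SAMPLE))
    print("obfuscated, normalising :", normalising_scan(OBFUSCATED_SAMPLE))
```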
b) Anomaly-based detection: This is also called profile-based intrusion detection or statistical detection. It assumes that malicious code will cause behaviors different from the ones normally observed in a system. In fact, anomaly detection is based on a definition of normality and classifies as malicious any activity that deviates from it. It observes the “normal” activities of the user and then creates behavior profiles that represent the threshold dividing normal from abnormal behaviors. Classifying what is normal is a difficult task and involves technical factors as well as some knowledge from expert users. It needs machine learning techniques to detect unknown malware. The machine learning mechanism is described below. It helps in detecting malware that keeps generating new mutants, since they will always use the system resources and services in a similar manner.
1. Data Collection: This component collects dynamic / static information.
2. Interpretation: This component converts the raw information collected by the data collection module into intermediate representations.
3. Matching Algorithm: It is used to compare the representation with the behavior signature.
Advantage: it can detect known as well as new instances of malware, including obfuscated malware. Disadvantage: it needs to update the data describing the system behavior and the statistics in the normal profile. It needs more resources (CPU time, memory and disk space), and the level of false positives is high.
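The three components above (data collection, interpretation, matching) as an added Python example that is not from the paper or any cited tool: the system-call traces are constructed, and the bigram representation, Euclidean distance and 1.5x margin are choices made here, not a published method.

```python
from collections import Counter
from math import sqrt
from typing import Dict, List, Tuple

Vector = Dict[Tuple[str, str], float]

# 1. Data collection. Constructed system-call traces (not from a real
# device): three runs of a benign app, and one run of a suspect app that
# hammers the network and the telephony driver.
BENIGN_RUNS: List[List[str]] = [
    ["openat", "read", "read", "close", "socket", "connect", "write", "read", "close"],
    ["openat", "read", "close", "socket", "connect", "write", "read", "close", "ioctl"],
    ["openat", "read", "read", "read", "close", "ioctl", "socket", "connect", "write"],
]
SUSPECT_RUN: List[str] = [
    "socket", "connect", "write", "write", "write", "write", "write",
    "ioctl", "ioctl", "ioctl", "ioctl", "ioctl", "ioctl", "sendto",
]


def interpret(trace: List[str]) -> Vector:
    """2. Interpretation: raw trace -> relative frequency of each adjacent
    call pair (bigram). Pairs, not single calls, keep some ordering."""
    pairs = list(zip(trace, trace[1:]))
    if not pairs:
        return {}
    counts = Counter(pairs)
    return {pair: n / len(pairs) for pair, n in counts.items()}


def build_profile(runs: List[List[str]]) -> Vector:
    """Normal profile: mean bigram frequency over the benign runs."""
    vectors = [interpret(run) for run in runs]
    keys = set().union(*vectors)
    return {k: sum(v.get(k, 0.0) for v in vectors) / len(vectors) for k in keys}


def distance(profile: Vector, vec: Vector) -> float:
    """Euclidean distance between sparse frequency vectors; a bigram never
    seen in the profile contributes its full frequency."""
    keys = set(profile) | set(vec)
    return sqrt(sum((profile.get(k, 0.0) - vec.get(k, 0.0)) ** 2 for k in keys))


def threshold(profile: Vector, runs: List[List[str]], margin: float = 1.5) -> float:
    """3. Matching threshold: the benign runs' own spread around the
    profile, widened by a margin. A smaller margin means more false
    positives, the weakness the paper notes for anomaly detection."""
    return margin * max(distance(profile, interpret(run)) for run in runs)


def classify(trace: List[str], profile: Vector, limit: float) -> Tuple[str, float]:
    """3. Matching: compare the trace's representation with the profile."""
    d = distance(profile, interpret(trace))
    return ("anomalous" if d > limit else "normal"), d


if __name__ == "__main__":
    profile = build_profile(BENIGN_RUNS)
    limit = threshold(profile, BENIGN_RUNS)
    print(f"threshold = {limit:.3f}")
    for name, run in [("benign run 1", BENIGN_RUNS[0]), ("suspect run", SUSPECT_RUN)]:
        verdict, d = classify(run, profile, limit)
        print(f"{name}: distance {d:.3f} -> {verdict}")
```

The profile must be rebuilt whenever normal behaviour changes, which is the update cost listed under Disadvantage above.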
Analysis and detection challenge: If a system uses any one analysis or detection technique, it will miss a greater number of malicious samples. So to improve detection, the system needs to combine different analysis and detection techniques. Researchers therefore propose a solution called hybrid analysis.
Hybrid Analysis is a technique that overcomes the limitations of static and dynamic analysis techniques. It first analyses the signature specification of the malware code and then combines it with other behavioral parameters to enhance the complete malware analysis.
The Android Application Sandbox (AASandbox) system is another technique which offers two-step analysis for an Android application. A mobile application is passed to AASandbox, which performs static and dynamic analysis in offline mode. Static analysis disassembles the application image binary and uses the disassembled code to search for suspicious patterns. Dynamic analysis executes the binary in an Android emulator and logs the system calls.
Cloud-based malware detection (replicas in the cloud) uses hybrid analysis: mobile devices have fewer resources, and having a full-fledged detection system on a mobile device would be a resource overhead. To overcome this, a cloud-based approach is an efficient scheme. In this scheme a light-weight client application monitors the system calls on the device and sends them to a server in the cloud to detect malicious behavior. Thus, offloading the heavy computation to the cloud enables efficient detection.
Paranoid Android is a cloud-based Android malware detection technique. It has a small component on the user's phone that records all interactions of the application with various components and transmits that information to a cloud server. The server in the cloud reruns the application with the same behaviors. The server deploys several security checks, such as dynamic malware analysis, memory scanners, system call anomaly detection, and commercial antivirus scanning, using the cloud's ample resources. Paranoid Android uses a proxy to temporarily store inbound network traffic information so that the phone can save energy by not sending this data back to the server. Instead, the server can directly contact the proxy to get the network traffic information needed to successfully replay the execution.
The advantages of having a cloud-based detection system are: an efficient detection system through dedicated specialized servers, less usage of device resources, and less software complexity on the device. On the other hand, a centralized solution like cloud-based detection needs to be always connected to the cloud to enable live detection. Also, privacy could be a concern, as user data is being processed on a central server.
5. Mobile Malware and Defenses
As phones have evolved to become full-fledged computing devices, they have also become attractive targets for malware such as viruses, worms and Trojans. Malware typically exploits vulnerabilities on interfaces unique to the smartphone, such as Bluetooth, or vulnerabilities in applications running on the phone. Tools to detect mobile malware have adapted well-known techniques used on desktops, such as signature- and behavior-based detection algorithms, to operate in a resource-constrained environment. These algorithms use less memory, run faster, and consume less battery power than their desktop counterparts. Other approaches to detecting mobile malware monitor and analyze untrusted software for anomalous behaviors that deplete energy. Mobile phones are likely targets of cross-service attacks. For example, an attack may be perpetrated and downloaded through the Internet onto a smartphone via its data plan, and may then access its telephony subsystem. Such threats are possible because of the relaxed security mechanisms currently employed by mobile phones. For example, an arbitrary user-space process on the phone can issue AT commands to the GSM device. Such cross-service attacks can be prevented by labeling user-space files and resources and enhancing access control mechanisms on smartphone operating systems.
A multi-layer integrated security solution for mobile smart devices is proposed below:
End-user: It is always essential for end-users to be aware of the security measures of their mobile device. End-users should be aware of at least the following measures:
1. Install antivirus and antimalware solutions to protect the device against malware and viruses. Also ensure that automatic updates are turned on. It has been shown that installing anti-virus and anti-malware is very effective in protecting mobile devices from malicious applications. Install a personal firewall to protect mobile device interfaces from direct attack and illegal access. The effectiveness of mobile firewalls to increase a mobile device's security.
2. Install only applications from trusted sources that have legitimate contact information and a website. As the current Android Market (Google Play) does not adopt a certification process for applications, it is up to the end user to make sure he/she only installs trusted applications from trusted developers. Install only applications from the official and original developer (for example, if you are installing the Instagram application, make sure you download it from Instagram Inc.).
3. Ensure your OS and software are always up to date with the latest versions, and apply security patches regularly.
4. Install remote locate, track, lock, wipe, backup and restore software to retrieve, protect or restore a lost or stolen mobile device and the personal data on the device.
5. Only install applications that have a high number of downloads and positive reviews.
6. Never view sensitive data over public wireless networks which have no passwords or encryption.
Mobile Network Operators (MNO):
MNOs have a responsibility to create a more secure environment for their customers. MNOs need to install anti-virus and anti-malware software to scan SMS and MMS messages entering and leaving the mobile network, as much malware uses SMS/MMS to propagate and contact the bot-master. MNOs should also build a global partnership with related agencies, such as other MNOs, to prevent mobile malware propagation by exchanging information, knowledge, databases and expertise.
Apps Developers: Developers also need to take care of the security measures implemented in their application. They should ensure that private data is not sent via an unencrypted channel; the data must be sent over HTTPS or TLS.
Developers should minimize the use of built-in permissions in their applications; for example, do not ask for the full Internet access permission unless it is essential for your application to work properly. Android has about 100 built-in permissions that control operations such as dialing the phone (CALL_PHONE), sending short messages (SEND_SMS), etc.
In Android, there are three main “security protection levels” for permission labels: a “normal” permission is granted to any application that requests it; a “dangerous” permission is only granted after user approval at install time; and a “signature” permission is only granted to applications signed by the same developer key as the application defining the permission label.
This “signature” protection level is integral in ensuring that third-party applications do not gain access that affects the integrity of Android's trusted computing base (TCB). It is also useful to minimize repackaging attacks. It has been shown that the repackaging technique is highly effective, mainly because it is often difficult for end-users to tell the difference between a legitimate application and its malicious repackaged form. In fact, repackaging was the most prevalent type of social engineering attack used by Android malware developers.
Defense techniques:
People have long favored functionality over security and are unwilling to pay the price and inconvenience incurred by security schemes. Functionality demands extensibility, and extensibility invites malicious extensions. Given the current trend, unless legislation can effectively mandate limited extensibility for smart-phones, we do not see much hope of reducing the power and functions of a smart-phone. Nevertheless, there are some strategies that we would like to point out for hardening smart-phones, which we discuss as follows:
Attack surface reduction: One simple defense is to reduce the attack surface as much as possible. Although a smart-phone is always on, most of its features need not be active. For example, when users make an outgoing phone call or compose an SMS message, the PC part of the smartphone can be turned off (unless instructed otherwise, say, when a user is downloading a movie).
OS hardening: Smart-phone OSes can enforce some security features, such as always displaying the callee's number and lighting up the LCD display when dialing. This can be achieved by only exporting security-enhanced APIs to applications. With hardened OSes, unless attackers can subvert the smart-phone OS without being noticed, attacking actions from malicious user-level code can be more easily detected by the smart-phone user.
Hardware hardening: We believe one advantage we can leverage for smartphone hardening is that a smart-phone already has an embedded smart-card, the SIM card. The SIM card has evolved to incorporate the use of the SIM Toolkit (STK), an API for securely loading applications onto the SIM. STK allows the mobile operator to create or provision services by loading them into the SIM card without changing anything in the GSM handset. One interesting approach therefore is to combine the STK card and TCG's Trusted Platform Module (TPM) for smart-phone hardware hardening. This way, no additional security chips will be needed.
Internet-side protection: The malware defense mechanisms that have been deployed or proposed for the Internet can be readily applied to smartphones. For example, a more rigorous process in software patching or vulnerability-driven network traffic shielding will certainly strengthen the defense of smart-phones against known vulnerabilities, though not unknown ones. It would be desirable for smart-phone Internet Service Providers to ensure that devices that access them are properly patched or shielded; unpatched or unshielded ones should not be exposed to the wild Internet. Currently, the majority of smartphones access the Internet through telecom data networks such as GPRS or CDMA 1X. In this scenario, base stations can first check whether smart-phones have been properly patched or shielded, and they will be forced to patch or shield if not. Alternatively, base stations could even perform shielding on behalf of the smart-phones. This kind of strategy, however, faces challenges when smart-phones use 802.11 access points for Internet connectivity: many 802.11 access points have already been deployed, and it would be very difficult, if possible at all, to upgrade all the access points to enforce patching or shielding. Further, such quarantining makes seamless handoff between access networks very challenging. This is an open research question.
Cooperation between the Internet and telecom networks: Effective coordination between the Internet and telecom networks would be desirable. In this section, we discuss the opportunities and difficulties in coordinating the Internet and telecom networks for defending against smartphone attacks. Known vulnerability and attack information can be exchanged between the Internet and telecom networks. If specific attack target information, such as which call center will be attacked, becomes known from the Internet side, it can help the call center prepare for the attack and put its rate limiting and call filtering mechanisms in place. With the black list of smart-phone zombies from a telecom carrier, Internet access points (APs) could potentially reject those zombies from getting on the Internet. This means that SIM ID-based authentication needs to be in place for the APs. If GPRS is used for Internet access, this authentication is trivial. However, for 802.11-like APs, this is very challenging in that these APs are not just for smart-phones but general-purpose for all wireless Internet endpoints; state-of-the-art APs cannot recognize which devices are smartphones and which are not, since a smart-phone can always claim not to be one. We identify the following approaches to addressing this issue:
1. Since it is hard to differentiate between smart-phones and other endpoints, we could assign unique IDs to all Internet wireless endpoints, and then create the mapping between SIM IDs and Internet wireless IDs. This solution faces significant backward compatibility issues with the existing devices and 802.11 infrastructures.
2. We could design smart-phone OSes to submit SIM IDs to APs for authentication when accessing the Internet, as part of the OS hardening. This solution raises the bar for attackers significantly. To make the OS tamper-proof, we could further harden the smart-phone hardware for OS authentication.
6. Conclusion
Smart devices are increasingly being equipped with sophisticated hardware and software systems, which make them the highest sellers in the market. This increasing popularity makes them a perfect target for malware attackers. Therefore there is a constant growth in the security risks facing smart devices. In our study, we explored the security models of the current smart device platforms and found that, among the various platforms, Android is the favorite for malware attacks. To protect a device, one first needs to analyze and detect the malware before taking further action. We have highlighted various analysis and detection techniques such as static analysis, dynamic (behavioral) analysis and cloud-based systems, to name a few. The detection systems analyzed cover both signature- and anomaly-based systems. Using any one technique alone will not assure an increased detection rate. To counter the trade-off between analysis speed and detecting obfuscated malware, researchers have adapted a technique incorporating a combination of static and dynamic features for detecting and classifying malware. We have also mentioned potential security solutions for smart devices which identify the type of malware and in some situations prevent the malware from running its code on the device.
7. Future work
Natural hand gestures associated with three primary smartphone services (calling, snapping and tapping) can be detected, and the detection can withstand attacks, using the motion, position and ambient sensors available on most smartphones together with machine learning classifiers. If a human user attempts to access a service, the gesture will be present and access will be allowed. In contrast, if a malware program makes an access request, the gesture will be missing and access will be blocked. For example, suppose a malicious program tries to send an SMS: the operating system will not service its request because the tap gesture required for sending an SMS is missing, so the OS can distinguish between malicious and legitimate requests.
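The gesture-gated service described above, as an added example that is not from the report: a simple threshold tap detector stands in for the machine learning classifier the text mentions, and an SMS send request is serviced only when a tap preceded it within a short window. The accelerometer samples, thresholds and window are constructed assumptions.

```python
"""Gesture-gated access to the SMS service. Added example; the
accelerometer trace and all thresholds are constructed assumptions.
A threshold detector replaces the ML classifier the text proposes.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

# (timestamp_ms, ax, ay, az) in m/s^2; constructed samples every 20 ms.
Sample = Tuple[int, float, float, float]

GRAVITY = 9.81
TAP_THRESHOLD = 4.0        # |magnitude - g| above this counts as an impulse
TAP_MAX_DURATION_MS = 80   # a tap is a short impulse, not sustained motion
GESTURE_WINDOW_MS = 500    # the request must follow the tap within this


def tap_times(samples: List[Sample]) -> List[int]:
    """Return start timestamps of detected taps.

    A tap is a run of samples whose deviation from gravity exceeds
    TAP_THRESHOLD and that ends within TAP_MAX_DURATION_MS; longer runs
    (shaking, walking) are rejected so they cannot stand in for a tap.
    """
    taps: List[int] = []
    start = None
    for t, ax, ay, az in samples:
        deviation = abs(math.sqrt(ax * ax + ay * ay + az * az) - GRAVITY)
        if deviation > TAP_THRESHOLD:
            if start is None:
                start = t
        elif start is not None:
            if t - start <= TAP_MAX_DURATION_MS:
                taps.append(start)
            start = None
    return taps


@dataclass
class GestureGatedSms:
    """Services a send request only if a human tap preceded it."""
    samples: List[Sample]

    def request_send(self, request_ms: int, body: str) -> Tuple[bool, str]:
        recent = [t for t in tap_times(self.samples)
                  if 0 <= request_ms - t <= GESTURE_WINDOW_MS]
        if not recent:
            # The malware case from the text: a request with no gesture.
            return False, "blocked: no tap gesture preceded the request"
        return True, f"sent {len(body)} chars after tap at {recent[-1]} ms"


def constructed_trace() -> List[Sample]:
    """Two seconds of a phone at rest, one tap, then a burst of shaking."""
    trace = [(t, 0.0, 0.0, GRAVITY) for t in range(0, 2000, 20)]
    # A tap at 1000 ms: a single 40 ms impulse.
    trace[50] = (1000, 0.0, 0.0, GRAVITY + 6.0)
    trace[51] = (1020, 0.0, 0.0, GRAVITY + 5.0)
    # Sustained shaking from 1500 ms to 1680 ms: must not count as a tap.
    for i in range(75, 85):
        trace[i] = (trace[i][0], 0.0, 0.0, GRAVITY + 6.0)
    return trace


if __name__ == "__main__":
    gate = GestureGatedSms(constructed_trace())
    print("taps:", tap_times(gate.samples))
    for when in (900, 1200, 1700, 1900):
        print(when, "ms ->", gate.request_send(when, "hello"))
```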
May 28, 2015 Page 13
References:
[1] Suarez-Tangil, Guillermo, et al. "Evolution, detection and analysis of malware for smart devices."
Communications Surveys & Tutorials, IEEE 16.2 (2014): 961-987.
[2] Ramu, Srikanth. "Mobile malware evolution, detection and defense." EECE 571B, TERM SURVEY
PAPER (2012).
[3] Moser, Andreas, Christopher Kruegel, and Engin Kirda. "Limits of static analysis for malware
detection." Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual. IEEE,
2007.
[4] Mahinthan Chandramohan and Hee Beng Kuan Tan. “Detection of Mobile Malware in the Wild” InfoQ.
Nov 05, 2012.
[5] Guo, Chuanxiong, Helen J. Wang, and Wenwu Zhu. "Smart-phone attacks and defenses." HotNets III.
2004.

More Related Content

What's hot

F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...
F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...
F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...IJCSIS Research Publications
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)AP DealFlow
 
Report on Rogue Security Software
Report on Rogue Security SoftwareReport on Rogue Security Software
Report on Rogue Security SoftwareSymantec Italia
 
Malware Improvements in Android OS
Malware Improvements in Android OSMalware Improvements in Android OS
Malware Improvements in Android OSPranav Saini
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET Journal
 
How to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-paymentsHow to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-paymentsBMI Healthcare
 
Malware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault AnalysisMalware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault AnalysisIRJET Journal
 
Article on Mobile Security
Article on Mobile SecurityArticle on Mobile Security
Article on Mobile SecurityTharaka Mahadewa
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesIRJET Journal
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON
 
Taxonomy mobile malware threats and detection techniques
Taxonomy  mobile malware threats and detection techniquesTaxonomy  mobile malware threats and detection techniques
Taxonomy mobile malware threats and detection techniquescsandit
 
How can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data lossesHow can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data lossesAbhishek BV
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0mobileironmarketing
 
State ofmobilesecurity
State ofmobilesecurityState ofmobilesecurity
State ofmobilesecurityGary Sandoval
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 

What's hot (20)

F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...
F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...
F-LOCKER: An Android Face Recognition Applocker Using Local Binary Pattern Hi...
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)
 
Report on Rogue Security Software
Report on Rogue Security SoftwareReport on Rogue Security Software
Report on Rogue Security Software
 
Malware Improvements in Android OS
Malware Improvements in Android OSMalware Improvements in Android OS
Malware Improvements in Android OS
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...
 
How to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-paymentsHow to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-payments
 
I018145157
I018145157I018145157
I018145157
 
Malware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault AnalysisMalware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault Analysis
 
IJET-V3I1P9
IJET-V3I1P9IJET-V3I1P9
IJET-V3I1P9
 
Article on Mobile Security
Article on Mobile SecurityArticle on Mobile Security
Article on Mobile Security
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and Defenses
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
 
Taxonomy mobile malware threats and detection techniques
Taxonomy  mobile malware threats and detection techniquesTaxonomy  mobile malware threats and detection techniques
Taxonomy mobile malware threats and detection techniques
 
How can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data lossesHow can we predict vulnerabilities to prevent them from causing data losses
How can we predict vulnerabilities to prevent them from causing data losses
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0
 
State ofmobilesecurity
State ofmobilesecurityState ofmobilesecurity
State ofmobilesecurity
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 

Similar to OS-Project-Report-Team-8

Whitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppWhitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppEric Zhuo
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devicesIOSR Journals
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityCygnet Infotech
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniquesijdpsjournal
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...IOSR Journals
 
Running head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docxRunning head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docxtodd581
 
Running head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docxRunning head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docxglendar3
 
How to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdfHow to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdfvenkatprasadvadla1
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015Francisco Anes
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSubho Halder
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksAmina WADDIZ
 

Similar to OS-Project-Report-Team-8 (20)

HinDroid
HinDroidHinDroid
HinDroid
 
Whitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppWhitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6pp
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniques
 
A017360104
A017360104A017360104
A017360104
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
 
Running head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docxRunning head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docx
 
Running head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docxRunning head mobile application security1mobile application se.docx
Running head mobile application security1mobile application se.docx
 
How to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdfHow to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdf
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Android security
Android securityAndroid security
Android security
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
 
Top 6-Security-Threats-on-iOS
Top 6-Security-Threats-on-iOSTop 6-Security-Threats-on-iOS
Top 6-Security-Threats-on-iOS
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacks
 
Android security
Android securityAndroid security
Android security
 

OS-Project-Report-Team-8

  • 1. Malware: Detection and Prevention for Smart devices Santa Clara University COEN-283: Operating System Team-8 Priyanka Rao Shweta Deshpande Shriram Suryanarayanan prao@scu.edu srdeshpande@scu.edu ssuryanarayanan@scu.edu “Cyber war is the battlefield of now.” - Geoff Livingston
  • 2. May 28, 2015 Page 1 Content: Project Detail 1. Introduction 2 2. Security Models in current Smart Devices 3 3. Malware Analysis a. Static Analysis b. Dynamic Analysis 5 4. Malware Detection Techniques a. Signature Based b. Heuristic based 7 5. Security Measures and Defense Techniques 9 6. Conclusion 12 7. Future work 12 8. References 13
  • 3. May 28, 2015 Page 2 1. Introduction The new generation of cyber attacks is far more disparate from scattershot attacks designed for mischief. Now the motivation behind it is gradually transmuted, and its authors use malware to gain financial benefits with voluminous scale by stealing individuals and organizations data. Cyber criminals successfully use advanced malware, zero-day exploits and other targeted advanced persistent threats (APTs) every day to compromise and breach organizations and individuals. Smartphones and tablets have long been established as popular personal electronics devices. According to IDC’s Q2 2014 report, the sales of such devices have, for the first time ever, passed the mark of 300,000,000 devices sold per quarter. This is an important milestone in the market that has been growing for several years. According to the same IDC report, the distribution of operating systems for mobile devices is shown below: source: kasperskylab As the diagram shows, nearly 85% of the mobile device market was occupied by Android in Q2 2014. Android operating system is free for device manufacturers and can be easily modified to match various business needs, which has helped it achieve popularity among smartphone and tablet developers as well as consumers across the world. This also means that Android-based devices inevitably attract the attention of cybercriminals who are creating and distributing malicious programs. It is estimated that 98.05% of all existing mobile malware targets the users of Android devices. Some of the active malware types: Trojans are malicious programs that perform actions that have not been authorized by the user. These actions can include: Deleting data, Blocking data, Modifying data, Copying data, Disrupting the performance of computers or computer networks. Trojan-SMS These programs can cost you money by sending text messages from your mobile device to premium rate phone numbers. 
Adware is form of malware(malicious software), that presents unwanted advertisements to the user of a computer. The advertisements produced by adware are sometimes in the form of a popup. Trojan-Downloader can download and install new versions of malicious programs onto your computer including Trojans and adware. Trojan-Banker programs are designed to steal your account data for online banking systems, e-payment systems, and credit or debit cards.
  • 4. May 28, 2015 Page 3 Exploit are programs that contain data or code that takes advantage of vulnerability within application software that’s running on your computer. Backdoor trojan gives malicious users remote control over the infected computer. They enable the author to do anything they wish on the infected computer – including sending, receiving, launching, and deleting files, displaying data, and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers to form a botnet or zombie network that can be used for criminal purposes. Top 10 Malware Types 2. Security Models in Current Smart Devices In this section we provide an overview of the security models and protection measures incorporated in current smart devices, especially smart phones. There are two major mobile platforms iOS and Android OS , these are built upon traditional desktop Operating Systems (OS) and inherit some security features from them. We next provide an overview of some of the security features present in the five platforms that currently dominate the market. Symbian: Symbian OS security model is based on a basic permission system. Phone resources are controlled by the OS using a set of permissions called “capabilities”. Furthermore, applications run in user space, while the OS run in kernel space. Those applications requiring access to protected resources must be signed by Symbian or the device manufacturer, while all others can be self-signed. There is very little information about protection at the market level. Blackberry: BlackBerry security model is based on a coarse-grained permission protection model. Applications have very limited access to the device resources and, as in the case of BlackBerry OS, they must be signed by the manufacturer (RIM) to be able to access resources such as, for example, the user’s personal information. Additionally, applications must get user authorization to access resources such as the network. 
However, once the user grants access to an application to use the network, the application can both send SMSs and connect to Internet. Although applications are not executed in a sandbox, some basic process and memory protection is offered. For instance, a process cannot kill other processes nor access memory outside the app bounds. Android: Google’s Android OS security model relies on platform protection mechanism rather than on market protection, as users are free to download applications from any market. Applications declare the permissions they request at installation time through the so-called manifest. If the user accepts them,
  • 5. May 28, 2015 Page 4 the operating system will be in charge of enforcing them at running time Security policies are here defined for each individual resource, instead of specifying permissions for each app. Furthermore, such definition can be done at a fine-grained level, allowing users to, for example, grant an app access to a part of the address book only. A major consequence is that security policies are therefore defined by the user, not by the developer. However, this approach can easily overwhelm users as they are held responsible of specifying security and privacy policies. Additionally, Android OS uses sandboxing technique and Address Space Layout Randomization (ASLR) to protect applications from malicious interference of others apps. Although Android OS isolates each running process, apps can still communicate with each other using ICC, a rich functionality that, however, introduces risks such as those discussed before. Furthermore, all Android OS applications must be signed with a certificate to identify the developer. However, the certificate can be self-signed, in which case no certificate authority verifies the identity of the developer. iOS: Apple’s iOS security model [Apple, 2012] relies on market protection mechanisms rather than enforcing complex permission policies on the device at installation time. Apple’s App Store is a walled- garden market with a rigorous review process. Those processes are essential for preventing malware from entering the device, as runtime security mechanisms are limited to sandboxing and user supervision. iOS isolates each third-party application in a sandbox. However, most of the device’s resources are accessible and misuse of a few of them—such as GPS, SMS, and phone calls—can only be detected by the user after installation Apple uses also static and dynamic analyses. Applications distributed on Apple’s App Store must be signed by a valid certificate issued by Apple. 
Developer certificates are issued to individuals and/or companies after obtaining a verified Apple credential. iOS dynamically verifies that the application is signed, and therefore it is trusted, before executing it. Nevertheless, iOS can be tampered with (jail broken) to install applications from alternative markets. This practice violates Apple policies, causes the device to lose its warranty, and allows the distribution of piggyback malware repackaged together with the original app. Latest versions of iOS provide a number of features to protect user data based on master encryption keys and protected by a passcode. The entire file system is encrypted using block-based encryption and can only be decrypted when the phone is unlocked. Additionally, iOS supports ASLR and Data Execution Prevention (DEP) to prevent the execution of arbitrary code at runtime. Windows Mobile: Microsoft’s market protection model for Windows Mobile systems is based on application review. Developers are also validated prior to application’s approval. Platform protection in Windows Mobile is similar to Android OS. It uses a trusted boot component and code signing to protect the integrity of the operating system. It also provides signed drivers and applications through the Windows Phone Store online market. Latest versions of Microsoft’s smartphone OS (Windows Phone 7 and 8) incorporate isolation among different sandboxes [Microsoft, 2012], and each app is executed in its own sandbox, named “chamber”. Chambers are defined and implemented using system policies, which restrict the access to other chambers. While chambers are defined and implemented using a number of system policies, each security policy defines what permissions are given to an app, known as capabilities. In this regard, users are informed of the capabilities of an application prior to install. 
Malware characterization: We classify malware for smart devices in terms of their features: Attack goals and behavior: Identifying malware’s motivation on smart devices is paramount to have a better understanding of its behavior and can be used to develop targeted detection strategies. Such
  • 6. May 28, 2015 Page 5 goals range from fraud and service misuse driven by economic incentives, to spamming, espionage, data theft and sabotage. Distribution and Infection: Malware creators can use a variety of techniques to distribute malicious applications and infect devices, from self-propagation mechanisms based on vulnerabilities and misconfigurations, to simply tricking the user into installing it by means of social-engineering techniques. Privilege acquisition: Once the malicious code is installed on the device, it often needs to acquire enough privileges to carry out its goals. This is automatic in many cases, as the user might already have granted them to the app, whereas in other cases technical vulnerabilities and/or misconfigurations are exploited Malware analysis and Detection Smart devices are often compromised with malware; therefore its security is a major concern. To protect the device from activities of the malware, first we need to understand how to analyze and detect them. 3. Malware Analysis: It is a process of studying code, behavior and functionality of malware so that severity of attack can be measured. It can be done in two ways: A. Static Analysis B. Dynamic Analysis. A) Static Analysis (code analysis): is responsible for analyzing a software properties or a piece of code in order to find malicious code patterns or signatures. In static analysis, detection is done through the source code, binary or the API level without the execution of the code or file. In this technique reverse engineering is performed by decompressing, disassembling and searching for patterns in the APK files in order to understand structure of malware. Advantage: The method is fast and not very resource consuming. Low level of false positive (accuracy is high). Disadvantage: obfuscation and encryption techniques embedded in software makes static analysis difficult. It cannot detect new the malware. 
Obfuscation: is to hide the information such that others cannot find the true meaning. Binary obfuscation techniques transform the malware binaries into self compressed and uniquely structured binary files, which are designed to resist reverse engineering and thus make the static analysis very expensive and unreliable. Moreover, when utilizing binary executables (obtained by compiling source code) for static analysis, the information like size of data structures or variables gets lost thereby complicating the malware code analysis. Below is an example of Clean code vs. Obfuscated code. Clean code can be identified in static analysis. Obfuscated code cannot be easily identified unless the code is executed which will convert the ASCII into string. Obfuscated code can easily bypass in static analysis, as it do not able to match the pattern with the available data from the database.
  • 7. May 28, 2015 Page 6 There are three types of Static analysis which are explained in the below Figures a) System call based b) Static taint analysis c) Source code analysis a. Malware analysis proposed for Symbian OS. This technique uses IDA Pro to disassemble the mobile application and extract system calls. It then use Centroid Machine, to classify the mobile application as either malicious or benign (anomaly detection). b. PiOS, a technique proposed for performing static taint analysis on iOS application binaries. PiOS disassembles the mobile application and constructs a control flow graph. The analysis considers paths originating from sensitive sources, such as the address book, current GPS coordinates, keyboard cache, unique device ID, and other phone-related information. Dataflow analysis checks for any sensitive data transmission for data leakage detection. c. Android malware analysis. It uses a Dalvik decompiler, to generate Java source code from the application’s installation image and then uses SCA, a static code analyzer, to evaluate the recovered source code. B) Dynamic Analysis (behavioral analysis): Analysis of infected file during its execution is known as dynamic analysis. It identifies malicious behaviors after deploying and executing the application on a simulated environment like a virtual machine, emulator, and sandbox. During execution of file its system interaction, its behavior & effect on the machine are monitored. These techniques require some human or automated interaction with the app, as malicious behavior is sometimes triggered only after certain events occur. It considers parameters like network traffic, native code and user interaction. It can be used both in the cloud for market protection or directly in the device. Advantage: Can analyze the obfuscated and polymorphic malware. Detect known as well as unknown malware. Disadvantage: Highly resource consuming. High level of false positive (accuracy is low).
TaintDroid provides system-wide dynamic taint tracking for Android. The mobile application is passed to the Dalvik Virtual Machine, which performs taint propagation at four granularities: variable, method, message, and file level. Taint tracking marks any data that originates from sensitive sources, such as location, microphone, camera, and other phone identifiers. This technique modifies the native library loader to ensure that all native libraries are called from the virtual machine, thus preventing untrusted applications from executing native methods directly.

4. Malware Detection Techniques:
These techniques are used to detect malware and prevent the device from being infected, protecting it from potential information loss and system compromise. A few detection techniques are listed below:

a) Signature-based malware detection: This technique maintains a database of signatures and detects malware by comparing patterns against the database. Commercial antivirus scanners look for signatures, typically a sequence of bytes within the malware code, to declare that the scanned program is malicious in nature. Most antivirus tools are based on signature-based detection techniques. These signatures are created by examining the disassembled code of the malware binary: the disassembled code is analyzed, features are extracted, and these features are used to construct the signature of a particular malware family. A library of known code signatures is updated and refreshed constantly by the antivirus software vendor, so this technique can detect known instances of malware accurately. The main advantages of this technique are that it detects known instances of malware accurately, requires few resources to detect the malware, and focuses mainly on the signature of the attack. The major drawback is that it cannot detect new, unknown instances of malware, as no signature is available for such malware. Every kind of malware has some specific characteristics in its code which can be used for its detection. It is like using photographs of criminals at an airport to match them against people and detect someone suspicious.

b) Anomaly-based detection: This is also called profile-based intrusion detection or statistical detection. It assumes that malicious code will cause behaviors different from the ones normally observed in a system. In fact, anomaly detection is based on a definition of normality and classifies as malicious any activity that deviates from it. It observes the “normal” activities of the user and then creates behavior profiles that represent the threshold dividing normal from abnormal behaviors. Classifying what is normal is a difficult task and involves technical factors as well as some knowledge from expert users. It needs machine learning techniques to detect unknown malware. It helps in detecting malware that keeps generating new mutants, since they will always use the system resources and services in a similar manner. The machine learning mechanism has the following components:
1. Data Collection: This component collects dynamic / static information.
2. Interpretation: This component converts the raw information collected by the data collection module into intermediate representations.
3. Matching Algorithm: It is used to compare the representation with the behavior signature.
Advantage: It can detect known as well as new instances of malware, including obfuscated malware.
Disadvantage: It needs to update the data describing the system behavior and the statistics in the normal profile. It needs more resources such as CPU time, memory and disk space, and the level of false positives is high.

Analysis and Detection Challenge: If a system uses only one analysis or detection technique, it will miss a greater number of malicious samples. To improve detection, the system needs to combine different analysis and detection techniques. Researchers therefore propose a solution called Hybrid Analysis.

Hybrid Analysis is a technique that overcomes the limitations of static and dynamic analysis techniques. It first analyses the signature specification of the malware code and then combines it with the other behavioral parameters to enhance the complete malware analysis. The Android Application Sandbox (AASandbox) system is another technique which offers a two-step analysis for an Android application. A mobile application is passed to AASandbox, which performs static and dynamic analysis in offline mode. Static analysis disassembles the application image binary and uses the disassembled code to search for suspicious patterns. Dynamic analysis executes the binary in an Android emulator and logs the system calls.

Cloud Based Malware Detection (Replicas in the Cloud) uses hybrid analysis: Mobile devices have fewer resources, and having a full-fledged detection system on a mobile device would be a resource overhead. To overcome this, a cloud based approach is an efficient scheme.
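The signature-based and anomaly-based techniques above, combined in the way the hybrid analysis just described suggests, as an added Python example (not code from the report, AASandbox or any cited project): the byte signature, the benign system-call traces that form the normal profile and the three samples are all constructed for the demonstration, and the anomaly side is built from the three components listed above (data collection, interpretation, matching).

```python
"""Hybrid detection: signature match on the static bytes plus anomaly scoring of
a system-call trace. Added example; not the page's or any cited project's code.
Signature, benign traces and samples are all constructed for the demonstration."""
from collections import Counter
import re

# a) Signature-based: byte patterns of known families (constructed); '.' wildcards
#    let one entry cover trivial variants, but not a rewritten string.
SIGNATURES = {
    "Constructed.SmsSender.A": re.compile(rb"SEND_SMS.{1,8}premium", re.DOTALL),
}

def signature_scan(binary):
    """Names of every signature found in the binary (empty list if unknown)."""
    return [name for name, pat in SIGNATURES.items() if pat.search(binary)]

# b) Anomaly-based: the three components from the text.
def collect(trace_log):
    """1. Data collection: one syscall per line, name first ('read fd=3 n=64')."""
    return [line.split()[0] for line in trace_log.splitlines() if line.strip()]

def interpret(calls, n=2):
    """2. Interpretation: raw call list -> normalised syscall n-gram frequencies."""
    grams = Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))
    total = sum(grams.values()) or 1
    return {g: c / total for g, c in grams.items()}

def build_profile(normal_logs):
    """Average the vectors of known-benign runs into the 'normal' profile."""
    vectors = [interpret(collect(log)) for log in normal_logs]
    keys = set().union(*vectors)
    return {k: sum(v.get(k, 0.0) for v in vectors) / len(vectors) for k in keys}

def match(vector, profile):
    """3. Matching: L1 distance from the profile; n-grams never seen count fully."""
    keys = set(vector) | set(profile)
    return sum(abs(vector.get(k, 0.0) - profile.get(k, 0.0)) for k in keys)

def hybrid_verdict(binary, trace_log, profile, threshold=0.5):
    """Malicious if the static signature OR the behavioural deviation fires."""
    sigs = signature_scan(binary)
    score = match(interpret(collect(trace_log)), profile)
    return {"signature": sigs, "anomaly_score": round(score, 3),
            "malicious": bool(sigs) or score > threshold}

# Constructed data: two benign runs of a messaging app train the profile.
NORMAL_LOGS = ["open\nread\nwrite\nclose\nopen\nread\nwrite\nclose",
               "open\nread\nread\nwrite\nclose"]
SAMPLES = {
    # known family that behaves normally while observed: only the signature fires
    "known": (b"\x7fELF..SEND_SMS to premium..", NORMAL_LOGS[0]),
    # rewritten strings defeat the signature; the sendto burst does not
    "variant": (b"\x7fELF..S3ND_SM5 to pr3mium..",
                "open\nread\nsendto\nsendto\nsendto\nconnect\nsendto\nsendto"),
    "benign": (b"\x7fELF..hello world..", NORMAL_LOGS[0]),
}

def demo():
    """Verdict per sample; each single technique alone would miss one of them."""
    profile = build_profile(NORMAL_LOGS)
    return {name: hybrid_verdict(b, t, profile) for name, (b, t) in SAMPLES.items()}
```

In the constructed run the "known" sample is caught only by the signature and the rewritten "variant" only by the behavioural score, which is exactly why the two are combined.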
In this scheme a light-weight client application monitors the system calls on the device and sends them to a server in the cloud to detect malicious behavior. Thus, offloading the heavy computation to the cloud enables efficient detection. Paranoid Android is a cloud based Android malware detection technique. It has a small component on the user’s phone which records all interactions of the application with various components and transmits that information to the cloud server. The server in the cloud reruns the application with the same behaviors. The server deploys several security checks, such as dynamic malware analysis, memory scanners, system call anomaly detection, and commercial antivirus scanning, from the cloud’s ample resources. Paranoid uses a proxy to temporarily store inbound network traffic information so that the phone can save energy by not sending this data back to the server. Instead, the server can directly contact the proxy to get the network traffic information needed to successfully replay the execution. The advantages of a cloud based detection system are: an efficient detection system through dedicated specialized servers, less usage of device resources, and less software complexity on the device. On the other hand, a centralized solution such as cloud based detection needs to be always connected to the cloud to enable live detection. Also, privacy could be a concern, as the user’s data is being processed on a central server.

5. Mobile Malware and Defenses
As phones have evolved to become full-fledged computing devices, they have also become attractive targets for malware such as viruses, worms and Trojans. Malware typically exploits vulnerabilities in interfaces unique to the smartphone, such as Bluetooth, or vulnerabilities in applications running on the phone. Tools to detect mobile malware have adapted well-known techniques used on desktops, such as signature and behavior based detection algorithms, to operate in a resource-constrained environment. These algorithms use less memory, run faster, and consume less battery power than their desktop counterparts. Other approaches to detecting mobile malware monitor and analyze untrusted software for anomalous behaviors that deplete energy. Mobile phones are likely targets of cross-service attacks. For example, an attack may be perpetrated and downloaded through the Internet onto a smartphone via its data plan, and may then access its telephony subsystem. Such threats are possible because of the relaxed security mechanisms currently employed by mobile phones. For example, an arbitrary user-space process on the phone can issue AT commands to the GSM device. Such cross-service attacks can be prevented by labeling user space files and resources and enhancing the access control mechanisms of smartphone operating systems.

A multi-layer integrated security solution for mobile smart devices is proposed below:

End-user: It is always essential for end-users to be aware of the security measures of their mobile device. End-users should be aware of at least the following measures:
1. Install antivirus and antimalware solutions to protect the device against malware and viruses, and make sure to turn on automatic updates. It has been shown that installing anti-virus and anti-malware is very effective in protecting mobile devices from malicious applications. Install a personal firewall to protect mobile device interfaces from direct attack and illegal access; mobile firewalls likewise increase a mobile device’s security.
2. Install only applications from trusted sources that have legitimate contact information and a website. As the current Android Market (Google Play) does not adopt a certification process for applications, it is up to the end user to make sure he/she only installs trusted applications from trusted developers. Install only applications from the official and original developer (for example, if you are installing the Instagram application, make sure you download it from Instagram Inc.).
3. Ensure your OS and software are always up-to-date with the latest versions and apply security patches regularly.
4. Install remote locate, track, lock, wipe, backup and restore software to retrieve, protect or restore a lost or stolen mobile device and the personal data on the device.
5. Only install applications that have a high number of downloads and positive reviews.
6. Never view sensitive data over public wireless networks which have no passwords or encryption.

Mobile Network Operators (MNO): MNOs have a responsibility to create a more secure environment for their customers. MNOs need to install anti-virus and anti-malware software to scan SMS and MMS traffic entering and leaving the mobile network, as much malware uses SMS/MMS to propagate and to contact the bot-master. MNOs should also build global partnerships with related agencies, such as other MNOs, to prevent mobile malware propagation by exchanging information, knowledge, databases and expertise.

Apps Developers: Developers also need to take care of the security measures implemented in their application. They should ensure that private data is not sent over an unencrypted channel; the data must be sent through HTTPS or TLS. Developers should minimize the use of built-in permissions in their applications; for example, do not ask for full Internet access permission unless it is essential for the application to work properly. Android has about 100 built-in permissions that control operations such as dialing the phone (CALL_PHONE), sending short messages (SEND_SMS), etc. In Android, there are three main “security protection levels” for permission labels: a “normal” permission is granted to any application that requests it; a “dangerous” permission is only granted after user approval at install time; and a “signature” permission is only granted to applications signed by the same developer key as the application defining the permission label. This “signature” protection level is integral in ensuring that third-party applications do not gain access that affects the integrity of Android’s trusted computing base (TCB). It is also useful to minimize repackaging attacks. It has been shown that the repackaging technique is highly effective, mainly because it is often difficult for end-users to tell the difference between a legitimate application and its malicious repackaged form. In fact, repackaging was the most prevalent type of social engineering attack used by Android malware developers.

Defense techniques: People have long favored functionality over security and are unwilling to pay the price and inconvenience incurred by security schemes. Functionality demands extensibility, and extensibility invites malicious extensions. Given the current trend, unless legislature can effectively mandate limited extensibility for smartphones, we do not see the hope of reducing the power and functions of a smartphone. Nevertheless, there are some strategies that we would like to point out for hardening smartphones, which we discuss as follows:

Attack surface reduction: One simple defense is to reduce the attack surface as much as possible. Although a smartphone is always on, most of its features need not be active. For example, when users make an outgoing phone call or compose an SMS message, the PC part of the smartphone can be turned off (unless instructed otherwise, say, when a user is downloading a movie).

OS hardening: Smartphone OSes can enforce some security features, such as always displaying the callee’s number and lighting up the LCD display when dialing. This can be achieved by only exporting security enhanced APIs to applications. With hardened OSes, unless attackers can subvert the smartphone OS without being noticed, attacking actions from malicious user-level code can be more easily detected by the smartphone user.

Hardware hardening: We believe one advantage we can leverage for smartphone hardening is that a smartphone already has an embedded smart card, the SIM card. The SIM card has evolved to incorporate the SIM Toolkit (STK), an API for securely loading applications onto the SIM. STK allows the mobile operator to create or provision services by loading them into the SIM card without changing anything in the GSM handset. One interesting approach therefore is to combine the STK card and TCG’s Trusted Platform Module (TPM) for smartphone hardware hardening. This way, no additional security chips will be needed.

Internet Side Protection: The malware defense mechanisms that have been deployed or proposed for the Internet can be readily applied to smartphones. For example, a more rigorous process in software patching or vulnerability-driven network traffic shielding will certainly strengthen the defense of smartphones against known vulnerabilities, though not unknown ones. It would be desirable for smartphone Internet Service Providers to ensure that devices that access them are properly patched or shielded; unpatched or unshielded ones should not be exposed to the wild Internet. Currently, the majority of smartphones access the Internet through telecom data networks such as GPRS or CDMA 1X. In this scenario, base stations can first check whether smartphones have been properly patched or shielded, and they will be forced to patch or shield if not. Alternatively, base stations could even perform shielding on behalf of the smartphones. This kind of strategy, however, faces challenges when smartphones use 802.11 access points for Internet connectivity: many 802.11 access points have already been deployed, and it would be very difficult, if possible at all, to upgrade all the access points to enforce patching or shielding. Further, such quarantining makes seamless handoff between access networks very challenging. This is an open research question.

Cooperation between the Internet and Telecom Networks: Effective coordination between the Internet and telecom networks would be desirable. In this section, we discuss the opportunities and difficulties in coordinating the Internet and telecom networks for defending against smartphone attacks. Known vulnerability and attack information can be exchanged between the Internet and telecom networks. If specific attack target information, such as which call center will be attacked, becomes known from the Internet side, it can help the call center prepare for the attack and put its rate limiting and call filtering mechanisms in place. With the blacklist of smartphone zombies from a telecom carrier, Internet access points (APs) could potentially reject those zombies from getting on the Internet. This means that SIM ID-based authentication needs to be in place for the APs. If GPRS is used for Internet access, this authentication is trivial. However, for 802.11-like APs this is very challenging, in that these APs are not just for smartphones but are general-purpose for all wireless Internet endpoints; state-of-the-art APs cannot recognize which devices are smartphones and which are not, since a smartphone can always claim not to be one. We identify the following approaches to addressing this issue:
1. Since it is hard to differentiate between smartphones and other endpoints, we could assign unique IDs to all Internet wireless endpoints, and then create the mapping between SIM IDs and Internet wireless IDs. This solution faces significant backward compatibility issues with existing devices and 802.11 infrastructure.
2. We could design smartphone OSes to submit SIM IDs to APs for authentication when accessing the Internet, as part of OS hardening. This solution raises the bar for attackers significantly. To make the OS tamper-proof, we could further harden the smartphone hardware for OS authentication.

6. Conclusion
Smart devices are increasingly being equipped with sophisticated hardware and software systems, which make them the highest sellers in the market. This increasing popularity makes them a perfect target for malware attackers. Therefore there is constant growth in the presence of security risks among smart devices. In our study, we explored the security model of the current smart device platforms and found that among the various platforms, Android is the favorite one for malware attacks. To protect the device, you first need to analyze and detect the malware before taking further action. We have highlighted various analysis and detection techniques such as static analysis, dynamic (behavioral) analysis and cloud based systems, to name a few. The detection systems analyzed cover both signature and anomaly based systems. Using any one technique alone will not increase the detection rate. To counter the trade-off between analysis speed and detecting obfuscated malware, researchers have adopted a technique incorporating a combination of static and dynamic features for detecting and classifying malware. We have also mentioned potential security solutions for smart devices which identify the type of malware and in some situations prevent the malware from running its own code on the device.

7. Future work
Natural hand gestures associated with three primary smartphone services (calling, snapping and tapping) can be detected, and have the ability to withstand attacks, using the motion, position and ambient sensors available on most smartphones together with machine learning classifiers. If a human user attempts to access a service, the gesture will be present and access will be allowed. In contrast, if a malware program makes an access request, the gesture will be missing and access will be blocked. Example: Suppose a malicious program tries to send an SMS; the operating system will not service its request because the tap gesture required for sending an SMS is missing, so the OS can distinguish between malicious and legitimate requests.