malware on mobile devices

CS239 – Fall 2010. Malware on Mobile Devices. Stefano Emiliozzi, Simardeep Uppal


Page 1: Malware on mobile devices

CS239 – Fall 2010

MALWARE ON MOBILE DEVICES

Stefano Emiliozzi, Simardeep Uppal

Page 2: Malware on mobile devices

Introduction

◦ Mobile devices, such as smartphones or PDAs, have become more and more widespread, and are often essential in our everyday life.

◦ They usually contain lots of sensitive information: a list of contacts, incoming/outgoing calls, text messages, and on the latest models a calendar of our schedule, emails, and our current position (if the phone has an embedded GPS).

◦ A phone today is as powerful as a desktop PC of 5 years ago.

◦ The latest models feature a complete OS, but for many people they are just phones, so the risk connected to phone security is underestimated.

◦ This makes phones an interesting target for malicious users.

◦ Damage a user can sustain: financial loss, loss of privacy and confidentiality, slowdown of processing speed, reduced battery life.

Page 3: Malware on mobile devices

Some numbers…

Page 4: Malware on mobile devices

Malware Growth

◦ On mobile devices there is a multitude of infection channels:

• SMS, MMS
• Infrared
• Bluetooth
• Email
• Web

◦ Malware for mobile is growing constantly:

Page 5: Malware on mobile devices

Do we have to worry?

◦ Why are we not hearing about malware outbreaks, then?

◦ OS market share of PCs vs mobile phones (September 2010)

◦ This doesn’t mean we don’t have to worry!

Page 6: Malware on mobile devices

Possible smartphone attacks

◦ Identity theft and spoofing
◦ Smartphone system compromise
◦ DoS to base stations
◦ DDoS to call centers and switches
◦ Remote wiretapping
◦ SMS spamming

Page 7: Malware on mobile devices

DoS to base stations

◦ Smartphone zombies

◦ Radio spectrum sharing schemes include TDMA, FDMA, or logical “channels”

◦ Cover all base station timeslots with ‘spoofed’ requests

◦ A few smartphone zombies can block one frequency band

Page 8: Malware on mobile devices

DDoS to call centers and switches

◦ Why is this a problem only on smartphones? Calls can be placed through code using the phone-calling APIs, and spoofing the SIM is easy.

Diagram: smartphone zombie

Page 9: Malware on mobile devices

Defenses

◦ Internet side protection

• Base station performs shielding for users? Possible challenges?

◦ Telecom side protection

• Behavior is highly predictable
• Abnormal behavior detection: easy data mining
• Reaction building blocks already exist
• Reactions: rate limiting, call filtering, blacklist

◦ Smartphone side protection

• Analyze malware and prevent it from executing
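The telecom-side reaction chain on this slide (abnormal behavior detection, then rate limiting, then blacklisting) as an added Python example; it is not code from the slides or from any operator. The window length, per-window call limit, blacklist threshold and the call records are all constructed for the example, and `CallRateMonitor` is this example's own name.

```python
from collections import defaultdict, deque

# Constructed policy values; a real operator tunes these from observed traffic.
WINDOW_S = 60             # sliding-window length in seconds
MAX_CALLS_PER_WINDOW = 5  # more attempts than this from one handset is abnormal
BLACKLIST_AFTER = 3       # rate-limit violations before the subscriber is blacklisted


class CallRateMonitor:
    """Telecom-side reaction chain: observe call attempts per subscriber,
    rate-limit abnormal bursts, and blacklist repeat offenders."""

    def __init__(self, window=WINDOW_S, max_calls=MAX_CALLS_PER_WINDOW,
                 blacklist_after=BLACKLIST_AFTER):
        self.window = window
        self.max_calls = max_calls
        self.blacklist_after = blacklist_after
        self.attempts = defaultdict(deque)   # subscriber -> timestamps inside the window
        self.violations = defaultdict(int)   # subscriber -> rate-limit violations so far
        self.blacklist = set()

    def admit(self, subscriber, t):
        """Decide on a call attempt at time t: 'ALLOW', 'RATE_LIMIT' or 'BLACKLISTED'."""
        if subscriber in self.blacklist:
            return "BLACKLISTED"
        q = self.attempts[subscriber]
        while q and t - q[0] > self.window:   # drop attempts that left the window
            q.popleft()
        q.append(t)
        if len(q) <= self.max_calls:          # normal, predictable usage
            return "ALLOW"
        self.violations[subscriber] += 1      # abnormal burst detected
        if self.violations[subscriber] >= self.blacklist_after:
            self.blacklist.add(subscriber)
            return "BLACKLISTED"
        return "RATE_LIMIT"


def evaluate(records, monitor=None):
    """Run (subscriber, timestamp) records through a monitor in time order;
    return the decision for each record."""
    monitor = monitor or CallRateMonitor()
    return [monitor.admit(sub, t) for sub, t in sorted(records, key=lambda r: r[1])]


# Constructed call records: one normal subscriber, one handset dialling every 2 s.
NORMAL_CALLS = [("sub-A", t) for t in (5, 400, 1300)]
BURST_CALLS = [("sub-B", t) for t in range(0, 20, 2)]   # 10 attempts in 18 s

if __name__ == "__main__":
    for label, calls in (("normal", NORMAL_CALLS), ("burst", BURST_CALLS)):
        print(label, evaluate(calls))
```

The first five attempts inside the window pass, the next two are rate limited, and from the third violation on the subscriber is blacklisted; a subscriber who calls a few times an hour is never touched.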

Page 10: Malware on mobile devices

Smartphone hardening

Feature reduction

◦ E.g., turn off Bluetooth when not active

OS hardening

◦ E.g., always display the callee number when making a phone call

◦ Light up the LCD display when dialing

Hardware hardening

◦ SIM card to authenticate OS and applications

Page 11: Malware on mobile devices

Analysing Malware

◦ If we want protection, which options do we have?

o Signature-based detection

• Useful mostly for post-infection cleanup
• Mobile devices have limited resources such as CPU, memory, and battery power
• Mobile OSes have important differences in the way file permissions and modifications to the OS are handled; each OS needs to be considered differently. Is this feasible? Is a better solution possible?
• Are there other options available?

o Behavioral analysis

• Even if powerful, a phone is still used primarily as a phone.
• Emails or text messages are sent after manual user interaction.
• Wi-Fi or Bluetooth connections are opened manually by users.
• We can be pretty suspicious if any of these activities are done in the background.

o This kind of analysis doesn’t cover web navigation, though.

Page 12: Malware on mobile devices

Mobile and Ubiquitous Malware

◦ The main idea is to apply an anomaly detection model.

◦ Instead of looking for malicious software by physically scanning the phone memory and comparing it to a signature database, we evaluate phone behavior, trying to identify anomalies.

◦ An important concept of such a model is the presence or absence of user interaction.

◦ It is possible to infer user activity by monitoring the frequency of keystrokes on a keyboard or touches on a touch screen.

◦ It is possible to have a threshold that tells us if a user is active or not:

GET UserInactivityTime
IF UserInactivityTime > 10s
    RETURN User is inactive
ELSE
    RETURN User is active
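The user-inactivity threshold on this slide, combined with the behavioral-analysis heuristic from slide 11 (mail, SMS, Wi-Fi and Bluetooth activity normally follows manual interaction), as an added Python example; it is not code from the slides. The 10 s threshold is the slide's; the input log, the action log and the action kind names (`sms_send`, `bluetooth_open`, and so on) are constructed for the example.

```python
from dataclasses import dataclass

INACTIVITY_THRESHOLD_S = 10.0   # the 10 s threshold from the slide


@dataclass(frozen=True)
class UserInput:
    """A keystroke or touch-screen event (constructed sample data)."""
    t: float


@dataclass(frozen=True)
class PhoneAction:
    """Something the phone did; kind names are this example's own vocabulary."""
    t: float
    kind: str


# Actions that, on a phone, normally follow manual user interaction (slide 11).
USER_INITIATED = {"sms_send", "email_send", "bluetooth_open", "wifi_open"}


def user_inactivity_time(inputs, now):
    """Seconds since the most recent keystroke/touch at or before `now`.
    Returns infinity when no input has ever been seen."""
    past = [i.t for i in inputs if i.t <= now]
    return now - max(past) if past else float("inf")


def user_is_active(inputs, now, threshold=INACTIVITY_THRESHOLD_S):
    """The slide's rule: inactive if UserInactivityTime > threshold, active otherwise."""
    return user_inactivity_time(inputs, now) <= threshold


def find_anomalies(inputs, actions, threshold=INACTIVITY_THRESHOLD_S):
    """Return the actions of a user-initiated kind that happened while the user
    was inactive: the 'done in the background' cases the slides treat as suspicious."""
    return [a for a in actions
            if a.kind in USER_INITIATED and not user_is_active(inputs, a.t, threshold)]


# Constructed sample log: the user types at t=0..5 and again at t=60..61.
SAMPLE_INPUTS = [UserInput(t) for t in (0, 2, 4, 5, 60, 61)]
SAMPLE_ACTIONS = [
    PhoneAction(6,   "sms_send"),        # 1 s after a keystroke: user-driven
    PhoneAction(30,  "bluetooth_open"),  # 25 s after the last input: opened in background
    PhoneAction(35,  "sms_recv"),        # incoming; never user-initiated, never flagged
    PhoneAction(62,  "email_send"),      # 1 s after a keystroke: user-driven
    PhoneAction(300, "sms_send"),        # 239 s idle: sent in background
]

if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_INPUTS, SAMPLE_ACTIONS):
        idle = user_inactivity_time(SAMPLE_INPUTS, a.t)
        print(f"t={a.t:>5} {a.kind:<15} user idle for {idle:.0f}s -> ANOMALY")
```

Only the Bluetooth connection at t=30 and the text message at t=300 are reported; the incoming SMS is ignored because receiving is never user-initiated, which is the reason the slide's heuristic says nothing about web navigation or inbound traffic.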

Page 13: Malware on mobile devices

Mobile and Ubiquitous Malware

Page 14: Malware on mobile devices

Ontology-based Malware Behavioral Analysis

◦ We can apply well-known concepts from data mining and data analysis to build a model that helps us understand the threat and (possibly) counter it better.

◦ The main idea here is to build an ontology, which can be seen as a hierarchy of concepts with attributes and relations, within a specific domain.

◦ Analyzing the behavior of 35 kinds of malware made it possible to categorize them, extract features and finally build an ontology.

Page 15: Malware on mobile devices

Ontology-based Malware Behavioral Analysis

Page 16: Malware on mobile devices

Ontology-based Malware Behavioral Analysis

Page 17: Malware on mobile devices

Behavioral Detection

o The run-time behavior of an application is monitored and compared against malicious and/or normal behavior profiles
o Possible to detect exploits in linked libraries
o More generic than API signatures
o More resilient to polymorphic worms and code obfuscation
o The database of behavior profiles is much smaller than that needed for storing signature-based profiles
o Suitable for resource-limited handsets
o Has potential for detecting new malware

Page 18: Malware on mobile devices

Behavioral Detection Overview

Page 19: Malware on mobile devices

Detecting Malicious Behavior

o Behavior signature: manifestation of a specification of resource accesses and events generated by applications

• It is not sufficient to monitor a single event of a process in isolation in order to classify an activity as malicious

o Temporal pattern: the precedence order of the events and resource accesses is the key to detecting malicious intent

• E.g., consider a simple file transfer by calling the Bluetooth OBEX system call in Symbian OS

• (received file is of type .SIS) and (that file is executed later) and (installer process seeks to overwrite files in the system directory)

• On their own, any such call will appear harmless

Page 20: Malware on mobile devices

Representation of Malicious Behavior

o Complex behavior: specified using temporal logic instead of classical propositional logic

o The specification language of TLCK (Temporal Logic of Causal Knowledge) is used to represent malicious behaviors within the context of a handset environment

o A finite set of propositional variables, connected using TLCK operators

o Each variable (when true) confirms the execution of either

• A single system call or an aggregation of system calls

• An event such as read/write access to a given file descriptor, directory structure or memory location
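The three-step Bluetooth/.SIS pattern from slide 19, expressed with the atomic propositional variables of slide 20, as an added Python example; it is not code from the slides or from the cited detection system. The matcher below checks only the happens-before (precedence) order of a signature and is a simplification of TLCK, not an implementation of it. The event vocabulary (`obex_recv`, `exec`, `file_write`), the process ids, the file names and the `c:\system\...` paths are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    t: int                                    # timestamp; traces are sorted by t
    kind: str                                 # constructed vocabulary: obex_recv, exec, file_write
    args: dict = field(default_factory=dict)  # event attributes (name, pid, path, ...)


# Atomic propositional variables (slide 20). Each is evaluated on one event and
# may record a binding in ctx so later variables can refer to the same file/process.
def received_sis(e, ctx):
    """p1: a file of type .SIS arrived over Bluetooth OBEX."""
    name = e.args.get("name", "")
    if e.kind == "obex_recv" and name.lower().endswith(".sis"):
        ctx["sis"] = name
        return True
    return False


def sis_executed(e, ctx):
    """p2: that same file is executed later."""
    if e.kind == "exec" and "sis" in ctx and e.args.get("name") == ctx["sis"]:
        ctx["installer_pid"] = e.args.get("pid")
        return True
    return False


def overwrites_system_dir(e, ctx):
    """p3: the installer process writes into the system directory."""
    path = e.args.get("path", "").replace("\\", "/").lower()
    return (e.kind == "file_write"
            and "installer_pid" in ctx
            and e.args.get("pid") == ctx["installer_pid"]
            and "/system/" in path)


# The behavior signature of slide 19: p1 happens-before p2 happens-before p3.
SIS_INSTALL_SIGNATURE = [received_sis, sis_executed, overwrites_system_dir]


def match_signature(events, signature=SIS_INSTALL_SIGNATURE):
    """Return the timestamps of events satisfying the signature in precedence order,
    or None when no such ordered chain exists. Backtracks over candidate bindings,
    so an earlier unrelated .SIS transfer does not hide a later malicious chain."""
    trace = sorted(events, key=lambda ev: ev.t)

    def search(start, i, ctx):
        if i == len(signature):
            return []
        for j in range(start, len(trace)):
            local = dict(ctx)
            if signature[i](trace[j], local):
                rest = search(j + 1, i + 1, local)
                if rest is not None:
                    return [trace[j].t] + rest
        return None

    return search(0, 0, {})


# Constructed traces. The first contains the slide's chain in order.
MALICIOUS_TRACE = [
    Event(100, "obex_recv",  {"name": "Game.sis"}),
    Event(160, "exec",       {"name": "Game.sis", "pid": 42}),
    Event(161, "file_write", {"pid": 42, "path": "c:\\system\\apps\\Game\\Game.app"}),
]
# Same three kinds of event, but no causal chain: a system process writes to the
# system directory, an image arrives over OBEX, and an installer runs for a file
# that never arrived over Bluetooth.
BENIGN_TRACE = [
    Event(100, "file_write", {"pid": 7,  "path": "c:\\system\\data\\contacts.cdb"}),
    Event(150, "obex_recv",  {"name": "photo.jpg"}),
    Event(200, "exec",       {"name": "Office.sis", "pid": 43}),
]

if __name__ == "__main__":
    print("malicious:", match_signature(MALICIOUS_TRACE))   # chain found
    print("benign:   ", match_signature(BENIGN_TRACE))      # no chain
```

Each event of the malicious trace on its own never matches, which is the slide's point that single calls look harmless; only the ordered chain does. The same ordering check also rejects a trace in which the system-directory write precedes the execution of the received file.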

Page 21: Malware on mobile devices

Operators used to define Malicious Behavior

Logical operators:

Temporal operators:

Page 22: Malware on mobile devices

Atomic Propositional Variables

Page 23: Malware on mobile devices

Major Components of Monitoring System

Page 24: Malware on mobile devices

Essence of Behavior Classification

Diagram: Applications (malware + legitimate) → Set of behavior signatures → Obtain partial/full signatures → Remove redundant signatures → Training dataset and testing dataset

Page 25: Malware on mobile devices

Essence of Behavior Detection

o Due to fewer signatures, the malware database is compact and can be placed on a handset

o Can potentially detect new malware and their variants

o Behavioral detection results in high detection rates