1 / 25

MalWare on mobile devices

CS239 – Fall 2010. MalWare on mobile devices. Stefano Emiliozzi , Simardeep Uppal. Introduction. Mobile devices, such as smart phone or PDA have became more and more widespread, and often essential in our everyday life.

duy
Download Presentation

MalWare on mobile devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS239 – Fall 2010 MalWare on mobile devices Stefano Emiliozzi, SimardeepUppal

  2. Introduction • Mobile devices, such as smart phone or PDA have became more and more widespread, and often essential in our everyday life. • Usually they contain lots of sensitive information, like a list of contacts, ingoing/outgoing call, text messages, and on latest model a calendar of our schedule, emails, our current position (if the phone has embedded GPS). • A phone today is as powerful as a desktop PC of 5 years ago. • Latest models feature a complete OS, but for many people they are just phones, so there is a under-estimation of the risk connected to phone security. • This makes phones an interesting target for malicious users. • Damages that a user can sustain are financial loss, privacy and confidentiality, slowdown of processing speed, battery life.

  3. Some numbers…

  4. Malware Growth • On mobile devices there are a multitude of infection channels: • SMS, MMS • Infrared • Bluetooth • Email • Web • Malware for mobile is growing constantly:

  5. Do we have to worry? • Why we are not hearing about malware outbreaks, then? • OS Market Share of PC vs Mobile Phones (September 2010) • This doesn’t mean we don’t have to worry!

  6. Possible smart-phone attacks • Identity theft and spoofing • Smartphone System Compromise • DoS to base stations • DDoS to call centers and switches • Remote wiretapping • SMS spamming

  7. DoSto base stations • Radio spectrum sharing schemes include TDMA, FDMA, or logical “channels” • Cover all Base Station timeslots by ‘spoofed’ requests • Few smartphone zombies can block 1 frequency band Smart-phone zombies

  8. DDoS to call centers and switches • Why a problem only on smartphone? • Usage of APIs for calling phones through code • Spoofing the SIM easy: Smartphone Zombie

  9. Defenses • Internet side protection • Base station performs shielding for users? • Possible Challenges? • Telecom side protection • Behavior is highly predictable • Abnormal behavior detection : Easy data mining • Reaction building blocks already exist • Reactions (Rate limiting, Call filtering, Blacklist) • Smart-phone side protection • Analyze Malware and Prevent it from Executing

  10. Smart-phone hardening • Feature reduction • E.g., turn off Bluetooth when not active • OS hardening • E.g., always display callee number when making a phone call • Lighting up LCD display when dialing • Hardware hardening • SIM card to authenticate OS and applications

  11. Analysing Malware • If we want to get protection which option do we have? • Signature Based Detection • Useful mostly for post-infection cleanup • Mobile devices have limited resources such as CPU, memory, and battery power • Mobile OSes have important differences in the way file permissions and modifications to the OS are handled. Need to consider different OS differently. Is this feasable? Is a better solution possible • Are there other options available around? • Behavioral Analysis • Even if powerful a phone is still used primarily as a phone. • Emails or text messages are sent after manual user interaction. • Wi-fi or Bluetooth connection are opened manually by users. • We can be pretty suspicious if any of these activities are done in background. • This kind of analysis doesn’t cover web navigation, though.

  12. Mobile and Ubiquitous Malware • Main idea is to apply an anomaly detection model. • Instead of looking for malicious software, physically scanning mobile phone memory and comparing it to a signature database, we evaluate phone behavior, trying to identify anomalies. • Important concept of such model is the presence or absence of user interaction. • It is possible to infer user activity monitoring the frequencies of keystrokes on a keyboard or touches on a touch screen. • It is possible to have a threshold that tell us if a user is active or not: • GET UserInactivityTime • IF UserInactivityTime – 10s • RETURN User is inactive • ELSE • RETURN User is active

  13. Mobile and Ubiquitous Malware

  14. Ontology-based Malware Behavioral Analysis • We can apply very well known concepts in data mining and data analysis to build a model that will help us to understand the threat, and (possibly) to contrast it better. • Main idea here is to build an ontology, which can be seen as a hierarchy of concepts with attributes an relations, within a specific domain. • Analyzing behavior of 35 kinds of malware made it possible to categorize them, extracting features and finally build an ontology.

  15. Ontology-based Malware Behavioral Analysis

  16. Ontology-based Malware Behavioral Analysis

  17. Behavioral Detection • Run-time behavior of an application is monitored and compared against malicious and/or normal behavior profiles • Possible to detect exploits in linked libraries • More generic to handle the than API signatures • More resilient to polymorphic worms and code obfuscation • Database of behavior profiles is much smaller than that needed for storing signature-based profiles • Suitable for resource limited handsets • Has potential for detecting new malware

  18. Behavioral Detection Overview

  19. Detecting Malicious Behavior • Behavior Signature: Manifestation of a specification of resource accesses and events generated by applications • It is not sufficient to monitor a single event of a process in isolation in order to classify an activity to be malicious • Temporal Pattern: The precedence order of the events and resource accesses, is the key to detect malicious intent • Eg Consider a simple file transfer by calling the Bluetooth OBEX system call in Symbian OS • (received file is of type .SIS) and (that file is executed later) and (installer process seeks to overwrite files in the system directory) • On their own, any such call will appear harmless

  20. Representation of Malicious Behavior • Complex Behavior: specified using temporal logic instead of classical propositional logic • Specification language of TLCK(Temporal Logic of Causal Knowledge) is used to represent malicious behaviors within the context of a handset environment • A finite set of propositional variables interposed using TLCK • Each variable (when true) confirms the execution of either • A single or an aggregation of system calls • An event such as read/write access to a given file descriptor, directory structure or memory location

  21. Operators used to define Malicious Behavior Logical Operators: Temporal Operators:

  22. Atomic Propositional Variables

  23. Major Components of Monitoring System

  24. Essence of Behavior Classification Training Dataset Applications (Malwre + Legitimate) Set of Behavior Signatures Obtain Partial/ Full Signatures Remove Redundant Signatures Testing Dataset

  25. Essence of Behavior Detection • Due to fewer signatures, the malware database is compact and can be place on a handset • Can potentially detect new malware and their variants • Behavioral detection results in high detection rates

More Related