
Rootkits on Smart Phones: Attacks, Implications and Opportunities

Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode

Department of Computer Science, Rutgers University


Rise of the Smart Phone

HotMobile 2/23/2010

• 1993: Simon (calendar, address book, e-mail; touch screen; on-screen "predictive" keyboard)
• 2000: Ericsson R380 (Symbian OS)
• 2002: Treo 180, BlackBerry 5810 (Blackberry, Windows Pocket PC, Treo)
• 2007: iPhone
• 2008: iPhone 3G/3GS, Android, App Stores


Smart Phone Users


Smart Phone Interfaces

A rich set of interfaces is now available

• GSM
• GPS
• Bluetooth
• Accelerometer
• Microphone
• Camera


Smart Phone Apps

Contacts

Email

Location

Banking

Over 140,000 apps today


Smart Phone Operating Systems

OS                  Lines of Code
Linux 2.6 Kernel    10 million
Android             20 million
Symbian             20 million

Complexity comparable to desktops


The Rise of Mobile Malware

• 2004: Cabir (spreads via Bluetooth; drains battery). On-screen dialog: Receive message via Bluetooth? Yes / No
• 2006: RedBrowser (first J2ME malware; sends texts to premium numbers)
• 2009: Kaspersky Labs report: 106 types of mobile malware, 514 modifications


The Rise of Mobile Malware

“My iPhone is not jailbroken and it is running iPhone OS 3.0”


Contributions

• Introduce rootkits into the space of mobile malware

• Demonstrate with three proof-of-concept rootkits

• Explore the design space for detection


Rootkits

[Figure labels, first slide: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; Virus; AntiVirus]

[Figure labels, second slide: the same layout with AntiVirus, Rootkit and Virus]


Proof of Concept Rootkits


Note: We did not exploit vulnerabilities

• 1. Conversation Snooping Attack

• 2. Location Attack

• 3. Battery Depletion Attack

Openmoko Freerunner


1. Conversation Snooping Attack

• Attacker: Send SMS to rootkit-infected phone: Dial me “666-6666”
• Rootkit-infected phone: Call Attacker, Turn on Mic
• Delete SMS
• Rootkit stops if user tries to dial
• Second slide: Calendar Notification; rootkit-infected phone: Call Attacker, Turn on Mic

2. Location Attack

• Attacker: Send SMS to rootkit-infected phone: Send Location “666-6666”
• Rootkit-infected phone: Query GPS
• SMS Response: N40°28', W074°26
• Delete SMS

3. Battery Depletion Attack

• Rootkit turns on high powered devices
• Rootkit shows original device status

[Chart: Battery Life For Different Smartphones. x-axis: Phone Make and Model (Verizon Touch, ATT Tilt, Neo FreeRunner); y-axis: Hours of Battery Life (idle), 0 to 70; series: Normal Idle Operation, All Peripherals Active (Attack); data labels as extracted: 52, 51, 44, “4 52”]


Rootkit Detection

[Figure labels: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; Rootkit Detector; Rootkit]

DOES NOT WORK!


Memory Introspection

Training Phase
[Figure labels: Monitor Machine (Monitor); Target Machine (Kernel, Sys Call Table); Fetch and Copy]

Detection Phase
[Figure labels: Monitor Machine (Monitor); Target Machine (Kernel); Fetch; Compare; System OK]

Detection Phase
[Figure labels: Monitor Machine (Monitor); Target Machine (Kernel, Rootkit, mal_write()); Fetch; Compare; Rootkit Detected]


Monitoring Approaches

1. Hardware Approach

[Figure labels: Monitor Machine; Target Machine (Rootkit Infected); NIC with remote DMA support]

Smart Phone Challenge

[Figure labels: Monitor Machine; Rootkit Infected]

Problem:
• Need interface allowing memory access without OS intervention (FireWire?)


Monitoring Approaches

2. VMM-based Approach

[Figure labels: Host Machine; Hypervisor; Dom0 OS; Detector]

Smart Phone Challenge

Problem: CPU-intensive detection algorithms exhaust phone battery

Solution: Offload detection work to the service provider

[Figure labels: Send Pages; Response; CPU intensive work]

Optimizations for Energy-Efficiency

[Figure labels: Page Table; Monitor; Fetch]

Problem: Too many memory pages may have to be transferred

[Figure labels: Page Table (bits 0, 0, 0, 0, 0, 0, 1, 1); Monitor; Fetch]

Solution: Only fetch and scan pages that have been recently modified
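The training and detection phases from the Memory Introspection slides, combined with this fetch-only-modified-pages optimization, as an added example that is not code from the talk. It assumes the monitored pages hold data that should never change (such as the system call table); the struct and function names, the page size and the FNV-1a digest are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 64  /* constructed: tiny pages keep the sample small */
#define NPAGES    4

/* Constructed stand-in for target kernel memory plus page-table dirty bits. */
struct target { uint8_t mem[NPAGES][PAGE_SIZE]; uint8_t dirty[NPAGES]; };

/* Monitor state: one digest per page from training, plus a transfer counter. */
struct monitor { uint32_t baseline[NPAGES]; unsigned fetched; };

/* FNV-1a: a compact change detector for the demo, not a secure hash. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Models a store on the target: the MMU sets the page's dirty bit. */
void target_write(struct target *t, int page, int off, uint8_t v) {
    t->mem[page][off] = v;
    t->dirty[page] = 1;
}

/* Training phase: fetch every page of the known-good target and record it. */
void monitor_train(struct monitor *m, struct target *t) {
    for (int i = 0; i < NPAGES; i++) {
        m->baseline[i] = digest(t->mem[i], PAGE_SIZE);
        t->dirty[i] = 0;
    }
    m->fetched = 0;
}

/* Detection phase: fetch only dirty pages and compare with the baseline.
 * Returns the number of pages whose contents no longer match. */
int monitor_detect(struct monitor *m, struct target *t) {
    int mismatched = 0;
    for (int i = 0; i < NPAGES; i++) {
        if (!t->dirty[i]) continue;       /* untouched since last scan: no transfer */
        m->fetched++;
        if (digest(t->mem[i], PAGE_SIZE) != m->baseline[i])
            mismatched++;                 /* stays dirty, so it is re-reported */
        else
            t->dirty[i] = 0;              /* rewritten with identical contents */
    }
    return mismatched;
}
```

The `fetched` counter stands for the pages that would be sent to the monitor, which is the cost the slide's optimization reduces.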


Related Work (1/2)

Rootkit Detection
• Enforcement of Kernel Data Structure Invariants [Baliga, et al., ACSAC 2008]
• Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]

Mobile Security and Detection
• Semantically Rich Application-Centric Security in Android [Ongtang, et al., ACSAC 2009]
• Detecting Energy-Greedy Anomalies [Kim, et al., MobiSys 2008]

Related Work (2/2)

Mobile Malware
• Cellular Botnets: Impact on Network Core [Traynor, et al., CCS 2009]
• Exploiting MMS Vulnerabilities to Exhaust Battery [Racic, et al., SecureComm 2006]
• Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005]

Conclusion and Future Work

Conclusions:
• Rootkits are now a threat to smart phones

Future Work:
• Energy efficient rootkit detection techniques
• Develop a rootkit detector for smart phone


Thank You!
