The Past and Future of Mobile Malwares

Emin İslam TATLI, M. Oğuzhan TOPGÜL, Cyber Security and Privacy Research Group

Transcript of The Past and Future of Mobile Malwares

Page 1: The Past and Future of Mobile Malwares

Emin İslam TATLI, M. Oğuzhan TOPGÜL

Cyber Security and Privacy Research Group

Page 2: The Past and Future of Mobile Malwares

This presentation is based on our paper

The Past and Future of Mobile Malwares. M. Oğuzhan Topgül and Emin İ. Tatlı. The 7th International Conference on Information Security and Cryptology (ISCTurkey'14), İstanbul, 17-18 October 2014.

Download the paper: https://www.researchgate.net/publication/265726834_The_Past_and_Future_of_Mobile_Malwares

Page 3: The Past and Future of Mobile Malwares

http://cybersec.medipol.edu.tr

Page 4: The Past and Future of Mobile Malwares

Malware: software programs designed to

▪ Disrupt computer operations

▪ Gather sensitive info

▪ Gain access to private computer systems

Main types: Virus, Trojan horse, Worm, Adware, Spyware, Rootkit

Page 5: The Past and Future of Mobile Malwares

iPhone 5 vs. Curiosity Mars Rover

Curiosity Mars Rover: 256 MB RAM, 2 GB flash storage, 200 MHz CPU

iPhone 5: 1 GB RAM, 16 GB flash storage, 1.3 GHz dual-core CPU

Page 6: The Past and Future of Mobile Malwares

Gartner 2013 Q4 Report*:

* http://www.gartner.com/newsroom/id/2645115

Page 7: The Past and Future of Mobile Malwares

Timeline of mobile malware eras (as drawn on the slide):

2004-2005: SYMBIAN AGE

2006: J2ME AGE

2007-2009: SYMBIAN AGE continues; A New Era Begins (iOS & Android)

2010 onward: SMARTPHONE ERA

2011-2012: The Rise of Smartphones

2013-2014: Advanced Devices, Advanced Malwares

Page 8: The Past and Future of Mobile Malwares

CARIBE / CABIR

Writer: 29A

Target: Symbian

Spreads: Bluetooth

Activity: Shows a message

Importance: The first mobile malware

* http://about-threats.trendmicro.com/us/archive/malware/symbos_cabir.a

* https://www.securelist.com/en/analysis?pubid=201225789

Page 9: The Past and Future of Mobile Malwares

DUST / DUTS

Writer: 29A

Target: Windows CE (Pocket PC)

Spreads: Parasitic file infector; it has no network propagation vector of its own and only infects executables in the directory it is run from (the slide lists Bluetooth, but the F-Secure description below records no Bluetooth spreading)

Activity: ▪ Infects executable files larger than 4 KB

▪ Shows the message "Dear User, am I allowed to spread?" before infecting

Importance: Proof-of-concept, the first known virus for the Pocket PC platform

* http://www.f-secure.com/v-descs/dtus.shtml

Page 10: The Past and Future of Mobile Malwares

MOSQUITO

Target: Symbian

Type: Premium SMS Trojan

Spreads: P2P (distributed as a cracked copy of a game)

Activity: Sends SMS messages to premium-rate services

Importance: First known premium-SMS malware

* http://www.symantec.com/security_response/writeup.jsp?docid=2004-081009-2533-99

Page 11: The Past and Future of Mobile Malwares

SKULLS / SKULLER

Target: Symbian

Type: Vandal Trojan

Spreads: Bluetooth

Activity: ▪ Overwrites the files on the device

▪ Replaces all application icons with skulls

Result: The device no longer boots properly

* http://about-threats.trendmicro.com/us/archive/malware/symbos_skulls.A

Page 12: The Past and Future of Mobile Malwares

PBSTEALER

Target: Symbian

Type: Spyware

Spreads: Bluetooth

Activity: Steals the phone book and sends all contacts to the nearest device via Bluetooth

Importance: ▪ First instance of spyware-like mobile malware

▪ Cabir (Caribe) variant

* http://about-threats.trendmicro.com/us/archive/malware/symbos_pbsteal.a

Page 13: The Past and Future of Mobile Malwares

COMMWARRIOR

Target: Symbian

Spreads: Bluetooth + MMS

Activity: ▪ Spreads over Bluetooth during the day

▪ Spreads over MMS at night

Importance: ▪ First mobile malware to use MMS to spread

▪ One of the most widespread Symbian malware families

* http://www.f-secure.com/v-descs/commwarrior.shtml

Page 14: The Past and Future of Mobile Malwares

REDBROWSER

Target: J2ME (Java ME) phones

Type: Premium SMS Trojan

Spreads: P2P

Activity: ▪ Pretends to be a WAP browser that offers free WAP browsing over SMS messages

▪ Actually sends a huge number of SMS messages to premium-rate services

http://www.f-secure.com/v-descs/redbrowser_a.shtml

Page 15: The Past and Future of Mobile Malwares

The birthday of iPhone - 2007

Page 16: The Past and Future of Mobile Malwares

Android 0.5: The first public build - 2007

Page 17: The Past and Future of Mobile Malwares

Android 1.0: Google G1 - 2008

Page 18: The Past and Future of Mobile Malwares

IOS_IKEE

Target: iOS

Activity:

▪ Infects jailbroken devices by logging in over SSH with the default credentials (root:alpine, mobile:alpine), which most jailbreak users never change

▪ Scans the network for other jailbroken iOS devices with the same default credentials and infects them

▪ Changes the device wallpaper to a photo of Rick Astley, a pop singer of the 80s

Importance: First known iOS malware (worm); note that it relies entirely on a weak default password, not on an iOS vulnerability, so a non-jailbroken device or one with a changed root password is not affected

http://about-threats.trendmicro.com/us/malware/ios_ikee.a

Page 19: The Past and Future of Mobile Malwares

DROIDSMS

Target: Android

Type: Premium SMS Trojan

Activity: ▪ Sends SMS messages to premium-rate numbers

▪ Introduces itself as a movie player app

Importance: First known Android malware

http://about-threats.trendmicro.com/us/malware/androidos_droidsms.a

Page 20: The Past and Future of Mobile Malwares

DROIDSNAKE

Target: Android

Type: Spyware

Activity: Spies on the device's GPS coordinates and forwards them over the Internet

Importance:

▪ First known Android Spyware

▪ Spread through Google's official Android Market

http://about-threats.trendmicro.com/us/malware/androidos_droisnake.a

Page 21: The Past and Future of Mobile Malwares

ZITMO

Target: Android

Type: SMS stealer

Activity:

▪ Poses as a password security app but intercepts and forwards the online banking one-time-password (mTAN) SMS messages

▪ Cooperates with the ZeuS Windows malware: ZeuS steals the banking credentials on the PC, ZitMo steals the SMS second factor on the phone

http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android
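The two Android families above (DroidSMS on Page 19 and ZitMo here) leave a visible footprint in the app's manifest: DroidSMS needs SEND_SMS to reach premium numbers, and an SMS stealer needs RECEIVE_SMS plus a broadcast receiver registered for SMS_RECEIVED at a high priority so it sees (and can abort) the OTP text before the inbox does. The following triage script is an added example written for this transcript, not code from the paper or from any of the malware described; it assumes the manifest has already been decoded to plain XML (for instance with apktool, since an APK ships binary XML), the package name, receiver name and priority threshold in it are constructed for illustration, and it simply reports indicators rather than deciding "malicious".

```python
"""Triage a decoded AndroidManifest.xml for premium-SMS / SMS-stealer indicators.

Added example for the slide transcript; not from the paper. Assumes the
manifest is already plain XML (apktool output), not the binary XML in an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Permissions that let an app send texts (premium-SMS fraud) or read incoming ones (OTP theft).
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Threshold is an assumption: stock SMS apps register at low priority, stealers
# typically use a large value so they run before the inbox can see the message.
HIGH_PRIORITY = 100


def _attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text.strip())
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": [],
        "indicators": [],
    }
    # Every receiver whose intent-filter listens for incoming SMS, with its priority.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                findings["sms_receivers"].append({
                    "name": _attr(receiver, "name"),
                    "priority": int(_attr(flt, "priority") or 0),
                })
    if "android.permission.SEND_SMS" in perms:
        findings["indicators"].append(
            "SEND_SMS declared: app can send premium-rate texts (DroidSMS/RedBrowser pattern)")
    for rcv in findings["sms_receivers"]:
        if rcv["priority"] >= HIGH_PRIORITY:
            findings["indicators"].append(
                f"high-priority SMS_RECEIVED receiver {rcv['name']} (priority {rcv['priority']}): "
                "can read and abort OTP texts before the inbox (ZitMo pattern)")
    return findings


# Constructed sample manifests (package and class names are invented for the example).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pwdsafe">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Password Safe">
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(f"{name}: {result['package']}")
        for indicator in result["indicators"] or ["no SMS indicators"]:
            print("  -", indicator)
```

The two checks are deliberately crude: a legitimate SMS client also declares these permissions, so the output is a triage signal to pair with the app's stated purpose (a "password safe" with SEND_SMS is the kind of mismatch these slides describe), not a verdict.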

Page 22: The Past and Future of Mobile Malwares

DROIDDREAM / DROIDKUNGFU

Target: Android Activity:

▪ Use two Android privilege-escalation exploits (known as "exploid" and "RageAgainstTheCage") to gain root access

▪ Send device info to a C&C server

▪ Use code obfuscation to hide themselves

▪ Encrypt the C&C server communication

▪ DroidKungFu additionally applies anti-virus evasion

Importance: ▪ Among the first instances of advanced mobile malware; DroidDream was distributed through the official Android Market inside repackaged legitimate apps

https://blog.lookout.com/blog/2011/03/02/android-malware-droiddream-how-it-works/

Page 23: The Past and Future of Mobile Malwares

ARSPAM / ALSALAH

Target: Android

Type: Hacktivist

Activity: ▪ Sends SMS messages to all contacts containing text about the protest of Mohamed Bouazizi, who set himself on fire at the start of the Arab Spring events

Importance: First known hacktivist mobile malware

http://contagiominidump.blogspot.com.tr/2011/12/arspam-alsalah-android-malware-middle.html

Page 24: The Past and Future of Mobile Malwares

FIND AND CALL

Target: Android & iOS

Type: Spyware

Activity:

▪ Sends its download link to each contact in the contact list.

▪ Sends the contacts list to a remote server

Importance: Appeared in the official iOS App Store (and in Google Play); the first malware to pass App Store review

http://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/

Page 25: The Past and Future of Mobile Malwares

2011: The year of mobile malware

Page 26: The Past and Future of Mobile Malwares

2012: The year of Android malware, with roughly 3,000 new malware samples every month

[Chart: new Android malware samples per month in 2012; x-axis months 1 to 12, y-axis 0 to 45,000]

Page 27: The Past and Future of Mobile Malwares

STEALER

Target: Android

Type: SMS Trojan with C&C (botnet-style) control

Activity: ▪ Spreads in the guise of a legitimate app

▪ Receives commands from a C&C server

Importance: Leader in terms of infection rate at the time

https://www.securelist.com/en/blog/8208/New_threat_Trojan_SMS_AndroidOS_Stealer_a

Page 28: The Past and Future of Mobile Malwares

RISKWARE / TRACER

Target: Android, iOS, Symbian, RIM (BlackBerry)

Type: Commercial spyware

Activity:

▪ Is installed on jailbroken and rooted devices

▪ Can access WhatsApp, Viber, Tango, Skype and Facebook chats, and Facebook photos

▪ Has botnet-style C&C capabilities

Importance: Sold commercially for $79 per year, C&C web interface included

http://contagiominidump.blogspot.com.tr/2013/07/trracer-commercial-spyware-pua-samples.html

Page 29: The Past and Future of Mobile Malwares

OLDBOOT

Target: Android

Type: Bootkit

Activity:

▪ Infects the boot partition of the device, so its components are restored on every boot even if the files are deleted

▪ Its "GoogleKernel" component is the part that anti-virus engines detect

Importance: ▪ First known Android bootkit

▪ Can't be cleaned by anti-virus apps, because they run inside the booted system and have no write access to the boot partition; only reflashing the boot image (or a verified-boot scheme such as dm-verity, introduced in Android 4.4) removes or prevents it

http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/
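Why a bootkit defeats an anti-virus app but not verified boot: the AV inspects files inside the running system, whereas verified boot hashes the boot image block by block and compares the result with a root hash anchored outside the writable image. The following hash-tree check is an added example written for this transcript, not code from the paper or from the Oldboot analysis; the block size follows dm-verity's default, but the tree construction, the constructed 32 KB "boot image" and the tampering marker are illustrative assumptions.

```python
"""dm-verity style hash-tree check over a boot image.

Added example for the slide transcript; not from the paper. The image and the
tampering below are constructed; only the 4 KB block size mirrors dm-verity.
"""
import hashlib
import hmac

BLOCK_SIZE = 4096  # dm-verity's default data block size


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """One hash per fixed-size block of the image."""
    if not image:
        return [_h(b"")]
    return [_h(image[i:i + block_size]) for i in range(0, len(image), block_size)]


def hash_tree_root(image: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Pairwise-hash the leaves up to a single root (Merkle tree)."""
    level = leaf_hashes(image, block_size)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # odd level: duplicate the last node
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def verify_boot_image(image: bytes, trusted_root: bytes) -> bool:
    """The trusted root must come from somewhere the bootkit cannot rewrite
    (a signed verity table, or a value baked into the bootloader)."""
    return hmac.compare_digest(hash_tree_root(image), trusted_root)


def tampered_blocks(image: bytes, trusted_leaves: list) -> list:
    """Indices of blocks whose hash no longer matches the trusted leaf list."""
    return [i for i, (got, want) in enumerate(zip(leaf_hashes(image), trusted_leaves))
            if got != want]


# Constructed 8-block "boot image": each block is filled with its own index byte.
GOOD_IMAGE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
TRUSTED_ROOT = hash_tree_root(GOOD_IMAGE)       # recorded at build/flash time
TRUSTED_LEAVES = leaf_hashes(GOOD_IMAGE)


def simulate_bootkit(image: bytes) -> bytes:
    """Overwrite a few bytes in block 0, the way a bootkit patches the boot
    partition (marker text is constructed, not an Oldboot artefact)."""
    patched = bytearray(image)
    patched[100:107] = b"BOOTKIT"
    return bytes(patched)


if __name__ == "__main__":
    infected = simulate_bootkit(GOOD_IMAGE)
    print("clean image verifies:", verify_boot_image(GOOD_IMAGE, TRUSTED_ROOT))
    print("infected image verifies:", verify_boot_image(infected, TRUSTED_ROOT))
    print("tampered blocks:", tampered_blocks(infected, TRUSTED_LEAVES))
```

The point the AV vendors could not address in 2014 is visible in the code: the check only means something if `TRUSTED_ROOT` lives outside what the bootkit can rewrite. A root hash stored on the same partition is just another file to patch.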

Page 30: The Past and Future of Mobile Malwares

OBAD

Target: Android

Type: Trojan (backdoor)

Activity:

▪ Retrieves sensitive info and executes C&C commands (including sending premium SMS and spreading itself to nearby devices over Bluetooth)

Importance: ▪ Known as the most advanced Android malware of its time

▪ Contains anti-decompilation and anti-VM controls (it exploited bugs in the dex2jar decompiler and in Android's manifest parser to break analysis tools)

▪ Uses previously unknown (zero-day) Android vulnerabilities to obtain Device Administrator privileges and hide itself from the device-admin list, rather than root access

▪ Can't be cleaned by anti-virus apps, because the hidden device-admin status prevents uninstallation

https://www.comodo.com/resources/Android_OBAD_Tech_Reportv3.pdf

Page 31: The Past and Future of Mobile Malwares

KOLER / SIMPLOCKER

Target: Android

Type: Ransomware

Activity:

▪ Locks the mobile device and demands about $300 to unlock it; Koler only locks the screen, while Simplocker additionally encrypts the files on the SD card

▪ Shows a message posing as a notice from a police department (the "police locker" scheme), claiming the user has viewed illegal content

http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html

Page 32: The Past and Future of Mobile Malwares

UNFLOD BABY PANDA

Target: iOS

Type: Spyware

Activity: ▪ Infects jailbroken iOS devices (installed as a Mobile Substrate extension)

▪ Steals the Apple ID and password by hooking the SSLWrite function and searching the outgoing plaintext buffer for the credentials before they are encrypted

▪ Is signed with a registered iOS developer certificate

https://www.sektioneins.de/en/blog/14-04-18-iOS-malware-campaign-unflod-baby-panda.html

Page 33: The Past and Future of Mobile Malwares

DSENCRYPT

Target: Android

Type: Spyware

Activity:

▪ Ships with an encrypted malware payload inside its assets folder

▪ Decrypts the encrypted part at runtime and loads it, so static analysis of the APK sees no malicious code

▪ Steals bank account details, signing certificates and SMS messages

▪ Pretends to be a legitimate "Google Play Store" app

http://www.fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html
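The encrypted-asset trick above is cheap to spot statically: an encrypted blob has near-maximal byte entropy and no recognisable file header, whereas the images, fonts and databases that legitimately live under assets/ either have a known magic or are small. The scanner below is an added example written for this transcript, not code from the paper or from the DSEncrypt analysis; it builds a constructed in-memory APK (a plain zip) to run offline, and the entropy threshold, minimum size and magic table are assumptions to tune on real samples.

```python
"""Flag high-entropy, header-less files under assets/ in an APK (encrypted payloads).

Added example for the slide transcript; not from the paper. The APK built
below is constructed in memory; thresholds are illustrative assumptions.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data approaches 8.0
MIN_SIZE = 1024           # ignore tiny files, whose entropy estimate is noisy
# Legitimately compressed/packed formats are high-entropy too, so exclude known headers.
KNOWN_MAGIC = {
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"dex\n": "dex",
    b"SQLite format 3\x00": "sqlite",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for uniform input, up to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk_assets(apk_bytes: bytes) -> list:
    """One record per file under assets/, marking likely encrypted payloads."""
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            magic = next((k for m, k in KNOWN_MAGIC.items() if data.startswith(m)), None)
            entropy = shannon_entropy(data)
            results.append({
                "name": info.filename,
                "size": len(data),
                "entropy": round(entropy, 2),
                "magic": magic,
                "suspicious": magic is None and len(data) >= MIN_SIZE
                              and entropy >= ENTROPY_THRESHOLD,
            })
    return results


def build_sample_apk() -> bytes:
    """Constructed APK: a text asset, a PNG-like asset, and a 'ciphertext' blob.
    The blob is derived from SHA-256 so the example stays deterministic."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    image = b"\x89PNG\r\n\x1a\n" + blob[:1500]   # real-world high-entropy but headered
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("assets/config.txt", b"server=updates.example.invalid\n" * 60)
        zf.writestr("assets/logo.png", image)
        zf.writestr("assets/payload.bin", blob)  # stands in for the encrypted payload
    return buf.getvalue()


if __name__ == "__main__":
    for rec in scan_apk_assets(build_sample_apk()):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{rec['name']:<22} {rec['size']:>6} B  H={rec['entropy']:.2f}  "
              f"magic={rec['magic']}  {flag}")
```

Two caveats a triage run needs: a payload that is merely XOR-ed with a short key keeps low entropy and slips past this check (look for repeating patterns instead), and a flagged asset is only interesting together with code that opens it and hands the result to DexClassLoader or a native loader, which is the runtime-decryption step the slide describes.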

Page 34: The Past and Future of Mobile Malwares

MALNOTES Target: Google Glass

Type: Spyware

Activity: ▪ Takes a photo every 10 seconds without the wearer knowing

Importance: ▪ First known Google Glass malware

▪ Proof-of-concept malware written for academic research

http://mustangnews.net/using-your-eyes-to-spy/

Page 35: The Past and Future of Mobile Malwares

The malware distribution of 2013

http://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/

Page 36: The Past and Future of Mobile Malwares

Windows 8 and BlackBerry OS 10 have app markets and developer programs too, so the same distribution channel exists there

Page 37: The Past and Future of Mobile Malwares

BlackBerry OS 10 ships a runtime for Android apps, so Android malware can run on it as well

Page 38: The Past and Future of Mobile Malwares

Smart home appliances such as ovens and fridges are already on the market, with Android inside

Page 39: The Past and Future of Mobile Malwares

Are wearable smart devices the next target?

Page 40: The Past and Future of Mobile Malwares

Governments and intelligence agencies develop advanced, targeted mobile malware

Page 41: The Past and Future of Mobile Malwares

http://cybersec.medipol.edu.tr