The Past and Future of Mobile Malwares
Transcript of The Past and Future of Mobile Malwares
Emin İslam TATLI, M. Oğuzhan TOPGÜL
Cyber Security and Privacy Research Group
This presentation is based on our paper
The Past and Future of Mobile Malwares, M. Oğuzhan Topgül and Emin İ. Tatlı, The 7th International Conference on Information Security and Cryptology (ISCTurkey’14), İstanbul, 17-18 October 2014.
Download the paper: https://www.researchgate.net/publication/265726834_The_Past_and_Future_of_Mobile_Malwares
http://cybersec.medipol.edu.tr
Malware: software programs designed to
▪ Disrupt computer operations
▪ Gather sensitive info
▪ Gain access to private computer systems
Main types: virus, Trojan horse, worm, adware, spyware, rootkit
iPhone 5 vs. Curiosity Mars Rover
▪ Curiosity Mars Rover: 256 MB RAM, 2 GB flash HDD, 200 MHz CPU
▪ iPhone 5: 1 GB RAM, 16 GB flash HDD, 1.3 GHz dual-core CPU
Gartner 2013 Q4 Report*:
* http://www.gartner.com/newsroom/id/2645115
▪ 2004: SYMBIAN AGE
▪ 2005: SYMBIAN AGE continues
▪ 2006: J2ME AGE
▪ 2007-2009: A New Era Begins (iOS & Android)
▪ 2010: SMARTPHONE ERA
▪ 2011-2012: The Rise of Smartphones
▪ 2013-2014: Advanced Devices, Advanced Malwares
CARIBE / CABIR
Writer: 29A
Target: Symbian
Spreads: Bluetooth
Activity: Shows a message
Importance: The first mobile malware
* http://about-threats.trendmicro.com/us/archive/malware/symbos_cabir.a
* https://www.securelist.com/en/analysis?pubid=201225789
DUST / DUTS
Writer: 29A
Target: Windows CE
Spreads: Bluetooth
Activity:
▪ Infects the files larger than 4K
▪ Shows a message “Dear User, am I allowed to spread?”
* http://www.f-secure.com/v-descs/dtus.shtml
MOSQUITO
Target: Symbian
Type: Premium SMS Trojan
Spreads: P2P
Activity: Sends Premium Service SMS messages
Importance: First instance of Premium SMS malwares
* http://www.symantec.com/security_response/writeup.jsp?docid=2004-081009-2533-99
SKULLS / SKULLER
Target: Symbian
Type: Vandal Trojan
Spreads: Bluetooth
Activity:
▪ Deletes all files on the device
▪ Changes all icons
Result: Device doesn’t boot again
* http://about-threats.trendmicro.com/us/archive/malware/symbos_skulls.A
PBSTEALER
Target: Symbian
Type: Spyware
Spreads: Bluetooth
Activity: Steals the phone book and sends all contacts to the nearest device via Bluetooth
Importance:
▪ First instance of Spyware-like malwares
▪ Caribe variant
* http://about-threats.trendmicro.com/us/archive/malware/symbos_pbsteal.a
COMMWARRIOR
Target: Symbian
Spreads: Bluetooth + MMS
Activity:
▪ Spreads over Bluetooth during the day
▪ Spreads over MMS at night
Importance:
▪ First mobile malware that uses MMS to spread
▪ One of the most widespread Symbian malwares
* http://www.f-secure.com/v-descs/commwarrior.shtml
REDBROWSER
Type: Premium SMS
Spreads: P2P
Activity:
▪ Pretends to be a WAP browser which offers free WAP browsing using SMS messages
▪ Sends a huge amount of SMS messages to Premium services
http://www.f-secure.com/v-descs/redbrowser_a.shtml
The birthday of iPhone - 2007
Android 0.5: The first public build - 2007
Android 1.0: Google G1 - 2008
IOS_IKEE
Target: iOS
Activity:
▪ Infects jailbroken devices by making an SSH connection with the default credentials (root:alpine, mobile:alpine)
▪ Scans the network for other jailbroken iOS devices to infect
▪ Also changes the wallpaper of the device to a photo of Rick Astley, a pop singer of the 80’s
Importance: First known iOS malware
http://about-threats.trendmicro.com/us/malware/ios_ikee.a
DROIDSMS
Target: Android
Type: Premium SMS
Activity:
▪ Sends Premium SMS messages
▪ Introduces itself as a movie player app
Importance: First known Android malware
http://about-threats.trendmicro.com/us/malware/androidos_droidsms.a
DROIDSNAKE
Target: Android
Type: Spyware
Activity: Spies on GPS coordinates and forwards them over the Internet
Importance:
▪ First known Android Spyware
▪ Spreads over Google’s official Android market
http://about-threats.trendmicro.com/us/malware/androidos_droisnake.a
ZITMO
Target: Android
Type: SMS Stealer
Activity:
▪ Poses as a password security app but steals online banking OTP SMS messages
▪ Cooperates with the ZEUS malware for Windows
http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android
DROIDDREAM / DROIDKUNGFU
Target: Android
Activity:
▪ Use 2 Android vulnerabilities to gain root access
▪ Send device info to the C&C server
▪ Use code obfuscation to hide themselves
▪ Apply encryption to the C&C server communication
▪ DroidKungFu additionally applies anti-virus evasion
Importance: One of the first instances of advanced mobile malwares
https://blog.lookout.com/blog/2011/03/02/android-malware-droiddream-how-it-works/
ALSPAM / ALSALAH
Target: Android
Type: Hacktivist
Activity:
▪ Sends SMS messages to all contacts about the protest of Mohamed Bouazizi, who set himself on fire during the Arab Spring events
Importance: First known hacktivist malware
http://contagiominidump.blogspot.com.tr/2011/12/arspam-alsalah-android-malware-middle.html
FIND AND CALL
Target: Android & iOS
Type: Spyware
Activity:
▪ Sends its download link to each contact in the contact list.
▪ Sends the contacts list to a remote server
Importance: Appeared in iOS App Store
http://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/
2011: The year of mobile malwares
2012: The year of Android malwares, ~3000 new malware samples every month
[Chart: new Android malware samples in 2012 by month; x-axis: months 1-12, y-axis: 0 to 45000]
STEALER
Target: Android
Type: Botnet trojan
Activity:
▪ Spreads in the guise of a legitimate app
▪ Receives commands from the C&C server
Importance: Leader in terms of infection rate
https://www.securelist.com/en/blog/8208/New_threat_Trojan_SMS_AndroidOS_Stealer_a
RISKWARE / TRACER
Target: Android, iOS, Symbian, RIM
Type: Spyware
Activity:
▪ Infects jailbroken and rooted devices
▪ Can access WhatsApp, Viber, Tango, Skype, Facebook chats and Facebook photos
▪ Has botnet capabilities
Importance: Sold for $79 annually, C&C interface included
http://contagiominidump.blogspot.com.tr/2013/07/trracer-commercial-spyware-pua-samples.html
OLDBOOT
Target: Android
Type: Bootkit
Activity:
▪ Infects the boot partition of the device
▪ GoogleKernel is detected as malware
Importance:
▪ First known Android bootkit malware
▪ Can’t be cleaned by anti-virus apps
http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/
OBAD
Target: Android
Type: Trojan
Activity:
▪ Retrieves sensitive info and executes C&C commands
Importance:
▪ Known as the most advanced Android malware
▪ Contains anti-decompile and anti-VM controls
▪ Uses zero-day vulnerabilities to get root access
▪ Can’t be cleaned by anti-virus apps
https://www.comodo.com/resources/Android_OBAD_Tech_Reportv3.pdf
KOLER / SIMPLOCKER
Target: Android
Type: Ransomware
Activity:
▪ Locks the mobile device and requests $300 to unlock it
▪ Shows a message as if it came from a police department
http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html
UNFLOD BABY PANDA
Target: iOS
Type: Spyware
Activity:
▪ Infects jailbroken iOS devices
▪ Steals the Apple ID and password by hooking the SSL buffer
▪ Is signed by a registered iOS developer
https://www.sektioneins.de/en/blog/14-04-18-iOS-malware-campaign-unflod-baby-panda.html
DSENCRYPT
Target: Android
Type: Spyware
Activity:
▪ Comes along with an encrypted malware inside its assets folder
▪ Decrypts the encrypted part at runtime
▪ Steals bank accounts, signing certificates and SMS messages
▪ Pretends to be a legitimate “Google Play Store” app
http://www.fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html
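Added example, not from the presentation or the paper: a defender-side heuristic over an APK that flags the pattern DSENCRYPT used, an opaque high-entropy blob under assets/ that is decrypted only at runtime. The APK built inline is constructed for the demo, and the entropy threshold, minimum size and list of skipped compressed formats are assumptions to tune on real samples.

```python
import io
import math
import zipfile
from collections import Counter

# Formats that are high-entropy by design (already compressed); skipped to cut false positives.
KNOWN_COMPRESSED = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"RIFF")
ENTROPY_THRESHOLD = 7.5  # bits per byte; uniformly random data (e.g. ciphertext) scores ~8.0
MIN_SIZE = 512           # entropy is meaningless on a handful of bytes, so tiny files are ignored

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty or constant input, max 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def suspicious_assets(apk_bytes: bytes) -> list:
    """Return (name, entropy) for assets/ entries that look like an opaque encrypted blob.

    An APK is a zip archive, so only assets/ (where DSENCRYPT kept its payload) is walked."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            if len(data) < MIN_SIZE or data.startswith(KNOWN_COMPRESSED):
                continue
            entropy = shannon_entropy(data)
            if entropy >= ENTROPY_THRESHOLD:
                flagged.append((info.filename, round(entropy, 2)))
    return flagged

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: one plain-text asset plus one ciphertext-like blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("assets/help.txt", "Tap the icon to start the player.\n" * 40)
        # every byte value equally often gives exactly 8.0 bits/byte, like a random ciphertext
        apk.writestr("assets/payload.bin", bytes(range(256)) * 8)
    return buf.getvalue()

if __name__ == "__main__":
    for name, entropy in suspicious_assets(build_sample_apk()):
        print(f"{name}: {entropy} bits/byte looks like an encrypted payload")
```

A hit is a lead for manual analysis (unpack, find the code that reads and decrypts the asset), not a verdict on its own, since legitimate apps also ship encrypted or packed resources.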
MALNOTES
Target: Google Glass
Type: Spyware
Activity:
▪ Takes a photo every 10 seconds without the wearer knowing
Importance:
▪ First known Google Glass malware
▪ Proof-of-concept malware for academic research
http://mustangnews.net/using-your-eyes-to-spy/
The malware distribution of 2013
http://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/
Windows 8 and Blackberry OS 10 have app markets and developer programs too
Blackberry OS 10 supports a runtime for Android apps
Smart home appliances like ovens and fridges are available in the market (with Android inside)
Are wearable smart devices the next target?
Governments and Intelligence Agencies develop advanced, targeted malwares
http://cybersec.medipol.edu.tr