Automated Remote Repair for Mobile Malware
Yacin Nadji, Jonathon Giffin, Patrick Traynor
Georgia Institute of Technology
ACSAC '11

Outline
• Introduction
• Related Work
• Mobile Malware
• Airmid Architecture
• Implementation
• Discussion
• Conclusion

Introduction
• 70000 new mobile malware samples per day

Introduction
• Cellular providers will not be able to rely solely upon the rapid identification and removal of malware by mobile market operators

Introduction
• A system for automated detection of and response to malicious software infections on handheld mobile devices: Airmid
• Airmid: the goddess of healing

Introduction
• We developed laboratory samples of mobile malware that
  ▫ Leak private data
  ▫ Dial premium numbers
  ▫ Participate in botnet activity
• And…
  ▫ Detect the presence of an emulated environment
  ▫ Change their behavior, create hidden background processes, scrub logs, and restart on reboot

Introduction
• Contributions
  ▫ Identification of current remediation shortcomings
  ▫ Design and implementation of advanced prototype malware
  ▫ Cooperatively neutralize malware on infected mobile phones

Related Work
• Traynor et al. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core
• Xu et al. Stealthy Video Capturer: A New Video-based Spyware in 3G Smartphones
• TaintDroid
• PiOS

Mobile Malware
• In the wild…
  ▫ Privilege escalation to root (DroidDream)
  ▫ Bots (Drad.A)
  ▫ Data exfiltration (DroidKungFu, StreamyScr.A)
  ▫ Backdoor triggered via SMS (Bgyoulu.A)
• Jailbroken iPhone
  ▫ iKee.B bot

Mobile Malware
• Deficiencies of marketplaces:
  ▫ Malware authors can write their apps with logic to evade detection by analysis
  ▫ The Android platform allows users to install apps from third-party marketplaces

Mobile Malware
• Enhanced prototype malware
  ▫ Loudmouth: a Twitter client that leaks private data
  ▫ 2Faced: a Facebook sync app that dials premium numbers
  ▫ Thor: a mobile bot

Mobile Malware
• Loudmouth
  ▫ Malicious mobile functionality: data exfiltration
  ▫ Evasive functionality: malware analysis environment detection
  ▫ Benign host app: Twitter client

Mobile Malware
• 2Faced
  ▫ Malicious mobile functionality: premium number dialer
  ▫ Evasive functionality: log sanitization and a hidden native process
  ▫ Benign host app: Facebook sync

Mobile Malware
• Thor
  ▫ Malicious mobile functionality: bot client
  ▫ Evasive functionality: persistence across reboot
  ▫ Benign host app: weather display

Mobile Malware
• Permissions use: (table of the prototypes' permissions; not preserved in the extracted slides)

Architecture
• Threat model
  ▫ Malware is installed via a variety of usual mechanisms
      Drive-by downloads or automated propagation
      Distribution on marketplaces
  ▫ Attackers can subvert the correct execution of a benign app
      Exploiting a security defect in the app's design

Architecture
• Assume…
  ▫ A protected software layer on the device lower than the level at which the malware executes
      Kernel (if kernel-level malware can be prevented)
      Hypervisor (if virtualized environments can be created on a mobile device)
  ▫ A communication channel between the network and each device
  ▫ Detectable malicious behavior in the network

Architecture
• Remote repair (figure; not preserved in the extracted slides)

Architecture
• Side-effects:
  ▫ Process termination
  ▫ On-device traffic filtering
  ▫ App update
  ▫ Device update
  ▫ File removal
  ▫ Factory reset

Architecture
• Authenticated communication
  ▫ [UMTS Security Wiki]
  ▫ [REF]
  ▫ [SPEC]
  ▫ [AKA Mechanism RFC]

Implementation
• Hardware
  ▫ HTC Dream with Android 1.6

Implementation
• Network component
  ▫ Snort
  ▫ Airmid server, built with the Python packet creation library Scapy

Implementation
• Device component
  ▫ A modified Linux kernel 2.6.29
  ▫ Dynamically loaded kernel modules disabled
  ▫ 1200 lines of C

Implementation
• Infection provenance (figures; not preserved in the extracted slides)

Implementation
• Remediation strategies
  ▫ Block the malicious traffic
  ▫ Termination of process
  ▫ Removal of the apk owned by the UID
  ▫ Removal of all files owned by the UID
  ▫ UID < 10000 (system user ID)
      Only block the malicious traffic
  ▫ UID ≥ 10000
      Terminate & remove
  ▫ Any native ARM processes? If yes, full scan!

Implementation
• Performance evaluation (figure; not preserved in the extracted slides)

Discussion
• Airmid control
  ▫ Some may not trust a cellular network provider
  ▫ Airmid is not a "one size fits all" solution
  ▫ Proxied via VPN
  ▫ Roaming?
  ▫ Relying on IDS

Discussion
• Device hardening
  ▫ Disable LKM
  ▫ Virtualization? L4Android
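The "Remediation strategies" slide above gives a UID-based policy: always filter the flagged traffic, leave system UIDs (below 10000) at that, and for app UIDs also terminate processes and remove the apk and files owned by that UID, escalating to a full scan when a native ARM process is involved. The following Python is an added illustration of that decision logic, not code from the Airmid project; the device-state model, the rule that a native process must belong to the flagged UID to trigger the full scan, and the sample package name are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

FIRST_APP_UID = 10000  # first Android app UID; lower UIDs are system users (slides)


@dataclass
class Process:
    pid: int
    uid: int
    native: bool = False  # True for a native ARM binary, like 2Faced's hidden helper


@dataclass
class DeviceState:
    processes: List[Process]
    apks: Dict[int, str]   # app uid -> installed apk path
    files: Dict[str, int]  # file path -> owning uid


def plan_remediation(state: DeviceState, flagged_uid: int) -> List[str]:
    """Ordered actions for a network alert attributed to flagged_uid.

    Slide policy: always filter the traffic; for a system UID stop there;
    for an app UID also kill its processes and delete its apk and files;
    if the app also ran a native ARM process, escalate to a full device scan.
    """
    actions = ["block_traffic"]
    if flagged_uid < FIRST_APP_UID:
        return actions  # removing platform components would break the device
    owned = [p for p in state.processes if p.uid == flagged_uid]
    actions += [f"terminate pid {p.pid}" for p in owned]
    if flagged_uid in state.apks:
        actions.append(f"remove {state.apks[flagged_uid]}")
    actions += [f"remove {path}" for path, owner in state.files.items() if owner == flagged_uid]
    if any(p.native for p in owned):
        actions.append("full_scan")  # assumption: native process belongs to the flagged UID
    return actions


# Constructed sample state: app uid 10042 runs a Dalvik process plus a hidden
# native helper; uid 1000 is a system daemon. The package name is made up.
SAMPLE = DeviceState(
    processes=[Process(1234, 10042), Process(1300, 10042, native=True), Process(77, 1000)],
    apks={10042: "/data/app/com.example.twofaced.apk"},
    files={"/data/data/com.example.twofaced/log.txt": 10042, "/system/bin/foo": 0},
)

if __name__ == "__main__":
    print(plan_remediation(SAMPLE, 10042), plan_remediation(SAMPLE, 1000))
```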