Automated Remote Repair for Mobile Malware
Yacin Nadji, Jonathon Giffin, Patrick Traynor (Georgia Institute of Technology), ACSAC '11

Outline: Introduction, Related Work, Mobile Malware, Airmid Architecture, Implementation, Discussion, Conclusion
Introduction
▫70000 new mobile malware samples per day
▫Cellular providers will not be able to rely solely upon the rapid identification and removal of malware by mobile market operators
▫Airmid: a system for automated detection of and response to malicious software infections on handheld mobile devices (Airmid is the goddess of healing)
Introduction
We developed laboratory samples of mobile malware that:
▫Leak private data
▫Dial premium numbers
▫Participate in botnet activity
And also:
▫Detect the presence of an emulated environment
▫Change their behavior, create a hidden background process, scrub logs, and restart on reboot

Contributions:
▫Identification of current remediation shortcomings
▫Design and implementation of advanced prototype malware
▫Cooperative neutralization of malware on infected mobile phones
Related Work
▫Traynor et al. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core
▫Xu et al. Stealthy Video Capturer: A New Video-based Spyware in 3G Smartphones
▫TaintDroid
▫PiOS
Mobile Malware
In the wild:
▫Privilege escalation to root (DroidDream)
▫Bots (Drad.A)
▫Data exfiltration (DroidKungFu, StreamyScr.A)
▫Backdoor triggered via SMS (Bgyoulu.A)
Jailbroken iPhone:
▫iKee.B Bot

Deficiencies of marketplaces:
▫Malware authors can write their apps with logic to evade detection by analysis
▫The Android platform allows users to install apps from third-party marketplaces

Enhanced prototype malware:
▫Loudmouth: a Twitter client that leaks private data
▫2Faced: a Facebook sync app that dials premium numbers
▫Thor: a mobile bot
Loudmouth
▫Malicious mobile functionality: data exfiltration
▫Evasive functionality: malware analysis environment detection
▫Benign host app: Twitter client

2Faced
▫Malicious mobile functionality: premium number dialer
▫Evasive functionality: log sanitization and a hidden native process
▫Benign host app: Facebook sync

Thor
▫Malicious mobile functionality: bot client
▫Evasive functionality: persistence across reboot
▫Benign host app: weather display

Permissions used:
Architecture
Threat model:
▫Malware is installed via a variety of usual mechanisms: drive-by downloads or automated propagation, distribution on marketplaces
▫Attackers can subvert the correct execution of a benign app by exploiting a security defect in the app's design

Assumptions:
▫A protected software layer on the device lower than the level at which the malware executes: the kernel (if kernel-level malware can be prevented) or a hypervisor (if virtualized environments can be created on a mobile device)
▫A communication channel between the network and each device
▫Detectable malicious behavior in the network

Remote repair

Side-effects:
▫Process termination
▫On-device traffic filtering
▫App update
▫Device update
▫File removal
▫Factory reset

Authenticated communication:
▫[UMTS Security Wiki]
▫[REF]
▫[SPEC]
▫[AKA Mechanism RFC]
Implementation
Hardware:
▫HTC Dream with Android 1.6
Network component:
▫Snort
▫Airmid Server, built with the Python packet creation library Scapy
Device component:
▫A modified Linux kernel
▫Dynamically loaded kernel modules disabled
▫1200 lines of C
Implementation Infection provenance
Implementation
Remediation strategies:
▫Block the malicious traffic
▫Terminate the process
▫Remove the apk owned by the UID
▫Remove all files owned by the UID
Decision rule:
▫UID < system user ID: only block the malicious traffic
▫UID ≧ system user ID: terminate and remove
▫Any native ARM processes? If yes, full scan!
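The remediation decision above, worked through as an added example (this is not the paper's kernel code or Airmid server code). It maps a network alert back to the process that owns the offending socket, then applies the slide's UID rule. Everything here is constructed: the process table, the alert, and the assumption that app UIDs start at 10000 (Android's first application UID) and that the "native process" check is scoped to the flagged UID.

```python
"""Airmid-style remediation policy walkthrough (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: Android assigns UIDs >= 10000 to installed apps; lower UIDs are
# platform/system users. Constructed constant for this example.
FIRST_APP_UID = 10000


@dataclass
class Process:
    pid: int
    uid: int
    name: str
    native: bool          # True for a native ARM binary, False for a Dalvik app process
    sockets: List[str]    # constructed "src_ip:src_port" endpoints this process opened


@dataclass
class Alert:
    src_ip: str
    src_port: int
    signature: str        # name of the IDS rule that fired


def find_owner(alert: Alert, procs: List[Process]) -> Optional[Process]:
    """Infection provenance: map the flagged flow to the process owning the socket."""
    key = f"{alert.src_ip}:{alert.src_port}"
    for p in procs:
        if key in p.sockets:
            return p
    return None


def plan_remediation(alert: Alert, procs: List[Process]) -> List[str]:
    """Return the ordered list of remediation actions for one alert."""
    actions = [f"block traffic matching '{alert.signature}' from {alert.src_ip}:{alert.src_port}"]
    owner = find_owner(alert, procs)
    if owner is None:
        # No owning process found: filtering is the only safe action.
        return actions
    if owner.uid < FIRST_APP_UID:
        # System component: killing or removing it risks the device, so only filter.
        return actions
    # Application UID: terminate and remove everything the UID owns.
    actions.append(f"terminate pid {owner.pid} ({owner.name})")
    actions.append(f"remove apk owned by uid {owner.uid}")
    actions.append(f"remove all files owned by uid {owner.uid}")
    # Evasive malware may have spawned a hidden native helper (as 2Faced does);
    # assumption: the check is scoped to native processes under the same UID.
    if any(p.native and p.uid == owner.uid for p in procs):
        actions.append("full device scan")
    return actions


# Constructed process table: a Twitter client with a hidden native helper,
# a system service, and an unrelated weather app.
SAMPLE_PROCS = [
    Process(1234, 10045, "com.example.twitter", False, ["10.0.0.5:41234"]),
    Process(1250, 10045, "hidden_helper", True, ["10.0.0.5:41300"]),
    Process(900, 1000, "system_server", False, ["10.0.0.5:5228"]),
    Process(1300, 10060, "com.example.weather", False, ["10.0.0.5:41500"]),
]

if __name__ == "__main__":
    alert = Alert("10.0.0.5", 41234, "data exfiltration to known drop site")
    for step in plan_remediation(alert, SAMPLE_PROCS):
        print(step)
```

Running the module prints the five steps for the exfiltration alert: block, terminate, remove apk, remove files, then a full scan because the same UID owns a native process. An alert attributed to `system_server` yields only the block action.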
Implementation Performance evaluation
Discussion
Airmid control:
▫Some may not trust a cellular network provider
▫Airmid is not a "one size fits all" solution
▫Proxied via VPN
▫Roaming?
▫Relying on IDS
Device hardening:
▫Disable LKM
▫Virtualization? L4Android