The Past and Future of Mobile Malwares
DESCRIPTION
This presentation covers the mobile malware that appeared between 2004 and 2014 on the mobile platforms of that period, including Symbian, J2ME, Android and iOS, and discusses where mobile malware is heading.
TRANSCRIPT
This presentation is based on our paper:
The Past and Future of Mobile Malwares
M. Oğuzhan Topgül and Emin İ. Tatlı
The 7th International Conference on Information Security and Cryptology (ISCTurkey'14), İstanbul, 17-18 October 2014.
Download the paper: https://www.researchgate.net/publication/265726834_The_Past_and_Future_of_Mobile_Malwares
MALWARE
Software designed to
▪ disrupt computer operations
▪ gather sensitive information
▪ gain access to private computer systems
Main types: virus, Trojan horse, worm, adware, spyware, rootkit
iPhone 5 vs. Curiosity Mars Rover
Curiosity Mars Rover: 256 MB RAM, 2 GB flash storage, 200 MHz CPU
iPhone 5: 1 GB RAM, 16 GB flash storage, 1.3 GHz dual-core CPU
TIMELINE
2004: Symbian age
2005: Symbian age continues
2006: J2ME age
2007-2009: A new era begins (iOS & Android)
2010: Smartphone era
2011-2012: The rise of smartphones
2013-2014: Advanced devices, advanced malware
CARIBE / CABIR
Writer: 29A
Target: Symbian
Spreads: Bluetooth
Activity: shows a message on the screen
Importance: the first mobile malware
* http://about-threats.trendmicro.com/us/archive/malware/symbos_cabir.a
* https://www.securelist.com/en/analysis?pubid=201225789
DUST / DUTS
Writer: 29A
Target: Windows CE (Pocket PC)
Spreads: by infecting executables; a proof of concept that does not propagate over Bluetooth or any network on its own
Activity:
▪ Infects EXE files larger than 4 KB in its current directory
▪ Asks the user "Dear User, am I allowed to spread?" before infecting
Importance: the first Windows CE malware
* http://www.f-secure.com/v-descs/dtus.shtml
MOSQUITO
Target: Symbian
Type: premium-SMS Trojan
Spreads: file sharing (a cracked copy of the game Mosquitos carrying the Trojan)
Activity: sends SMS messages to premium-rate services
Importance: first instance of premium-SMS malware
* http://www.symantec.com/security_response/writeup.jsp?docid=2004-081009-2533-99
SKULLS / SKULLER
Target: Symbian
Type: vandal Trojan
Spreads: Bluetooth (variants bundle the Cabir worm); first seen as a trojanized theme-manager download
Activity:
▪ Overwrites the system application binaries with non-functional copies
▪ Replaces all application icons with skull icons
Result: the phone is left essentially unusable; only basic calling still works
* http://about-threats.trendmicro.com/us/archive/malware/symbos_skulls.A
PBSTEALER
Target: Symbian
Type: spyware
Spreads: Bluetooth
Activity: steals the phone book and sends all contacts to the nearest Bluetooth device
Importance:
▪ First instance of spyware-like mobile malware
▪ A Caribe variant
* http://about-threats.trendmicro.com/us/archive/malware/symbos_pbsteal.a
COMMWARRIOR
Target: Symbian
Spreads: Bluetooth + MMS
Activity:
▪ Spreads over Bluetooth during the day
▪ Spreads over MMS at night
Importance:
▪ First mobile malware to spread via MMS
▪ One of the most widespread Symbian malware families
* http://www.f-secure.com/v-descs/commwarrior.shtml
REDBROWSER
Target: J2ME
Type: premium-SMS Trojan
Spreads: P2P
Activity:
▪ Pretends to be a WAP browser that offers free WAP browsing through SMS messages
▪ Sends large numbers of SMS messages to premium-rate services
Importance: first known J2ME malware
* http://www.f-secure.com/v-descs/redbrowser_a.shtml
IOS_IKEE
Target: iOS
Type: worm
Activity:
▪ Infects jailbroken devices by logging in over SSH with the default credentials (root:alpine, mobile:alpine)
▪ Scans the network for other jailbroken iOS devices to infect
▪ Changes the wallpaper to a photo of Rick Astley, an 80s pop singer
Importance: first known iOS malware
Note: the worm needs no exploit at all; a jailbroken device that installs an SSH server keeps the factory password on both the root and the mobile account until the owner changes them with passwd.
* http://about-threats.trendmicro.com/us/malware/ios_ikee.a
DROIDSMS
Target: Android
Type: premium-SMS Trojan
Activity:
▪ Sends SMS messages to premium-rate numbers
▪ Poses as a movie player app
Importance: first known Android malware
* http://about-threats.trendmicro.com/us/malware/androidos_droidsms.a
DROIDSNAKE
Target: Android
Type: spyware
Activity: reports the device's GPS coordinates over the Internet
Importance:
▪ First known Android spyware
▪ Was distributed through Google's official Android Market
* http://about-threats.trendmicro.com/us/malware/androidos_droisnake.a
ZITMO (ZeuS-in-the-Mobile)
Target: Android
Type: SMS stealer
Activity:
▪ Poses as a password-security app but steals the SMS messages that carry online-banking one-time passwords
▪ Works together with the Windows ZeuS Trojan: ZeuS steals the banking credentials on the PC, Zitmo forwards the OTP sent to the phone
* http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android
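Both DroidSMS and Zitmo declare their intent in the manifest: SMS permissions plus a broadcast receiver for SMS_RECEIVED, usually with a raised priority so the app sees an incoming message before the stock messaging app does. The script below is an added example (not code from the paper or from any of the malware write-ups cited here) that triages a decoded AndroidManifest.xml for that pattern. The two manifests, their package names and class names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample with the Zitmo/DroidSMS shape; package and class names are hypothetical.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitycert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Certificate">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _android(elem, attr):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def _priority(intent_filter):
    """android:priority as an int; a missing value or a resource reference counts as 0."""
    raw = _android(intent_filter, "priority")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return 0


def triage_manifest(xml_text):
    """Return SMS-abuse indicators found in a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {_android(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_android(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append({"receiver": _android(receiver, "name"),
                                      "priority": _priority(flt)})

    indicators = []
    if "android.permission.RECEIVE_SMS" in perms and sms_receivers:
        indicators.append("listens_for_incoming_sms")
        # Ordered broadcasts are delivered by descending priority; an app that raises
        # its priority wants to see (and can abort) the SMS before other receivers.
        if any(r["priority"] > 0 for r in sms_receivers):
            indicators.append("high_priority_sms_receiver")
    if "android.permission.SEND_SMS" in perms:
        indicators.append("can_send_sms")
    if "android.permission.INTERNET" in perms and "listens_for_incoming_sms" in indicators:
        indicators.append("can_exfiltrate_sms")

    suspicious = ("high_priority_sms_receiver" in indicators
                  or {"listens_for_incoming_sms", "can_send_sms"} <= set(indicators))
    return {"package": root.get("package"), "permissions": sorted(perms),
            "sms_receivers": sms_receivers, "indicators": indicators,
            "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["indicators"])
```

A real APK stores the manifest in binary AXML, so decode it first (apktool or androguard) and feed the text to triage_manifest. Treat the output as triage, not a verdict: a legitimate messaging app sets off the same indicators, so the next step is to look at what the receiver does with the message (abortBroadcast, network code in the same class).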
DROIDDREAM / DROIDKUNGFU
Target: Android
Activity:
▪ Exploit two Android privilege-escalation vulnerabilities to gain root access
▪ Send device information to a C&C server
▪ Use code obfuscation to hide themselves
▪ Encrypt the communication with the C&C server
▪ DroidKungFu additionally applies anti-virus evasion
Importance: among the first instances of advanced mobile malware
* https://blog.lookout.com/blog/2011/03/02/android-malware-droiddream-how-it-works/
ARSPAM / ALSALAH
Target: Android
Type: hacktivist
Activity: sends SMS messages to all contacts about the protest of Mohamed Bouazizi, who set himself on fire at the start of the Arab Spring
Importance: first known hacktivist mobile malware
* http://contagiominidump.blogspot.com.tr/2011/12/arspam-alsalah-android-malware-middle.html
FIND AND CALL
Target: Android & iOS
Type: spyware
Activity:
▪ Sends its download link to every contact in the address book
▪ Uploads the contact list to a remote server
Importance: appeared in the iOS App Store
* http://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/
2012: The year of Android malware
~3000 new malware samples every month
(Chart: new Android malware samples per month of 2012; y-axis 0 to 45,000, x-axis months 1 to 12.)
STEALER
Target: Android
Type: botnet Trojan
Activity:
▪ Spreads in the guise of a legitimate app
▪ Receives commands from a C&C server
Importance: leader in terms of infection rate
* https://www.securelist.com/en/blog/8208/New_threat_Trojan_SMS_AndroidOS_Stealer_a
RISKWARE / TRACER
Target: Android, iOS, Symbian, RIM
Type: commercial spyware
Activity:
▪ Installed on jailbroken and rooted devices
▪ Can read WhatsApp, Viber, Tango, Skype and Facebook chats and Facebook photos
▪ Has botnet capabilities
Importance: sold for $79 a year together with the C&C interface
* http://contagiominidump.blogspot.com.tr/2013/07/trracer-commercial-spyware-pua-samples.html
OLDBOOT
Target: Android
Type: bootkit
Activity:
▪ Infects the boot partition of the device
▪ Drops a component named GoogleKernel, which is what anti-virus engines detect
Importance:
▪ First known Android bootkit
▪ Cannot be cleaned by anti-virus apps, because the modified boot partition reinstalls the components on every boot
* http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/
OBAD
Target: Android
Type: backdoor Trojan
Activity: collects sensitive information and executes commands from the C&C server
Importance:
▪ Described as the most advanced Android malware at the time
▪ Contains anti-decompilation and anti-VM checks
▪ Exploits previously unknown Android vulnerabilities to obtain Device Administrator privileges and hide them from the user
▪ Cannot be cleaned by anti-virus apps
* https://www.comodo.com/resources/Android_OBAD_Tech_Reportv3.pdf
KOLER / SIMPLOCKER
Target: Android
Type: ransomware
Activity:
▪ Locks the mobile device and demands $300 to unlock it
▪ Displays a lock screen claiming to come from a police department
* http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html
UNFLOD BABY PANDA
Target: iOS
Type: spyware
Activity:
▪ Infects jailbroken iOS devices
▪ Steals the Apple ID and password by hooking the SSL write function and scanning the outgoing buffer
▪ Is signed with a registered iOS developer certificate
* https://www.sektioneins.de/en/blog/14-04-18-iOS-malware-campaign-unflod-baby-panda.html
DSENCRYPT
Target: Android
Type: spyware
Activity:
▪ Carries an encrypted second-stage malware inside its assets folder
▪ Decrypts the encrypted part at runtime
▪ Steals bank account data, signing certificates and SMS messages
▪ Pretends to be the legitimate "Google Play Store" app
* http://www.fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html
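An encrypted payload in the assets folder, as DSEncrypt carries, leaves a static fingerprint: a large file under assets/ whose bytes are close to uniformly distributed and that does not start with the magic of a legitimately high-entropy format such as PNG, JPEG or a nested ZIP. The script below is an added example (not from the paper or from FireEye's analysis) that profiles every asset in an APK by Shannon entropy and flags that shape. The APK it scans is constructed in memory for the example; the file names and the pseudo-random stand-in for the encrypted blob are hypothetical.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Magic bytes of formats that are legitimately high-entropy (compressed) or
# recognisable as code; such files are not flagged even when their entropy is high.
KNOWN_MAGIC = {
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/apk/jar",
    b"dex\n": "dex",
    b"\x1f\x8b": "gzip",
    b"RIFF": "riff/webp",
}


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data):
    """Name of a recognised container/code format by magic bytes, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_apk_assets(apk_bytes, threshold=7.5, min_size=1024):
    """Entropy-profile every file under assets/ in an APK (which is a ZIP archive)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            if len(data) < min_size:      # tiny files give noisy entropy estimates
                continue
            fmt = known_format(data)
            ent = shannon_entropy(data)
            findings.append({
                "name": info.filename,
                "size": len(data),
                "entropy": round(ent, 2),
                "format": fmt,
                # high entropy with no recognisable container is the DSEncrypt shape
                "flag": fmt is None and ent >= threshold,
            })
    return findings


def suspicious_assets(apk_bytes):
    """Names of the assets that scan_apk_assets flagged."""
    return [f["name"] for f in scan_apk_assets(apk_bytes) if f["flag"]]


def build_sample_apk():
    """Constructed APK: a plain config file, a PNG, and a stand-in encrypted payload."""
    rng = random.Random(2014)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("assets/config.json",
                     '{"server": "http://c2.example.invalid", "interval": 60}\n' * 40)
        apk.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + noise(4096))
        apk.writestr("assets/data.bin", noise(8192))  # no magic, uniform bytes
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk_assets(build_sample_apk()):
        print(finding)
```

Two caveats when running this on real samples. Low entropy does not clear a file: a payload hidden with a byte-substitution or short XOR key keeps the statistics of its plaintext, so pair the scan with a search for decryption code (javax.crypto.Cipher followed by DexClassLoader) in the DEX. And high entropy is not proof of malice either; games and DRM-protected apps ship encrypted assets routinely, which is why the check reports a format column rather than a single yes/no.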
MALNOTES
Target: Google Glass
Type: spyware
Activity: takes a photo every 10 seconds without the wearer noticing
Importance:
▪ First known Google Glass malware
▪ Proof-of-concept malware from academic research
* http://mustangnews.net/using-your-eyes-to-spy/
The mobile malware distribution of 2013
(Chart; source below.)
* http://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/