Security optimize

Mobile malware: A clear and present danger

A group of Berkeley researchers take a long, hard look at mobile malware. What they found should interest you.
William Francis -- fellow TechRepublic writer/Android investigative partner -- and I research Android permissions and Android malware. Every step of the way, we have the support and guidance of experts -- one being Adrienne Porter Felt. I just learned that Adrienne and fellow U.C. Berkeley researchers Matthew Finifter, Erika Chin, Steven Hanna, and David Wagner coauthored "A Survey of Mobile Malware in the Wild". Their point: Mobile malware is a clear and present danger. I normally avoid the dramatic, but a lot of good people are trying to raise awareness about the increased presence of mobile malware, and I want to help.

After reading the paper, I emailed William, telling him about the paper. I was hoping he'd feel the same about it. A return email said he did. He also sent me two questions, plus explicit instructions -- make sure Adrienne gets them. The guy knows me, I was already pulling a list of questions together.

Classify mobile malware

I almost got ahead of myself. The research team grouped all mobile threats into three classifications. How they did it is a bit different, so it might be best to look at the breakdown before getting to the questions:

Malware: Gains access to a device for the purpose of stealing data, damaging the device, or annoying the user, etc. The attacker defrauds the user into installing the malicious application or gains unauthorized remote access by taking advantage of a device vulnerability. Malware provides no legal notice to the affected user.

This threat includes Trojans, worms, botnets, and viruses. Malware is illegal in many countries, including the United States, and the distribution of it may be punishable by jail time.

Personal Spyware: Collects personal information such as location or text message history over a period of time. With personal spyware, the attacker has physical access to the device and installs the software without the user's knowledge.

Personal spyware sends the victim's information to the person who installed the application onto the victim's device, rather than to the author of the application. For example, a person might install personal spyware onto a spouse's phone. It is legal to sell personal spyware in the U.S. because it does not defraud the purchaser (i.e., the attacker).

Personal spyware is honest about its purpose to the person who purchases and installs the application. However, it may be illegal to install personal spyware on another person's smartphone without his or her authorization.

Grayware: Legitimate applications collect user data for the purpose of marketing or user profiling. Grayware spies on users, but the companies that distribute grayware do not aim to harm users. Pieces of grayware provide real functionality and value to the users.

The companies that distribute grayware may disclose their collection habits in their privacy policies, with varying degrees of clarity. Grayware sits at the edge of legality; its behavior may be legal or illegal depending on the jurisdiction of the complaint and the wording of its privacy policy. Unlike malware or personal spyware, illegal grayware is punished with corporate fines rather than personal sentences.

Even when the activity of grayware is legal, users may object to the data collection if they discover it. Application markets may choose to remove or allow grayware when detected on a case-by-case basis.

Questions

KassnerWilliam and I discussed how the paper classified mobile malware. We could not agree as to why it was done this way. Being older and wiser, I suggested that we let Adrienne explain. Porter Felt: We chose these three classifications because each requires a different defense:
  • Malware can be fought with anti-virus software, marketplace security reviews, and permissions.
  • The FTC can deter grayware by using legal means to pursue legitimate companies that are performing actions without sufficient consumer consent.
  • With personal spyware, the underlying problem is that the "attacker" has physical access to the phone, so the best defenses are to lock your screen and keep the phone physically safe.

We focused on malware because that threat category can be approached from a purely technical perspective, which is our area of expertise.

Kassner: I wanted to mention that Adrienne helped William and me when we needed malware samples for my article, "Android security apps playing catch-up to malcode". That's when I learned about the research team's collection of mobile malware.

I figured the researchers reverse-engineered the samples, and that was it. But, they were doing more. For example, they classified the captured malware samples according to behavior:

  • Exfiltrates user information: 28
  • Premium calls or SMS: 24
  • Sends SMS advertisement spam: 8
  • Novelty and amusement: 6
  • Exfiltrates user credentials: 4
  • Search engine optimization: 1
  • Ransom: 1

William and I thought "exfiltrates user credentials" would have ranked higher, much higher. Curious now, I asked Adrienne if the results were what they expected.

Porter Felt: We had expected to see more phishing attacks. I think we'll see more in the future. We compiled that data set over the summer (2011), and since then I've become aware of at least one new piece of malware that exfiltrates user credentials - a Netflix phishing app.

I also suspect that there's more SEO malware than we were able to discover, but it goes unreported because it does not directly harm the consumer.

Kassner: I reread the section describing the benefits from selling exfiltrated user information. It seems money speaks:

"Legitimate applications with advertising libraries can expect to earn between $1.90 and $9.50 per user per month, which includes both the value of collecting user location data and displaying advertisements."

Per month? Is this why both good-intentioned and bad-intentioned developers are more inclined to create free apps and include advertising? They get a monthly return instead of a one-time payment.

Porter Felt: More precisely, legitimate applications can expect to earn that much per month of use. If a developer can write an application that people will keep using, then the developer will make more money with ads than an up-front charge.

On the other hand, most applications go unused after the first day or two. So, legitimate developers have to bet on how "sticky" (i.e., addictive) their applications will be. Malicious applications, however, can use unfair tactics, loading even when the user doesn't want the application.

Kassner: I also noticed "novelty and amusement" ranked higher on the list than my choice. I mentioned my bewilderment to Adrienne. Porter Felt: When some people see wet concrete, they carve their initials into it. It's the same thing with new computer systems; certain people can't resist the temptation to exploit obvious weaknesses, just for the fun of it. Kassner: The paper put a lot of onus on the application stores, being the main repositories for apps. Do you feel it is their responsibility to make sure all apps are free of malware? Porter Felt: Apple's review process seems to be highly effective at either deterring or finding malware. However, I don't think it's the long-term solution to smartphone malware. I'm not sure how well their review process can scale to tens of millions of applications. Basically, I think the review process works well right now, but we need other approaches. Francis: There's a lot of time spent describing the concept of mobile markets for downloading apps, as well as the review processes the various market places do (or don't) enforce.

I didn't find any number in terms of how many of the Android malware apps examined actually made it to the official market, and how long those threats were present before they were pulled. I think that would be an extremely interesting data point, because I suspect only loading apps from an official market, even one that is un-policed like Android, dramatically decreases your window of vulnerability.

Porter Felt: I agree completely. Only four pieces of malware in our data set made it into the official Android Market. Furthermore, the Android security team removed them immediately upon learning about them. Yet, the malware still remains in unofficial markets.

Unfortunately, I do not know the exact amount of time each malware was in Android Market before being removed.

Kassner: Both William and I were impressed. The paper required lateral thought. For example, the team's prediction of what future mobile malware could look like:
  • Advertising click fraud
  • Invasive advertising
  • In-application billing fraud
  • Governments
  • E-mail spam
  • Distributed denial-of-service
  • Near-field communication and credit cards

Two predictions stand out - one, in an odd way, creative; and one, downright scary. First, would you explain how "in-application billing fraud" works? Next, why are governments of concern?

Porter Felt: There are a few ways for in-application billing fraud to happen. One is phishing. A user might try to purchase an item and then see a fraudulent "verify your password" screen. Another potential attack vector is the application that handles the billing (i.e., the App Store). It might have vulnerabilities that an application could exploit to trick it into thinking the user agreed to a purchase.

With respect to the governmental threat model, some governments are willing to censor and monitor their citizens. For example, the UAE government got an ISP to push a "fake update" to Blackberry phones that copied citizens' e-mails.

Kassner: The paper mentions that both malware creators and smartphone owners want to "jailbreak" smart mobile devices. Bad guys need to sidestep security and owners want to customize their phones.

To prove their assertion, the team created the following table and timeline from collected data:

The findings suggest jailbreaking is inevitable. And, jailbreaking exploits are available shortly after the release of a phone or new firmware.

Even the mighty Apple iOS4 succumbs. Two days after it was released, jailbreaking how-to's were all over the Internet.

I mentioned earlier that I was impressed with the avant-garde conclusions. One such denouement is their idea on how to eliminate jailbreaking. I'll let Adrienne explain.

Porter Felt: Currently, smartphone manufacturers and network providers are indirectly (and accidentally) aiding malware authors by selling "locked" phones. There's strong demand among certain segments of the market for unlocked phones, so expert users are motivated to find exploits.

We think manufacturers and network providers should sell phones that can be easily unlocked by their owners -- without using exploits. This would remove the incentive for tech-savvy individuals to find and publish exploits.

Francis: There is much discussion about root exploits, particularly those involving Android devices. I'd be curious to know if besides the unlocked boot loader, you were pro/con or indifferent on the subject of open-source and its affect on mobile security. Porter Felt: As far as I am aware, none of the Android privilege escalation vulnerabilities come from the Android Open Source Project. Security experts can find vulnerabilities in software whether it's open source or not. Lack of source code isn't a challenge for an experienced hacker. As mentioned earlier, iOS versions are typically broken within days of release, just like Android versions. Kassner: It appears the battle between malware and computing equipment has reached our portables. How would you rate mobile devices - hardware and software - compared to other form-factors? Porter Felt: Smartphone security is going in the right direction. Smartphone OS designers were able to look back and avoid the problems plaguing desktop software. Consequently, smartphones have tools to protect consumers, like permissions and application-review processes.

And, the successful smartphone technology is now migrating to desktops. The Apple App Store for OS X is a great example. I think future desktop web browsers will also likely incorporate elements from current smartphone platforms.

Final thoughts

The research team invested significant effort cataloging existing mobile malware and predicting what's coming. It seems that bad people are working harder than ever to make digital life difficult.

Kudos to the U.C. of Berkeley research team for a great paper. And a special thanks to Adrienne for helping William and me navigate the minefields.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

24 comments
Michael Kassner
Michael Kassner

"Currently, both malware authors and smartphone users are incentivized to nd root exploits. The homebrew com-munity publishes root exploits to help smartphone owners customize their phones. However, malware can use these same root exploits to circumvent smartphone security mechanisms; indeed, 4 pieces of malware in our data set do this. We consider the impact of the homebrew community and that root exploits are available between 74% and 100% of phones' lifetimes. We recommend that phone manufacturers support smartphone customization so that the homebrew community does not need to seek root exploits."

mymulticast
mymulticast

This is such a great article - some of us are not tech geeks, I am more of a end user & some of us learn through your folks and truly appreciate your view points. thank you

Michael Kassner
Michael Kassner

Unlock all of them was my interpretation of the paper.

wdewey@cityofsalem.net
wdewey@cityofsalem.net

I disagree with the assumption that selling unlocked smart phones would make the mobile ecosystem more secure. Unless they are all unlocked, then I still see there being a segment of highly motivated and talented individuals that will work to find ways to bypass security measures. It may not be as highly publicized as it is now, but that could work as a disadvantage because publicity can also educates users that they should be careful. I have found that an educated user is a smaller security risk than one who is not aware of the risks they are taking. Bill

Gromanon
Gromanon

I simply can't see Android being a reliable ecosystem for business mobile development. I think the development direction that Microsoft is taking with fairly young Windows Phone OS provides much more security and stability. New features that were brought to Mango clearly showed that basic consumer is not the only market Microsoft is targeting, so I am expecting them to bring even more business ready features with next releases. But it remains to see how it all turns out.

Craig_B
Craig_B

Which came first, the thief or the lock? It seems like all technology changes should put security first. Of course when you are trying to be first out of the gate sometimes things slip. As always, thanks for the education Michael.

Michael Kassner
Michael Kassner

New posting Whether you prefer Justice Oliver Wendell Holmes' take or Tom Clancy's, mobile malware is a "clear and present danger".

wdewey@cityofsalem.net
wdewey@cityofsalem.net

That's security through obscurity. If the exploits are there then it's likely someone will find them whether it is the homebrew community or some malware maker. If the homebrew community doesn't find and publish them then people will not be aware that their phone is vulnerable until it's taken over and maybe not even then. Bill

Michael Kassner
Michael Kassner

I learn right along with you. It's the experts like Adrienne and William that do all the heavy lifting.

wdewey@cityofsalem.net
wdewey@cityofsalem.net

So if all phones are unlocked then what structure is in place to keep a phone from being exploited? From what I understand of mobile security, a rooted phone (unlocked) is much easier to compromise because there is nothing to stop a process from modifying system files. Bill

Michael Kassner
Michael Kassner

I have heard several experts say that Android is on a path similar to MS -- trying to be everything to everyone,

Michael Kassner
Michael Kassner

Your insight is always welcome. I always like questions like the one you asked. Life is mysterious.

Edward D
Edward D

... a great eye opener, Michael. Thank you. In the back of my mind, malware seemed capable of attacking mobile devices, but I never pulled the idea out to examine it. The only mobile device that I own is a cell phone, and I use it as if it were a a desk phone in my pocket. Lately, I have begun to appreciate the date and time function, and I do use the self-created phone directory. Partly, I avoid electromagnetic fields, and therefore minimize use of wireless devices. Yes, a shallow existence in this modern age, I know. 8-/ And I work in a company that manufactures RF and microwave test and measurement instruments. Considering the subject matter of your excellent article, why do you think we don't hear more in the news about malware attacks on mobile devices? Thanks again, Ed

AnsuGisalas
AnsuGisalas

Of course, it's not just malware that has trouble; legit apps too... and in the App(le) store, no less: http://justthestork .blogspot .com/2010/11/scam-that-is-smurfs-village.html Link unlinked for your inconvenience (TR won't post a live link to blogspot, it seems)

Michael Kassner
Michael Kassner

Adrienne explained how it would work in her comment.

seanferd
seanferd

It gets the phone unlocked, but by no means is this the best method of producing and unlocked phone. If the phone is not artificially locked down against service provider choice or application choice, there is no reason to use an exploit to give you that choice, and possibly introduce new vulnerabilities in the process. I'll admit that I don't much buy into the security through obscurity idea of "if the user doesn't need to crack it for reasons of choice, less people will find exploits to introduce malware". It might lower the amount of fast-onset community effort to find exploits, but it isn't going to stop the dedicated criminals who are going to look for exploits themselves anyway. A locked phone is locked for commercial reasons of the vendor and service provider. A locked phone is not synonymous with the phrase "locked down" used in a security context. They obviously are not locked down, as they are commonly exploitable.

Michael Kassner
Michael Kassner

It depends on how the user looks at it. And, more importantly, if the user is even aware of what is happening.

Michael Kassner
Michael Kassner

The update process sucks. William and I have been working on this and I wrote about it earlier.

wdewey@cityofsalem.net
wdewey@cityofsalem.net

Adrienne's comment above does not address the community publishing root exploits. Rather it says that you need physical access to use the built in unlock process. Just because there is a built in unlock process does not mean that there are no root exploits and just because root exploits are not published does not mean that they are not being used to take over phones. "Providing incentives" only publicizes what is already there, it doesn't make the phone more secure. Personally what I think needs to happen to protect phones is a better update process. The OS vendor, the phone manufacturer and the cell provider need to develop a better process for pushing out patches. These need to be small specific fixes for vulnerabilities rather than major changes to the phone. Since I have owned my thunderbolt (6 or 7 months) I have only received one update to the phone OS and that was a fairly major update that changed functionality. Let's look at this in a different way. If Microsoft or Apple had an escalation to system (or root) level vulnerability publicly known and unpatched for 3 to 4 months how much of an uproar would that be? Bill

wdewey@cityofsalem.net
wdewey@cityofsalem.net

That clarifies things quite a bit. Sounds reasonable to me! After making changes to the Nexus One is it possible to lock it again? I think having a user definable root password for phones would be a good thing in my opinion. Bill

Adrienne Porter Felt
Adrienne Porter Felt

Hi Bill, Our suggestion is that all phones should come with the *ability* to be unlocked, although not necessarily come unlocked by default. The Nexus One is an example of an "unlockable" phone. By default, it comes locked. However, if you have physical access to the phone, you can enter a certain mode to "unlock" the phone, which gives you access to everything. Once you unlock the phone, you do put yourself at risk of malware that targets unlocked phones. However, remote attackers cannot use the same mechanism to unlock the phone, so only the phones that are untentionally unlocked are put at risk. Also, it is possible to develop a phone where entering "root" mode requires a password, which would make it so that unlocking the phone is less dangerous. Adrienne

wdewey@cityofsalem.net
wdewey@cityofsalem.net

So, maybe I am misunderstanding what unlocked means. I was understanding unlocked to mean that it is possible for the user to make any modifications to the phone that they want (replace file browser, add/remove any application including system applications, upgrade/downgrade OS based on preference). If a user can do these types of changes what keeps an malicious application from making the same changes? If unlocked means a generic android build without the vendor required applications than this is a much different definition that what I pictured. If a "root" application can exploit a vulnerability to gain access then it doesn't matter how many additional vulnerabilities are introduced in the process because the main initial vulnerability is still there. Why would I build a malicious application to use a vulnerability introduced by a root exploit (small percentage of phones) when all phone are vulnerable to the exploit the root kit already compromised? Bill

Michael Kassner
Michael Kassner

It is more a matter of money than exploitation, I fear.