After reading the paper, I emailed William, telling him about the paper. I was hoping he'd feel the same about it. A return email said he did. He also sent me two questions, plus explicit instructions -- make sure Adrienne gets them. The guy knows me, I was already pulling a list of questions together.
Classify mobile malware
I almost got ahead of myself. The research team grouped all mobile threats into three classifications. How they did it is a bit different, so it might be best to look at the breakdown before getting to the questions:
Malware: Gains access to a device for the purpose of stealing data, damaging the device, or annoying the user, etc. The attacker defrauds the user into installing the malicious application or gains unauthorized remote access by taking advantage of a device vulnerability. Malware provides no legal notice to the affected user.
This threat includes Trojans, worms, botnets, and viruses. Malware is illegal in many countries, including the United States, and the distribution of it may be punishable by jail time.
Personal Spyware: Collects personal information such as location or text message history over a period of time. With personal spyware, the attacker has physical access to the device and installs the software without the user's knowledge.
Personal spyware sends the victim's information to the person who installed the application onto the victim's device, rather than to the author of the application. For example, a person might install personal spyware onto a spouse's phone. It is legal to sell personal spyware in the U.S. because it does not defraud the purchaser (i.e., the attacker).
Personal spyware is honest about its purpose to the person who purchases and installs the application. However, it may be illegal to install personal spyware on another person's smartphone without his or her authorization.
Grayware: Legitimate applications collect user data for the purpose of marketing or user profiling. Grayware spies on users, but the companies that distribute grayware do not aim to harm users. Pieces of grayware provide real functionality and value to the users.
Even when the activity of grayware is legal, users may object to the data collection if they discover it. Application markets may choose to remove or allow grayware when detected on a case-by-case basis.
Questions
Kassner: William and I discussed how the paper classified mobile malware. We could not agree as to why it was done this way. Being older and wiser, I suggested that we let Adrienne explain.
Porter Felt: We chose these three classifications because each requires a different defense:
- Malware can be fought with anti-virus software, marketplace security reviews, and permissions.
- The FTC can deter grayware by using legal means to pursue legitimate companies that are performing actions without sufficient consumer consent.
- With personal spyware, the underlying problem is that the "attacker" has physical access to the phone, so the best defenses are to lock your screen and keep the phone physically safe.
We focused on malware because that threat category can be approached from a purely technical perspective, which is our area of expertise.
Kassner: I wanted to mention that Adrienne helped William and me when we needed malware samples for my article, "Android security apps playing catch-up to malcode". That's when I learned about the research team's collection of mobile malware.
I figured the researchers reverse-engineered the samples, and that was it. But, they were doing more. For example, they classified the captured malware samples according to behavior:
- Exfiltrates user information: 28
- Premium calls or SMS: 24
- Sends SMS advertisement spam: 8
- Novelty and amusement: 6
- Exfiltrates user credentials: 4
- Search engine optimization: 1
- Ransom: 1
William and I thought "exfiltrates user credentials" would have ranked higher, much higher. Curious now, I asked Adrienne if the results were what they expected.
Porter Felt: We had expected to see more phishing attacks. I think we'll see more in the future. We compiled that data set over the summer (2011), and since then I've become aware of at least one new piece of malware that exfiltrates user credentials - a Netflix phishing app.
I also suspect that there's more SEO malware than we were able to discover, but it goes unreported because it does not directly harm the consumer.
Kassner: I reread the section describing the benefits from selling exfiltrated user information. It seems money speaks:
"Legitimate applications with advertising libraries can expect to earn between $1.90 and $9.50 per user per month, which includes both the value of collecting user location data and displaying advertisements."
Per month? Is this why both good-intentioned and bad-intentioned developers are more inclined to create free apps and include advertising? They get a monthly return instead of a one-time payment.
Porter Felt: More precisely, legitimate applications can expect to earn that much per month of use. If a developer can write an application that people will keep using, then the developer will make more money with ads than an up-front charge.
On the other hand, most applications go unused after the first day or two. So, legitimate developers have to bet on how "sticky" (i.e., addictive) their applications will be. Malicious applications, however, can use unfair tactics, loading even when the user doesn't want the application.
Kassner: I also noticed "novelty and amusement" ranked higher on the list than my choice. I mentioned my bewilderment to Adrienne.
Porter Felt: When some people see wet concrete, they carve their initials into it. It's the same thing with new computer systems; certain people can't resist the temptation to exploit obvious weaknesses, just for the fun of it.
Kassner: The paper put a lot of onus on the application stores, being the main repositories for apps. Do you feel it is their responsibility to make sure all apps are free of malware?
Porter Felt: Apple's review process seems to be highly effective at either deterring or finding malware. However, I don't think it's the long-term solution to smartphone malware. I'm not sure how well their review process can scale to tens of millions of applications. Basically, I think the review process works well right now, but we need other approaches.
Francis: There's a lot of time spent describing the concept of mobile markets for downloading apps, as well as the review processes the various marketplaces do (or don't) enforce.
I didn't find any number in terms of how many of the Android malware apps examined actually made it to the official market, and how long those threats were present before they were pulled. I think that would be an extremely interesting data point, because I suspect only loading apps from an official market, even one that is un-policed like Android, dramatically decreases your window of vulnerability.
Porter Felt: I agree completely. Only four pieces of malware in our data set made it into the official Android Market. Furthermore, the Android security team removed them immediately upon learning about them. Yet, the malware still remains in unofficial markets.
Unfortunately, I do not know the exact amount of time each malware was in Android Market before being removed.
Kassner: Both William and I were impressed. The paper required lateral thought. For example, the team's prediction of what future mobile malware could look like:
- Advertising click fraud
- Invasive advertising
- In-application billing fraud
- E-mail spam
- Distributed denial-of-service
- Near-field communication and credit cards
Two predictions stand out - one, in an odd way, creative; and one, downright scary. First, would you explain how "in-application billing fraud" works? Next, why are governments of concern?
Porter Felt: There are a few ways for in-application billing fraud to happen. One is phishing. A user might try to purchase an item and then see a fraudulent "verify your password" screen. Another potential attack vector is the application that handles the billing (i.e., the App Store). It might have vulnerabilities that an application could exploit to trick it into thinking the user agreed to a purchase.
With respect to the governmental threat model, some governments are willing to censor and monitor their citizens. For example, the UAE government got an ISP to push a "fake update" to Blackberry phones that copied citizens' e-mails.
Kassner: The paper mentions that both malware creators and smartphone owners want to "jailbreak" smart mobile devices. Bad guys need to sidestep security and owners want to customize their phones.
To prove their assertion, the team created the following table and timeline from collected data:
The findings suggest jailbreaking is inevitable. And, jailbreaking exploits are available shortly after the release of a phone or new firmware.
Even the mighty Apple iOS4 succumbs. Two days after it was released, jailbreaking how-to's were all over the Internet.
I mentioned earlier that I was impressed with the avant-garde conclusions. One such denouement is their idea on how to eliminate jailbreaking. I'll let Adrienne explain.
Porter Felt: Currently, smartphone manufacturers and network providers are indirectly (and accidentally) aiding malware authors by selling "locked" phones. There's strong demand among certain segments of the market for unlocked phones, so expert users are motivated to find exploits.
We think manufacturers and network providers should sell phones that can be easily unlocked by their owners -- without using exploits. This would remove the incentive for tech-savvy individuals to find and publish exploits.
Francis: There is much discussion about root exploits, particularly those involving Android devices. I'd be curious to know if, besides the unlocked boot loader, you were pro/con or indifferent on the subject of open source and its effect on mobile security.
Porter Felt: As far as I am aware, none of the Android privilege escalation vulnerabilities come from the Android Open Source Project. Security experts can find vulnerabilities in software whether it's open source or not. Lack of source code isn't a challenge for an experienced hacker. As mentioned earlier, iOS versions are typically broken within days of release, just like Android versions.
Kassner: It appears the battle between malware and computing equipment has reached our portables. How would you rate mobile devices - hardware and software - compared to other form factors?
Porter Felt: Smartphone security is going in the right direction. Smartphone OS designers were able to look back and avoid the problems plaguing desktop software. Consequently, smartphones have tools to protect consumers, like permissions and application-review processes.
And, the successful smartphone technology is now migrating to desktops. The Apple App Store for OS X is a great example. I think future desktop web browsers will also likely incorporate elements from current smartphone platforms.
The research team invested significant effort cataloging existing mobile malware and predicting what's coming. It seems that bad people are working harder than ever to make digital life difficult.
Kudos to the U.C. Berkeley research team for a great paper. And a special thanks to Adrienne for helping William and me navigate the minefields.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.