A Study on Architecture of Malicious Code Blocking Scheme with White List in Smartphone Environment*

Kijeong Lee, Randy S. Tolentino, Gil-Cheol Park, and Yong-Tae Kim**

Department of Multimedia Engineering, Hannam University, 133 Ojeong-dong, Daeduk-gu, Daejeon, Korea
[email protected], [email protected], {gcpark,ky7762}@hnu.kr

Abstract. Interest in and demand for mobile communications have grown rapidly with the worldwide spread of smartphones. Feature phones are being replaced by smartphones, and with the explosive growth in the number of Internet users on smartphones and of e-commerce and Internet banking on the device, the protection of personal information has become important. Antivirus products for smartphones have therefore been developed and launched to prevent infection by malicious code and viruses. In this paper we propose a new scheme that protects the smartphone from malicious code and malicious applications, which are the main security threats in the mobile environment, and prevents the information leakage that follows a malicious code infection. The proposed scheme is based on a white list of smartphone applications: only authorized applications may be installed, and the installation of malicious or untrusted mobile applications that could infect the smartphone's applications and programs is blocked.

Keywords: White List, Smart Phone, Mobile Malicious Code.

1 Introduction

Portable mobile devices and the communications infrastructure have evolved, so that the mobile Internet is now available from cell phones, laptops and other portable devices. Smartphones were released in response to the varied needs and demands of mobile users. A smartphone offers various interactive functions, much like a personal computer: it runs a variety of applications with an interactive interface and can access the Internet from a mobile device. Smartphones have had a big impact on the mobile telecommunications market, on the liberalization of the mobile environment and on the advent of open mobile platforms. A smartphone can be defined as a cell phone with more advanced capabilities than an existing feature phone, combining PC functionality with a general-purpose operating system in a mobile device. Its main features are PDA functionality, a QWERTY keyboard and built-in Wi-Fi for connecting to the Internet anytime and anywhere, as long as there is a wireless connection. A smartphone has a higher-performance CPU than a feature phone and therefore offers better multimedia services. Recently, however, the specifications of both feature phones and smartphones have improved so much that it is hard to tell them apart by hardware specifications and features alone.

The feature that really distinguishes a smartphone from a feature phone is openness. A smartphone uses a general-purpose operating system and provides a standardized development environment, so developers can freely develop applications on an open-source OS, and a wide variety of applications and content built on that OS can be shared among ordinary user groups. As a result it is easy to produce large amounts of content: open-source software spreads quickly and makes feature-rich content easy to use. However, this also raises the risk of exposing personal information through security threats such as malicious code or virus infection [1]. If a smartphone is infected with malicious code, personal information and financial transaction data can be exposed or damaged, the infected phone can run up large communication charges that lead to financial loss, and the malicious code can activate and spread within the smartphone OS; such cases are common and increasing. Smartphone and mobile application manufacturers have established measures to prevent malicious code infection, have developed mobile antivirus software and advise users to install it.

In this paper, in view of the rapid spread of smartphones, we propose a white-list-based malicious code blocking scheme that prevents malicious code infection by blocking the installation of malicious applications in the mobile environment. The paper is organized as follows: Chapter 2, Related Work (trends in smartphones, their security threats and reputation-based security); Chapter 3, the proposed Malicious Code Blocking Scheme in the Smartphone Environment; Chapter 4, System Architecture of the Proposed Scheme; and Chapter 5, Conclusion.

* This work was supported by the Security Engineering Research Center, granted by the Korea Ministry of Knowledge Economy.
** Corresponding author.

T.-h. Kim et al. (Eds.): FGCN 2010, Part I, CCIS 119, pp. 155–163, 2010. © Springer-Verlag Berlin Heidelberg 2010

2 Related Work

2.1 Trend of Smartphone

According to Gartner, an overseas professional market research organization, the share of open-platform-based smartphones in the market will grow from 12.9% in 2008 to 26.5% by 2010 [2]. Smartphones currently hold a smaller share of the market than conventional mobile phones, but analysts see very high growth potential. Furthermore, the smartphone market has opened up new value-added business, because the market for the operating systems (platforms) mounted on smartphones keeps growing. Smartphones provide various benefits to users, service providers and manufacturers, summarized in Table 1 [3]. The operating systems of mobile devices can be divided into GPOS (general-purpose OS) and RTOS (real-time OS). A GPOS is the operating system typically mounted on a smartphone; it is designed to meet a variety of goals, including protection between users and applications, fast response time for interactive applications, high throughput for batch and server applications, and high overall resource utilization.

A Study on Architecture of Malicious Code Blocking Scheme

157

Table 1. Benefits and features of smartphones for users, service providers and manufacturers

Classification        Features
Users                 • Mobile device can support mobile wireless Internet, multimedia and multitasking
                      • Requirements for various applications, services and downloads are increasing
                      • Excellent integration capabilities with other devices
Service Providers     • Shorten the time to launch new services
                      • Reduce test cost
                      • Reduce development costs by using a platform and then recycling software
Manufacturers         • Easy to secure applications through 3rd parties, which increases the value of the mobile device
                      • Easy to apply and spread the manufacturer's own services

An RTOS is an operating system intended for real-time applications; it serves application requests in near real time and gives programmers more control over process priorities, so that an application's priority may exceed that of a system process. Real-time operating systems minimize the critical sections of system code, so that an application can be interrupted almost immediately. Several RTOS middleware layers are offered for a wide variety of mobile handsets, such as the Java VM, BREW, WIPI, Mocha, Infineon and so on. CDMA handsets use REX (Real-Time Executive) as the default operating system, and GSM handsets use Nucleus and Kadak. With the growing variety of mobile application functions and the improvement in hardware performance, the RTOS has reached its limit for processing multimedia in the mobile environment. Therefore, with the advent of smartphones, the mobile operating system keeps a PC-class operating system structure while being optimized for mobile communications.

As mobile devices developed from feature phones to smartphones, the development of mobile platforms accelerated: Microsoft Windows Mobile, Apple iPhone and Google Android were commercialized and mounted on mobile devices, thanks to their higher performance and multitasking support compared with existing feature phones. The development environment changed from a closed structure, in which the manufacturer develops its own applications, to an open one in which users or developers can develop applications in a standardized environment. In particular, mobile platform vendors such as Apple and Google are committed to a positive cycle in which their own mobile operating systems and open markets induce many users to use and develop applications.
2.2 Security Threats in Smartphone Environment

Mobile devices are exposed to a variety of security threats, and security technology for mobile devices is continuously developing. However, with the development of network-based services on mobile devices, the security threats to smartphones from malicious code are also constantly growing [4]. Figure 1 illustrates the types of security threat to smartphones and classifies the various attacks that can be mounted on a mobile device such as a smartphone by their methods and goals. These attacks aim at information disclosure, device failure and monetary damage. The market entry of various smartphone operating systems accelerates the open-source-based mobile environment: many smartphones with different operating systems have been released or soon will be, so damage from mobile malicious code is expected to materialize. Mobile malicious code has mainly targeted smartphones running the Symbian platform, because demand for Symbian has historically been high and information about it is easy to obtain. Recently, however, as the Windows Mobile, iPhone, BlackBerry and Android phone markets expand, hackers have shifted their interest to targeting and analyzing these platforms.

Fig. 1. Type of Mobile Device Attack

Fig. 2. Distribution of Malicious Code

Figure 2 shows the distribution of specific mobile malicious code by platform. About 97% of the malicious code was found on the old Symbian versions (7.x, 8.x) and 3% on the new version (9.x). Mobile malicious code is growing rapidly in scale with the growth of mobile devices and is becoming a wide variety of threats. The reasons for the increase are: the growth of open-source-platform mobile devices, whose environment is prone to malicious code, and the increasing use of open communication methods in W-CDMA and CDMA-2000 handsets (Bluetooth, Wi-Fi, USB, etc.), which leave external communications open to access and easy for malicious code to attack. In previous years mobile malicious code could only suspend the operating functions of the device; it now also discloses personal information and seeks monetary gain. So far, mobile malicious code can be divided into four kinds by its primary activity.

1) Malfunctioning of the mobile device caused by malicious code. This type of attack makes the device malfunction by suspending its operation. A trojan horse called "Skulls" was discovered in November 2004. Once downloaded, it replaces all the phone's desktop icons with images of a skull and renders all phone applications, including SMS and MMS, useless. Another example is "Locknut", discovered in February 2005: a malicious SIS file trojan that pretends to be a patch for Symbian S60 phones. When installed, it drops a binary that crashes a critical system service component, which prevents any application from being launched on the phone. In addition, Gavno is a trojan horse that removes critical data from the Symbian OS.

2) Consuming battery power caused by malicious code. This type of attack continually consumes battery power and drains the device's battery. One example is Cabir (also known as EPOC.cabir and Symbian/Cabir), discovered in June 2004, a worm that spreads over Bluetooth to nearby discoverable devices. This kind of malicious code is considered relatively harmless, because it replicates but performs no other activity, but it drains the battery of portable devices through constant scanning for other Bluetooth-enabled devices.
3) Cross-platform malicious code. This type of attack infects a PC through a mobile device. Cardtrap, discovered in September 2005, was the first cross-platform malicious code. It installs Windows malware on the phone's memory card, and if the user inserts the infected memory card into a PC, it tries to infect the PC through autorun. After infection it deletes data or degrades the performance of the mobile device. This is a new type of malicious code in that the mobile device infects the PC, rather than the PC infecting the mobile device.

4) Information disclosure malicious code. This type of attack leaks information from the infected device or about its user. Infojack, a trojan discovered in March 2008, installs unsolicited files and steals the user's personal information; it also removes the alert about installing unsigned applications, leaving the door open to other infections. The trojan changes the phone's security settings to their lowest level, so any malware can be installed without the user noticing. FlexiSPY and PBStealer are other examples of personal information disclosure malicious code. FlexiSPY is commercial spyware that can send phone records and the content of text messages to a web server.


2.3 Reputation Based Security System

In the past, the purpose of reputation-based technologies and services was to characterize a product or program from user evaluations [5]. Today, reputation-based technology is being introduced to deal with malicious code that has not yet been acquired or analyzed. Reputation-based products have attracted attention as a core of smartphone security, and Symantec, Kaspersky and AhnLab all feature them in their 2010 products. In a single year a large number of malicious code variants are discovered, and a quick response is needed: samples must be collected and analyzed, and a response engine developed and distributed quickly, in order to stop or prevent the damage that infection and spread of malicious code can cause. Each security vendor collects samples, complaints and concerns from its customers by encouraging them to join a network community. In the past, malicious code crashed or slowed the computer, but current malicious code infiltrates secretly and carries out its purpose without the user noticing. Previously, users could spot the symptoms on their PC, identify the files to delete and report suspicious files while resolving the problem, and because networks were not interconnected, propagation was slow. Now there are no symptoms of infection and the malicious code is encrypted, so users have difficulty discovering and reporting it; moreover, malicious code compromises popular web servers and spreads around the world quickly. The only solution is to collect data automatically and quickly, then analyze whether it is malicious or not; the collected data is then used to protect personal information.
Currently, malicious code is shifting from targeting an unspecified mass of users to targeting specific groups, so fast acquisition, processing and deployment are no longer enough. Before the malicious code is discovered it is difficult to protect the small number of victims who are targeted specifically, and if only a small, limited set of users is attacked, they may fall outside the automatic collection altogether. Reputation-based technology emerged to handle such malicious code that has been neither collected nor analyzed. A reputation-based system checks whether a program is harmful or safe when it runs. If the application is not known to be safe, the system receives information from the server: when the application was first discovered, and how many users and what kind of users have run it. This is presented to the current user, who decides whether to run the application. Previously the system showed a message forcing the user to allow or block a suspicious application at installation, but it is very hard for a user to choose from the description in a message box alone. The new reputation-based technology shows a warning message at several points compared to the old scheme and, instead of a technical description, shows an easy one such as "The application to install/download/run has not yet been analyzed; please block it until analysis is finished", and lets the user run or block the application. Analysis of malicious code currently takes from a few minutes to a couple of days, so a new application cannot be installed until its analysis is finished; if a user wants a new but unpopular application, the user can request that it be analyzed. Popular applications, such as OS updates, can be used without waiting, through the white list DB. Only white-list-based software need be installed, and only verified and authorized applications are run. As a result, infection by unauthorized or unverified malicious code and targeted attacks can be prevented.

3 White List Based Malicious Code Blocking Scheme

Existing schemes aim to stop the spread of malicious code infection and to detect smartphone malicious code with a vaccine (antivirus) after the device is already infected. The scheme proposed in this paper blocks the malicious code before it can infect, through a white-list-based algorithm that blocks the download and installation of malicious applications. The goal of this paper is to design and implement the algorithm in an actual mobile application, build a database server that serves the white list, and eventually offer a commercial service. Preventing smartphone infection by malicious code therefore needs a method that blocks the installation of malicious applications: build the white list DB, develop the client application and build the white list server.

Fig. 3. System Configuration

4 System Architecture

4.1 System Architecture

The white-list-based malicious application blocking scheme prevents infection by looking up the white list database before download and blocking the installation of any mobile application that may contain malicious code. Figure 4 shows the system architecture of the proposed scheme.


Fig. 4. System Architecture

Smartphone users download an application by connecting to a PC or accessing an app store and then running the installer. At that point the smartphone sends information about the application it is about to download or install to the white list server. The white list server compares the application information received from the smartphone with the application information stored in its white list DB, including data from reputation-based services. If the application received from the smartphone is present in the white list DB, the server sends a "Clear" message to the smartphone. If it is not present, the server sends a "Block" message, meaning that the application may not be downloaded. On receiving the server's reply, the smartphone downloads or installs the application immediately if it is verified. If the reply says the application has not yet been verified, the system shows the user the message "You can't download and install this application until the verification is finished." The white list database is built for each new application registered in the app store from the collected reputation information about the application and from malicious code analysis. The white list server operates this database and answers the smartphone's query by comparing it with the stored data. The smartphone application will be developed for the open-source Google Android OS environment.
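The query exchange described above, together with the reputation decision of Section 2.3 (verified, or not yet analyzed and therefore blocked until analysis finishes), as an added example that is not code from the paper or from its authors' system. The paper specifies only that application information is sent to the white list server, compared with the white list DB and answered with "Clear" or "Block"; the JSON message format, the field, class and function names, the use of a SHA-256 hash of the installer as the application fingerprint, and the sample records are all assumptions made here for illustration.

```python
# Added example (not from the paper): a minimal model of the white list
# query protocol of Section 4 and the reputation decision of Section 2.3.
# Assumptions for illustration: JSON messages, the field and class names,
# SHA-256 of the installer as the application fingerprint, and the sample
# records (all constructed here, not real applications).
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Tuple

# Reply strings as the paper describes them.
CLEAR = "Clear"
BLOCK = "Block"


@dataclass(frozen=True)
class AppInfo:
    """What the smartphone knows about the package it is about to install."""
    package: str
    version: str
    apk_bytes: bytes

    def fingerprint(self) -> str:
        # Bind the white list entry to the installer contents, not only to
        # the package name: a repackaged trojan reusing a trusted name then
        # fails the lookup. (Assumption: SHA-256 of the installer file.)
        return hashlib.sha256(self.apk_bytes).hexdigest()


@dataclass
class ReputationRecord:
    """Reputation data the paper says the server keeps per application."""
    first_seen: str
    user_count: int
    verdict: str  # "verified" or "pending" (analysis not finished)


class WhiteListServer:
    """White list DB keyed by (package, fingerprint); answers Clear or Block."""

    def __init__(self) -> None:
        self._db: Dict[Tuple[str, str], ReputationRecord] = {}

    def register(self, app: AppInfo, record: ReputationRecord) -> None:
        self._db[(app.package, app.fingerprint())] = record

    def handle(self, request_json: str) -> str:
        """Server side: look the query up and return the JSON reply."""
        req = json.loads(request_json)
        record = self._db.get((req["package"], req["fingerprint"]))
        if record is None:
            reply = {"decision": BLOCK, "reason": "not in white list"}
        elif record.verdict == "verified":
            reply = {"decision": CLEAR, "reason": "verified",
                     "first_seen": record.first_seen,
                     "user_count": record.user_count}
        else:
            reply = {"decision": BLOCK, "reason": "analysis pending",
                     "first_seen": record.first_seen,
                     "user_count": record.user_count}
        return json.dumps(reply)


def install_request(server: WhiteListServer, app: AppInfo) -> Tuple[str, str]:
    """Client side: query before download/install; return (decision, message)."""
    request = json.dumps({"package": app.package, "version": app.version,
                          "fingerprint": app.fingerprint()})
    reply = json.loads(server.handle(request))
    if reply["decision"] == CLEAR:
        return CLEAR, "%s %s is verified; installing." % (app.package, app.version)
    if reply["reason"] == "analysis pending":
        return BLOCK, ("You can't download and install this application until "
                       "the verification is finished (first seen %s, %d users so far)."
                       % (reply["first_seen"], reply["user_count"]))
    return BLOCK, "%s %s is not in the white list; blocked." % (app.package, app.version)


# Constructed sample data: one verified application, one still under analysis.
GENUINE_BANK = AppInfo("com.example.bank", "1.0", b"constructed installer: bank 1.0")
NEW_GAME = AppInfo("com.example.game", "0.9", b"constructed installer: game 0.9")


def build_demo_server() -> WhiteListServer:
    server = WhiteListServer()
    server.register(GENUINE_BANK, ReputationRecord("2010-03-01", 120000, "verified"))
    server.register(NEW_GAME, ReputationRecord("2010-09-28", 12, "pending"))
    return server


if __name__ == "__main__":
    srv = build_demo_server()
    # Same package name and version as the genuine app, different contents.
    repackaged = AppInfo("com.example.bank", "1.0",
                         b"constructed installer: bank 1.0 + trojan")
    for candidate in (GENUINE_BANK, repackaged, NEW_GAME):
        print(install_request(srv, candidate))
```

Keying the white list on the installer hash rather than on the package name is the check a practitioner would want here: a repackaged trojan that reuses a trusted name (the Locknut pattern of posing as a legitimate patch) then fails the lookup and is blocked, while the genuine package with the same name is cleared. In a deployment the reply itself must also be protected, for example by TLS or a signed response, since an attacker who can forge a "Clear" message on the path between phone and server defeats the scheme.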


5 Conclusion

In this paper we proposed a white list architecture, built on reputation-based services, with a malicious code blocking scheme and algorithm for information security on the smartphone, which is at the core of mobile communication. The existing scheme for smartphone security is used only to prevent the spread of infection after the first cases of infection by a piece of malicious code have been analyzed. The malicious code blocking scheme proposed in this paper does not aim to stop the spread of malicious code but to block the infection itself, using the data and information collected by reputation-based services. With this scheme we can prevent malicious code infection, which is the most important security issue in today's smartphone environment. In future research we plan to extend the functions and capabilities of this application to various smartphone OS environments.

References

1. Hypponen, M.: Malware Goes Mobile. Technical Report, INC (2006)
2. Gartner: Worldwide Smartphone Sales to End Users in 2Q2009 (2009)
3. Kim, K.Y., Kang, D.H.: Smart Phone Security Technology in Opened Mobile Environment. Korea Institute of Information Security & Cryptology 19(5) (2009)
4. Mulliner, C.: Security of Smart Phones. Master Thesis (2006)
5. AhnLab, http://www.ahnlab.com/kr/site/securitycenter/securitycenterMain.do
