2014 IEEE 5th Control and System Graduate Research Colloquium, Aug. 11 - 12, UiTM, Shah Alam, Malaysia
Mobile Botnet Detection: Proof of Concept
Zubaile Abdullah (1,2), Madihah Mohd Saudi (2), Nor Badrul Anuar (3)
(1) Faculty of Computer Science & Information Technology, Universiti Tun Hussein Onn Malaysia (UTHM), Johor, Malaysia
(2) Faculty of Science & Technology, Universiti Sains Islam Malaysia (USIM), Negeri Sembilan, Malaysia
(3) Faculty of Computer Science & Information Technology, Universiti Malaya, Kuala Lumpur, Malaysia
Abstract—Nowadays mobile devices such as smartphones are widely used. People use smartphones not only for phone calls or sending messages but also for web browsing, social networking and online banking transactions. To a certain extent, all confidential information is kept in their smartphone. As a result, smartphones have become one of the main targets of cyber-criminals, especially through the installation of a mobile botnet. Eurograbber is an example of a mobile botnet that is installed via an infected mobile application without the victim's knowledge. It pretends to be mobile banking application software and steals financial transaction information from the victim's smartphone. In 2012, Eurograbber caused an accumulated loss of USD 47 million all over the world. The implications posed by this botnet are the motivation for this research. This paper presents a proof of concept of how the botnet works and the ongoing research to detect and respond to mobile botnets efficiently. Detection of botnet malicious activity is done through an analysis of Crusewind botnet code using a reverse engineering process and a static analysis technique.

Index Terms—smartphones, mobile botnet, static analysis, reverse engineering, innate immune system.

I. INTRODUCTION

Mobile devices, for example smartphones, have experienced great population growth over the last few years for personal and business use [1], [2]. Nowadays, people use mobile devices not only for phone calls or sending messages but also for web browsing, social networking and online banking transactions. To a certain extent, all confidential information, for example bank account numbers, usernames and passwords for online banking, credit card numbers, and memorable and private pictures, is kept in their smartphone. As a result of their popularity and functionality, mobile devices are now an ideal target for cyber-criminals.

The attacks and threats on mobile devices come in various forms, such as viruses, trojans, worms and mobile botnets [3]. However, mobile botnets are more dangerous as they pose serious threats to mobile devices and mobile networks [4], [5]. In their research, [4] defined a mobile botnet as a set of mobile devices that are infected by specific malware or software without the user's consent or knowledge. These infected devices communicate with each other using a command and control (C&C) mechanism and are controlled by an attacker called a botmaster. The infected mobile devices can then be used by the botmaster to carry out cyber-crimes or cyber-attacks, such as sending spam messages, interruption, denial of service (DoS) and collecting sensitive information which can be exploited for illegal purposes. Figure 1 shows the basic mobile botnet architecture.

Fig. 1. Mobile Botnet Architecture

In recent years, attacks and threats of mobile malware and mobile botnets have been on the rise. A survey conducted by F-Secure [6] stated that the number of mobile malware threat families rose 26 percent from the second to the third quarter of 2013 compared with the same period in the previous year. As shown in Fig. 2, there were 259 new threats in the third quarter of 2013 compared to the third quarter of 2012. One remarkable mobile botnet attack came from a Zitmo botnet variant named Eurograbber, which attacked Android, Symbian, Windows and Blackberry smartphones in 2012. Eurograbber was responsible for more than $47 million in losses from fraudulent transfers out of victims' bank accounts [7]. The implications posed by this botnet are the motivation for this research. This paper presents a proof of concept of how to detect a mobile application that is infected with a botnet, specifically on the Android platform. Detection of the botnet is done through an analysis of ambiguous code using a reverse engineering process and a static analysis technique on the mobile application.

Fig. 2. New Mobile Threat Families and Variants

The survey also found that one in every five malware threats is a mobile botnet threat, as shown in Fig. 3.

Fig. 3. Types of Mobile Threats

This paper is organized as follows. Section 2 reviews related works by other researchers. Section 3 explains the methodology used in this research, which consists of a reverse engineering process and a static analysis technique. Section 4 presents the results and discussion, which consist of a proof of concept of mobile botnet detection. Section 5 concludes the findings and summarizes the challenges and future work of this research paper.

978-1-4799-5692-0/14/$31.00 ©2014 IEEE

II. RELATED WORKS

The main purpose of a detection and response technique is to detect the presence of a malicious entity in a mobile application which, if found, can be cleaned, quarantined, blocked or deleted. Several detection techniques for mobile applications have been attempted by [8]–[13]. Although these studies focused on mobile malware detection, they are also applicable as a basis for the development of mobile botnet detection techniques. The two common techniques used for mobile malware detection are static analysis and dynamic analysis.

A. Static Analysis

In static analysis, an application is analyzed without executing it. Static analysis can be employed directly on the source code of the application or on the corresponding binary file, using reverse engineering techniques to extract certain features or methods that might be invoked from the source code. In Android applications, features and methods can also be analyzed from the manifest file. The extracted features or methods can be used not only to detect malicious payloads but also to profile and weigh malware threats [14]. On the other hand, [15] listed the features and methods that are usually extracted from application source code: requested permissions, imported packages, API calls, instructions or operation codes (opcodes), data flow and control flow. Details of researchers that have used these features and methods are discussed in Section 2.4.

Static analysis is simple and efficient in providing fast detection and classification of known mobile malware; however, its drawback is that it is unable to detect unknown or mutated mobile malware because of the obfuscation and encryption techniques employed by mobile malware writers. To overcome this limitation, dynamic analysis is used to detect mobile malware.

B. Dynamic Analysis

In contrast to static analysis, dynamic analysis does not inspect the source code; instead, the application sample is analyzed while it is executed within a controlled environment. In current studies, the behavior of the application can be monitored through logged behavior sequences, system calls and dynamic tainting, data flow and control flow [16]. By monitoring and logging every relevant operation of the execution, a report is generated for detection analysis.

C. Related Studies of Mobile Malware Detection and Response Techniques

Malware has been a threat to computers for many years and continues to cause damage to infected systems. The first attempts to identify and analyze malware on mobile devices such as smartphones started by adapting existing PC security solutions and applying them to smartphones. This was not a feasible solution in light of the high demand placed on resources by anti-virus techniques and the power and memory constraints of mobile devices. Since mobile malware detection and response have already been the subject of extensive research, this paper instead reviews the studies of mobile malware detection and response techniques that form the foundation of this research. Further, it should be noted that this paper only considers mobile malware detection and response for the Android platform.
Schmidt is one of the first researchers who studied and proposed malware detection on mobile devices, specifically Android smartphones [17]. Their system extracts function calls from the binaries of applications and applies their clustering mechanism, called Centroid, to detect unknown malware. This is done by performing static analysis of Linux ELF (Executable and Linking Format) object files in the Android environment using the readelf command. Those files hold information such as function calls and modified files. The function calls are then compared with malware executables to classify them with a Decision Tree Learner (DTL), the Nearest Neighbor (NN) algorithm and a Rule Inducer (RI). The authors claimed that their technique shows 96% detection accuracy with 10% false positives. The main drawback of their system is that they used a small collection of malware samples. These malware samples were coded by the authors themselves and do not represent real mobile malware in the Android market. In addition, at that time there were still no real Android devices available, so they could not test their system properly.

While the above studies chose to analyze the application either statically or dynamically, [11] proposed a hybrid method called AASandbox. AASandbox uses both static and dynamic analysis approaches. The static analysis runs by decompressing the apk file, converting its class files into Java source code, searching for suspicious patterns and marking them as benign or malicious. During the application execution in the Android Emulator, AASandbox counts the number of all system calls to detect malicious behaviours. However, the data obtained by AASandbox is very diverse, causing low detection accuracy [20]. In addition, they also used ADB Monkey in the dynamic analysis simulation.

In the same year, [9] proposed another static analysis, named Kirin, which scans the application for matching malicious patterns. They defined various potentially dangerous permission combinations as rules to block the installation of potentially unsafe applications. However, Kirin is more of a vulnerability assessment of applications than a mobile malware detector.

Another hybrid solution was proposed by [16], named DroidRanger. DroidRanger uses both static and dynamic analysis techniques to develop behavior profiles for scalable mobile malware detection, scanning large numbers of third-party Android applications for malicious behavior. DroidRanger implements a combination of permission-based behavioral footprinting to detect samples of already known malware families and a heuristic-based filtering scheme to detect unknown malicious families. In their dynamic part they use a kernel module to log only the system calls used by known Android exploits or malware; however, these authors only monitor those system calls used by existing root exploits with root privilege, and hence new malware which avoids calling such system calls with root permissions may avoid being detected. On the other hand, the detection heuristics used by the authors present a high false negative rate, ranging from 5.04% to 23.52% [21].

Static analysis was also used by [15], who proposed an Android malware detection tool named DroidMat. DroidMat detects malware through the manifest file and traces of API calls. They demonstrated that this tool is capable of finding more Android malware than another Android detection tool, AndroGuard. However, with a single sample of Android malware, DroidMat cannot predict and learn the behaviour of new malware. Moreover, there are two malware families (BaseBridge and DroidKungFu) which use an update attack technique that is not detected by DroidMat [18].

In 2010, [19] proposed a malware detection that monitors various features and events obtained from the mobile device while executing the application. They then applied machine learning anomaly detectors to classify the collected data as normal for benign or abnormal for malicious. The features they considered include CPU consumption, number of packets sent through the WiFi, number of running processes, keyboard or touch-screen presses and application start-up. To validate their models, they selected features using three selection methods: Information Gain, Fisher Score and Chi-Square. Their approach achieved 92% accuracy; however, two drawbacks of their system are not using real malware samples and the use of an application that simulates user interaction, known as ADB Monkey, which is not a real user.

On the other hand, [12] presented another approach for dynamically analyzing the behavior of Android applications. They used a crowd-sourcing system named CrowDroid to obtain traces of the application's behavior, such as system calls. CrowDroid collects all the system calls used by a set of users during runtime. It adopts the K-means clustering algorithm to classify the collected data into two groups, the benign group and the malicious group, which can be used to identify the specific user who is running the malicious repackaged application. CrowDroid needs a set of users to execute the same original application and the same corresponding malicious applications. Although their experimental result indicated a 100% detection rate, the drawback is that they used a small-scale malicious dataset as the training set. Furthermore, the evaluation was also carried out using a self-implemented set of malware samples instead of malware from the wild.

Each of these works has its own strengths and gaps that can be further improved. It is noticeable that most works focus on general mobile malware detection, although mobile botnets are the most dangerous mobile malware [4], [22]. This is one of the motivations for this research. Another point is that a study [23] revealed that of the 1260 mobile malware samples they analyzed, 93% exhibit mobile botnet behavior, which makes studies on mobile botnet detection a must.
This research conceptually has some similarities with [15], which used static analysis of the manifest file and tracing of API calls. The extension is that this research also employs dynamic analysis to counter obfuscated and encrypted application source code. Since the means for collection and run-time analysis of mobile botnets by itself is not sufficient to lessen the threat posed by novel mobile botnets, this research also adopts knowledge discovery (KDD) and data mining techniques. From the response perspective, which was not applied by previous researchers, this research adopts the Innate Immune System. A summary and comparison of this research with related studies is presented in Table 1.
D. Innate Immune System for Mobile Botnet Detection and Response

Humans live in an environment where their bodies are constantly being attacked by intruders such as viruses, bacteria and other organisms [24]. Humans, however, do not need to download any security patches since their bodies have adapted to living in such a harsh environment with the help of the Human Immunology System (HIS). This human advantage is now being adopted by many researchers to develop computer Artificial Immune Systems (AIS). AIS, which mimic the behavior of the HIS, are used in many antivirus software products to neutralize or destroy infected files and applications. Somayaji et al. [25] provided various possible architectures of AIS for computer security, while [26], on the other hand, provides a good review of the AIS field.

Based on the literature reviewed, the Innate Immune System (IIS) is seen as one of the specialisms in human immunology that can be further explored and integrated into this research, particularly in the detection of and response to mobile botnet infection. The term innate immune system [27] refers to the fast-acting, non-specific immunological actions of the human body that recognize an infection and attempt to clear it from the human. The innate immune system can be thought of as the human front line of defense against pathogens. One example of the use of innate immunization is in [28], to detect and respond to computer malware. This paper, on the other hand, uses IIS in a mobile botnet detection and response system.

TABLE 1. RELATED WORKS OF MALWARE DETECTION ON ANDROID

III. METHODOLOGY

The reverse engineering of mobile botnet code is done in a controlled lab environment as shown in Fig. 4. The mobile application dataset infected with mobile botnets is downloaded from the Android Malware Genome Project by Zhou and Jiang [1].

Fig. 4. Mobile Botnet Controlled Lab Architecture

Almost 80% of the software used in this testing is open source and available free of charge. Dex2jar, which can be downloaded via https://code.google.com/p/dex2jar/downloads/list, is a tool for reverse engineering Android applications. It can decode an Android application to nearly its original form. After decoding, software named JD-GUI, which can be downloaded via https://code.google.com/p/innlab/downloads/detail?name=jdgui-0.3.3.windows.zip&, is used to view the reverse engineered code, and thus the researcher can find the ambiguous or malicious code.
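The static analysis step this paper performs by hand in JD-GUI (inspecting the recovered code for the manifest permissions and API calls behind the reported payloads: remote XML configuration download, premium-rate SMS, SMS deletion, reporting installed applications, self-deletion) can be scripted. The following is an added example written for this page, not the authors' tool: the manifest, the stub of decompiled source, the URL, the rule labels and the two-indicator threshold are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Rules map the payloads reported for the Crusewind sample to (a regex over the
# decompiled Java source, the manifest permissions the call needs at run time).
# Rule labels and the verdict threshold are this example's own choices.
RULES = [
    ("download_remote_config", r"\.openConnection\s*\(", ("android.permission.INTERNET",)),
    ("send_premium_sms", r"\.sendTextMessage\s*\(", ("android.permission.SEND_SMS",)),
    ("delete_sms", r"content://sms", ("android.permission.WRITE_SMS",)),
    ("report_installed_apps", r"\.getInstalledPackages\s*\(", ("android.permission.INTERNET",)),
    ("self_delete", r"android\.intent\.action\.DELETE", ()),
]
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?")

# Constructed inputs standing in for AndroidManifest.xml and one class recovered
# with Dex2jar/JD-GUI; the domains are placeholders, not real indicators.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SOURCE = """
static final String CFG = "http://c2.example.invalid/config.xml";
void fetch() throws Exception { new URL(CFG).openConnection(); }
void bill(String n, String t) { SmsManager.getDefault().sendTextMessage(n, null, t, null, null); }
void wipe(ContentResolver r) { r.delete(Uri.parse("content://sms"), null, null); }
void apps(PackageManager pm) { pm.getInstalledPackages(0); }
"""
BENIGN_SOURCE = 'void sync() throws Exception { new URL("https://feeds.example.invalid/rss").openConnection(); }'


def requested_permissions(manifest_xml):
    """Requested Permission feature: the android:name of every <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def hardcoded_urls(java_src):
    """String-literal URLs, e.g. the location of the XML configuration file."""
    return set(URL_RE.findall(java_src))


def triage(manifest_xml, java_src):
    """Combine API-call evidence with manifest permissions into per-payload findings."""
    perms = requested_permissions(manifest_xml)
    indicators = {}
    for label, pattern, needed in RULES:
        if not re.search(pattern, java_src):
            indicators[label] = "absent"
        elif all(p in perms for p in needed):
            indicators[label] = "confirmed"
        else:
            # Call present but the permission is never requested: dead or staged
            # code, so flag it for manual review instead of counting it.
            indicators[label] = "permission_missing"
    confirmed = sum(1 for s in indicators.values() if s == "confirmed")
    verdict = "botnet-like" if confirmed >= 2 else "review"  # threshold is an assumption
    return {"permissions": perms, "urls": hardcoded_urls(java_src),
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for name, m, s in (("sample", SAMPLE_MANIFEST, SAMPLE_SOURCE),
                       ("benign", BENIGN_MANIFEST, BENIGN_SOURCE)):
        print(name, triage(m, s))
```

Obfuscated or encrypted code defeats the regexes, which is the static-analysis limitation the paper notes; the `permission_missing` status is there so that such gaps surface for review rather than silently lowering the score.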
IV. RESULT & DISCUSSION

A case study using a sample from the Android Malware Genome Project [1] shows the proof of concept of how mobile botnet detection is done. The architecture used for this testing was described earlier and was set up in a controlled lab environment. The reverse engineering process and static analysis were conducted to analyze the code using Dex2jar and JD-GUI. This methodology is described in the methodology section and was repeated for all 1260 samples. The testing results showed that one of the payloads of this botnet code is to download an XML configuration file from the following location: http://crusewind.net, as shown in Fig. 5.

Fig. 5. Reverse Engineered Crusewind Botnet Code

Further analysis revealed that this botnet uses the downloaded XML configuration file to retrieve a list of further URLs to send and receive additional data for malicious purposes, which includes sending the victim's installed application information to a predefined server. The botnet also contains functionality to perform actions such as self-deletion and deleting SMS messages.

Another payload, which is seen as profit-based, is the ability of this botnet to send premium-rate SMS messages to the number specified in the downloaded XML configuration file. The victim is charged and the botnet author gets a commission from the premium-rate service operator. Further, this botnet can also lead to identity theft and loss of money for the victim. In this research, all of these identified payloads are then used to build a mobile botnet classification framework in the formation of the mobile botnet detection and response system. The framework is shown in Fig. 6.

Fig. 6. An Overview of the Mobile Botnet Classification Framework

V. CONCLUSION

The popularity and functionality of mobile devices attract not only users but also attackers. Mobile devices such as smartphones can be infected by malware that turns these devices into a botnet, which is later used for cyber-crime, while current solutions for mobile botnet threats can still be improved. Therefore, there is an urgent need for more research on mobile botnet classification, detection and response. The motivation to pursue research in this area is to provide a high-accuracy and efficient model for a mobile botnet detection and response system. This paper is part of a larger project to confront mobile botnet attacks. Ongoing research includes mobile botnet classification and the development of a response system that adopts Innate Immune System capabilities.

ACKNOWLEDGMENT

The authors would like to express their gratitude to Universiti Sains Islam Malaysia (USIM) and Universiti Tun Hussein Onn Malaysia (UTHM) for the support and facilities provided. This research paper is supported by Universiti Sains Islam Malaysia (USIM) grant [PPP/FST/SKTS/30/12712].

REFERENCES
[1] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution," 2012 IEEE Symp. Secur. Priv., no. 4, pp. 95–109, May 2012.
[2] H. Li, D. Ma, N. Saxena, B. Shrestha, and Y. Zhu, "Tap-wave-rub: Lightweight malware prevention for smartphones using intuitive human gestures," Proc. sixth ACM Conf. Secur. Priv. Wirel. Mob. networks, pp. 25–30, 2013.
[3] M. Eslahi, R. Salleh, and N. B. Anuar, "Bots and botnets: An overview of characteristics, detection and challenges," 2012 IEEE Int. Conf. Control Syst. Comput. Eng., pp. 349–354, Nov. 2012.
[4] M. La Polla, F. Martinelli, and D. Sgandurra, "A survey on security for mobile devices," IEEE Commun. Surv. Tutorials, vol. 15, no. 1, pp. 446–471, Jan. 2012.
[5] H. Pieterse and M. S. Olivier, "Android botnets on the rise: Trends and characteristics," in 2012 Information Security for South Africa, 2012, pp. 1–5.
[6] F-Secure, "F-Secure Mobile Threat Report July September 2013," no. September, 2013.
[7] E. Kalige and D. Burkey, "A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware," no. December, 2012.
[8] A. Schmidt, R. Bye, H. Schmidt, J. Clausen, O. Kiraz, K. Yuksel, S. Camtepe, and S. Albayrak, "Static analysis of executables for collaborative malware detection on android," IEEE Int. Conf. Commun. 2009, pp. 0–4, 2009.
[9] W. Enck, M. Ongtang, and P. McDaniel, "On lightweight mobile phone application certification," in Proceedings of the 16th ACM conference on Computer and communications security - CCS '09, 2009, p. 235.
[10] A. Shabtai, Y. Fledel, and Y. Elovici, "Automated Static Code Analysis for Classifying Android Applications Using Machine Learning," 2010 Int. Conf. Comput. Intell. Secur., pp. 329–333, Dec. 2010.
[11] T. Bläsing, L. Batyuk, A. Schmidt, S. A. Camtepe, and S. Albayrak, "An Android Application Sandbox system for suspicious software detection," in 2010 5th International Conference on Malicious and Unwanted Software, 2010, pp. 55–62.
[12] I. Burguera and U. Zurutuza, "Crowdroid: Behavior-Based Malware Detection System for Android," Proc. 1st ACM Work. Secur. Priv. smartphones Mob. devices (SPSM '11), 2011.
[13] M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, "Riskranker: scalable and accurate zero-day android malware detection," Proc. 10th Int. Conf. Mob. Syst. Appl. Serv. (MobiSys 2012), pp. 281–293, 2012.
[14] S. Y. Yerima, S. Sezer, G. McWilliams, and I. Muttik, "A New Android Malware Detection Approach Using Bayesian Classification," 2013 IEEE 27th Int. Conf. Adv. Inf. Netw. Appl., pp. 121–128, Mar. 2013.
[15] D.-J. Wu, C.-H. Mao, T.-E. Wei, H.-M. Lee, and K.-P. Wu, "DroidMat: Android Malware Detection through Manifest and API Calls Tracing," 2012 Seventh Asia Jt. Conf. Inf. Secur., pp. 62–69, Aug. 2012.
[16] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, "Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets," Proc. 16th Netw. Distrib. Syst. Secur. Symp. NDSS, 2012.
[17] D. Damopoulos, G. Kambourakis, S. Gritzalis, and S. O. Park, "Exposing mobile malware from the inside (or what is your mobile app really doing?)," Peer-to-Peer Netw. Appl., Dec. 2012.
[18] L. K. Yan, "DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis."
[19] A. Shabtai and Y. Elovici, "Applying behavioral detection on android-based devices," Third Int. ICST Conf. Mob. Wirel. MiddleWARE, Oper. Syst. Appl., pp. 235–249, 2010.
[20] Y.-D. Lin, Y.-C. Lai, C.-H. Chen, and H.-C. Tsai, "Identifying android malicious repackaged applications by thread-grained system call sequences," Comput. Secur., vol. 39, pp. 340–350, Nov. 2013.
[21] G. Suarez-Tangil, J. E. Tapiador, P. Peris-Lopez, and A. Ribagorda, "Evolution, Detection and Analysis of Malware for Smart Devices," IEEE Commun. Surv. Tutorials, pp. 1–27, 2013.
[22] Y. Zeng, K. Shin, and X. Hu, "Design of SMS commanded-and-controlled and P2P-structured mobile botnets," WISEC '12 Proc. fifth ACM Conf. Secur. Priv. Wirel. Mob. Networks, no. February, 2012.
[23] X. Jiang and Y. Zhou, Android Malware. New York, NY: Springer New York, 2013.
[24] M. M. Saudi, "A New Model for Worm Detection and Response," University of Bradford, 2011.
[25] A. Somayaji, S. Hofmeyr, and S. Forrest, "Principles of a computer immune system," in Proceedings of the 1997 workshop on New security paradigms - NSPW '97, 1997, pp. 75–82.
[26] D. Dasgupta, S. Yu, and F. Nino, "Recent Advances in Artificial Immune Systems: Models and Applications," Appl. Soft Comput., vol. 11, no. 2, pp. 1574–1587, Mar. 2011.
[27] M. F. Marhusin, D. Cornforth, and H. Larkin, "Malicious Code Detection Architecture Inspired by Human Immune System," 2008 Ninth ACIS Int. Conf. Softw. Eng. Artif. Intell. Networking, Parallel/Distributed Comput., pp. 312–317, 2008.
[28] M. Ahmed, M. Ali, and M. A. Maarof, "Enhancing Malware Detection using Innate Immunization," vol. 13, no. 10, pp. 74–77, 2013.