Triton: A Carrier-based Approach for Detecting and Mitigating Mobile Malware

Authors

  • Arati Baliga, NYU Polytechnic School of Engineering
  • Jeffrey Bickford, AT&T Security Research Center
  • Neil Daswani, Twitter Inc

DOI:

https://doi.org/10.13052/jcsm2245-1439.324

Keywords:

spyware, trojans, rootkits, botnets

Abstract

The ubiquity of mobile devices and their evolution as computing platforms have made them lucrative targets for malware. Malware such as spyware, trojans, rootkits and botnets, which has traditionally plagued PCs, is now increasingly targeting mobile devices and is also referred to as mobile malware. Cybercriminal attacks have used mobile malware trojans to steal and transmit users’ personal information, including financial credentials, to bot master servers, as well as to abuse the capabilities of the device (e.g., send premium SMS messages) to generate fraudulent revenue streams.

In this paper, we describe Triton, a new network-based architecture for detecting and mitigating mobile malware, and a prototype implementation of it. Our implementation of Triton for both Android and Linux environments was built in our 3G UMTS lab network, and was found to efficiently detect and neutralize mobile malware when tested using real malware samples from the wild. Triton employs a defense-in-depth approach and features: 1) in-the-network malware detectors to identify and prevent the spread of malware, and 2) a server-side mitigation engine that sends threat profiles to an on-the-phone trusted software component to neutralize and perform fine-grained remediation of malware on mobile devices.


Author Biographies

Arati Baliga, NYU Polytechnic School of Engineering

Arati Baliga is an Independent Security Consultant and Adjunct Professor at the Department of Computer Science and Engineering at NYU Polytechnic School of Engineering. Her expertise and interests are in mobile, systems and network security. Previously, she was a Security Researcher at the AT&T Security Research Center where she worked on building carrier based defenses against mobile malware.

Arati obtained her Ph.D. from the Department of Computer Science at Rutgers University. Her dissertation work on stealth malware detection won the outstanding paper award at the Annual Computer Security Applications Conference (ACSAC 2008).

Jeffrey Bickford, AT&T Security Research Center

Jeffrey Bickford is a member of the AT&T Security Research Center. He is interested in mobile device security with a focus on using virtualization techniques to create a secure and robust mobile platform. His recent work has focused on designing a secure enterprise architecture for protection against APT attacks. Jeff also enjoys investigating real world attacks and analyzing mobile malware samples. He completed his M.S. at the Rutgers University Department of Computer Science.

Neil Daswani, Twitter Inc

Neil Daswani is a member of the information security group at Twitter. He was formerly the CTO of Dasient, Inc. prior to its acquisition by Twitter. Before co-founding Dasient, Neil had served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center for Professional Development Software Security Certification Program.

His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master’s in computer science from Stanford University, and earned a bachelor’s in computer science with honors with distinction from Columbia University.



Published

2014-07-10

How to Cite

Baliga A, Bickford J, Daswani N. Triton: A Carrier-based Approach for Detecting and Mitigating Mobile Malware. JCSANDM [Internet]. 2014 Jul. 10 [cited 2024 Apr. 25];3(2):181-212. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/6183
