Detecting Mobile Malware

Since the breakthrough of botnets built specifically for mobile devices in 2011, they have been a major headache, and a cause for concern, for everyone involved in mobile device security. Early generations of botnets have operated on computers and networks worldwide for many years, usually targeting less-monitored machines with high-bandwidth connections (e.g., university networks and home computers). With the rise in smartphone use, and especially their use for handling sensitive information, mobile devices now provide an efficient environment for botmasters.
Meisam Eslahi, writing for, gives a brief rundown of the most common real mobile botnets and some of the inherent challenges in their detection:
  • Zeus: infects a variety of mobile OSs such as BlackBerry and Android, mainly through social engineering. An infected SMS containing a fake URL is sent to victims, tricking them into downloading fake security certificates.
  • DroidDream: is a particularly efficient app since it operates only between certain hours (11pm to 8am), when the user is asleep or otherwise less likely to be using the phone. During this window, it gains root privileges and can install secondary software to steal data and prevent its removal.
  • TigerBot: is a botnet that is fully controlled by SMS instead of via web technologies. In addition to collecting private data such as SMS messages, it can record voice calls and even surrounding sounds.

There are further notable challenges in detecting botnets on mobile devices. These can be grouped from two points of view: challenges inherent to the bots themselves, and challenges arising from the mobile environment.
The inherent challenges include their dynamic and flexible nature. Bots and botnets are continuously updated, and their code changes from day to day; for instance, there are over 17 different versions of the Zeus botnet described above alone. A further problem is that, as with DroidDream, many operate in a ‘silent mode’: bots installed on mobile devices avoid any unusual or suspicious use of the device’s CPU, memory or other resources, making them invisible to the user.
From the mobile environment’s point of view, there is a definite lack of protection and user awareness compared with traditional computing platforms (i.e., desktops and laptops). Mobile devices are also limited in CPU, memory and battery life, which hampers the often resource-intensive botnet and virus detection solutions. Unlike computer-based botnets, mobile botnets also have a wider range of transmission vectors: they can spread over SMS, MMS and Bluetooth, for example, as well as over the internet.
These characteristics (and more) show that mobile botnet detection is an immense challenge for mobile security management. However effective traditional solutions may be, they are designed for traditional computers and networks, which makes them a square peg in a round hole when applied to mobile devices; creative solutions are needed to resolve the problems described above.
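One practical consequence of the DroidDream and ‘silent mode’ observations above is that resource-based heuristics miss such bots, but their timing does leave a trace. The script below is an added illustration, not code from the original post or from Eslahi: it reads a constructed log of per-app events (timestamp, package, event kind), assumed to be exported by a device management agent, and flags apps whose activity is concentrated in the 11pm–8am window, noting whether a privilege change occurred during that window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <package> <event>", where
# event is net (network use), priv (privilege change) or sms.
SAMPLE_EVENTS = """\
2012-03-01T23:12:04 com.example.wallpaper net
2012-03-01T23:13:10 com.example.wallpaper priv
2012-03-02T02:40:51 com.example.wallpaper net
2012-03-02T05:05:30 com.example.wallpaper net
2012-03-02T07:30:00 com.example.wallpaper net
2012-03-02T08:15:00 com.example.mail net
2012-03-02T12:30:00 com.example.mail net
2012-03-02T23:30:00 com.example.mail net
2012-03-02T13:00:00 com.example.browser net
"""

QUIET_START, QUIET_END = 23, 8  # DroidDream's window: 23:00 to 08:00

def in_quiet_window(ts):
    """True if the timestamp falls between 23:00 and 08:00 (wrapping midnight)."""
    return ts.hour >= QUIET_START or ts.hour < QUIET_END

def parse_events(text):
    """Parse log lines into (datetime, package, event_kind) tuples."""
    events = []
    for line in text.splitlines():
        ts, pkg, kind = line.split()
        events.append((datetime.fromisoformat(ts), pkg, kind))
    return events

def score_apps(events, min_events=3, ratio=0.9):
    """Return {package: (quiet_fraction, priv_in_window)} for apps with at least
    min_events events of which a fraction >= ratio fall in the quiet window.
    Heuristic only: backup and sync apps also run at night, so treat a hit
    as a triage signal to investigate, not as a verdict."""
    per_app = defaultdict(lambda: [0, 0, False])  # [quiet, total, priv seen]
    for ts, pkg, kind in events:
        stats = per_app[pkg]
        stats[1] += 1
        if in_quiet_window(ts):
            stats[0] += 1
            if kind == "priv":
                stats[2] = True
    flagged = {}
    for pkg, (quiet, total, priv) in per_app.items():
        frac = quiet / total
        if total >= min_events and frac >= ratio:
            flagged[pkg] = (round(frac, 2), priv)
    return flagged

if __name__ == "__main__":
    for pkg, (frac, priv) in score_apps(parse_events(SAMPLE_EVENTS)).items():
        print(f"{pkg}: {frac:.0%} of activity 23:00-08:00, priv change in window={priv}")
```

On the sample log only com.example.wallpaper is flagged; the mail client also runs at 23:30 but most of its activity is daytime, which is why the ratio threshold matters more than any single night-time event.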
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”
