Evaluating the threat of epidemic mobile malware 8 th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob 2012) M. Sc. Christian Szongott Distributed Computing & Security Group (DCSec) Gottfried Wilhelm Leibniz University of Hannover, Germany



Slide 2

Malware for mobile devices

In the past, desktop PCs were the only attractive targets for malware attacks:
  limited functionality of cell phones
  mobile internet not widely used

Today's cell phone landscape:
  multiple communication interfaces (WiFi, Bluetooth, NFC, …)
  increased usage and connectivity

Christian Szongott, Evaluating the threat of epidemic mobile malware, IEEE WiMob 2012, 10.10.2012


Slide 3

Malware for mobile devices II

Source: hostingnote.com

In the past…
  cell phones from many manufacturers (Nokia, Siemens, Sony, Ericsson, LG, Samsung, …)
  great diversity of mobile operating systems: each manufacturer had its own proprietary OS
  not an attractive target for attackers

Today…
  only a handful of manufacturers
  only 2 relevant mobile OS left (Android, iOS)
  the bulk of mobile phone users run the same mobile OS



Slide 5

iOS Malware

Noteworthy worms on iOS devices in the past:
  iKee worm (changes wallpaper)
  iKee.b/Duh (connects to botnet control server, loads additional components, sends SMS details)
  Siri Privacy Exposer (MITMA, stealing private information) on different computer
  iPhone/Privacy.A (steals private information of nearby devices)

All of them require a jailbroken device to work!


Slide 6

iOS Malware II

iSAM
  variety of attacks possible
  propagation through SMS

Our approach
  use the modern hotspot feature of cell phones for the malware to spread to nearby devices
  spatial proximity is considered



Slide 7

Proof-of-concept implementation

1. Prepare Evil Twin
  hotspot at a crowded place
  well-used SSID
  auto-reconnection
  once connected, all data connections go through our Evil Twin

2. Exploitation
  using iOS internal pf to redirect requests to a locally deployed lighttpd webserver
  in iOS the captive portal pop-up window (UAM) is shown
  site is hosted on our webserver and contains the actual exploit
  exploit jailbreaks the device and receives METM software



Slide 8

Proof-of-concept implementation II

3. Prepare a new Evil Twin
  start hotspot (in our proof-of-concept: MyWi)
  copy malware and configurations
  overwrite pf rules
  start webserver
  cycle starts back at step 1.



Slide 9

Proof-of-concept evaluation I

MET transfer: ~12 seconds (~10 MB) for d < 20 m



Slide 10

Proof-of-concept evaluation II

Significantly higher battery consumption with a running hotspot
Still low enough to infect a bulk of other devices during a day



Slide 11

Simulating cell phone users

Drawbacks of existing simulators
  pure mathematical models: only consider temporal dynamics but no spatial ones
  mobile agent-based models: rely on simple assumptions (homogeneous users, random walk model in empty terrain, instant infection)

Development of the Mobile Security & Privacy Simulator (MoSP)
  based on SimPy (process-based discrete-event simulation framework)
  uses geo-spatial data from OpenStreetMap
  open source



Slide 12

Environment and Assumptions I

Simulation of downtown Chicago (The Loop)

Population: amount of infectable devices
  transport statistics -> 400,000 smartphone users
  iOS share from comScore study: 12%
  users running a vulnerable version of iOS: <10%
  resulting in 4,000 infectable devices

Newer exploits might be multi-platform malware; therefore most simulations run with 10,000 devices



Slide 13

Environment and Assumptions II

Battery consumption
  based on the conducted lab tests
  consumption rises when the device gets infected
  for each new infection a small amount is subtracted
  if the battery is flat, no infection is possible from or to the device

Infection duration
  overall time until a victim's device is infectious
  measured average for d < 20 m: 12 seconds
  additional installation and start-up: 3 seconds
  assumed overall infection time: 15 seconds



Slide 14

Environment and Assumptions III

Four user actions: walking, public space, location, leave

Five user groups: Power Users, Window Shoppers, Cafe Visitors, Average People, Strolling People
  differences in walking speed, duration of stay, internet usage, probabilities for next user action



Slide 15

Infection Model – Outside

Depending on the user's group membership, users have different internet access intervals

An infection occurs if
  the victim's device tries to access the internet, and
  the victim's device remains in communication range (15 m) for at least 15 seconds.
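The outside infection rule above, together with the battery rules from the "Environment and Assumptions II" slide, as a small agent-based simulation. This is an added example, not code from MoSP or from the talk: it uses plain Python instead of SimPy, walks agents randomly on an empty plane instead of OpenStreetMap streets (exactly the simplification the slides criticise, kept here only to stay self-contained), and the step size, the per-second hotspot drain, the per-infection battery cost and the user-group access intervals are constructed assumptions. What is taken from the slides is the 15 m range, the 15 s continuous-proximity requirement, the access-triggered infection, and the flat-battery rule in both directions.

```python
"""Toy agent-based model of the slides' "outside" infection rule (added example, not MoSP code)."""
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COMM_RANGE_M = 15.0            # slide: communication range 15 m
INFECTION_TIME_S = 15.0        # slide: 12 s transfer + 3 s installation/start-up
DT_S = 1.0                     # simulation step (assumption)
HOTSPOT_DRAIN_PER_S = 0.0002   # assumed battery fraction lost per second while infectious
INFECTION_COST = 0.01          # assumed battery fraction the infector pays per new infection


@dataclass
class Device:
    x: float
    y: float
    speed: float                # m/s; 0 for a stationary user
    access_interval: float      # seconds between internet accesses (user-group dependent)
    battery: float = 1.0        # 1.0 = full, 0.0 = flat
    infected: bool = False
    next_access: float = 0.0    # simulation time of the next internet access
    # id(infector) -> time at which continuous proximity to that infector began
    contact_since: Dict[int, float] = field(default_factory=dict)


def distance(a: Device, b: Device) -> float:
    return math.hypot(a.x - b.x, a.y - b.y)


def update_contacts(victim: Device, infectious: List[Device], now: float) -> None:
    """Remember since when the victim has continuously been within range of each infector."""
    for inf in infectious:
        if distance(victim, inf) <= COMM_RANGE_M:
            victim.contact_since.setdefault(id(inf), now)
        else:
            victim.contact_since.pop(id(inf), None)   # contact broken, timer resets


def try_infect(victim: Device, infectious: List[Device], now: float) -> Optional[Device]:
    """Slide rule, evaluated at the moment the victim's device goes online. Returns the infector."""
    if victim.infected or victim.battery <= 0.0:       # flat battery: no infection *to* the device
        return None
    for inf in infectious:
        started = victim.contact_since.get(id(inf))
        if started is None or inf.battery <= 0.0:      # flat battery: no infection *from* the device
            continue
        if now - started >= INFECTION_TIME_S:          # in range for at least 15 s
            victim.infected = True
            inf.battery = max(0.0, inf.battery - INFECTION_COST)
            victim.contact_since.clear()
            return inf
    return None


def step(devices: List[Device], now: float, rng: random.Random) -> None:
    # Movement: random-direction step on an empty plane (constructed; MoSP walks OSM streets).
    for d in devices:
        if d.speed > 0.0:
            ang = rng.uniform(0.0, 2.0 * math.pi)
            d.x += d.speed * DT_S * math.cos(ang)
            d.y += d.speed * DT_S * math.sin(ang)
    # Only infected devices with battery left run a hotspot; running it costs battery.
    infectious = [d for d in devices if d.infected and d.battery > 0.0]
    for d in infectious:
        d.battery = max(0.0, d.battery - HOTSPOT_DRAIN_PER_S * DT_S)
    for d in devices:
        if d.infected:
            continue
        update_contacts(d, infectious, now)
        if now >= d.next_access:                       # the device tries to access the internet
            d.next_access = now + d.access_interval
            try_infect(d, infectious, now)


def simulate(devices: List[Device], duration_s: float, seed: int = 0) -> List[int]:
    """Run the model; returns the number of infected devices after each step."""
    rng = random.Random(seed)
    history, now = [], 0.0
    while now < duration_s:
        step(devices, now, rng)
        history.append(sum(1 for d in devices if d.infected))
        now += DT_S
    return history


def two_device_scenario(dist_m: float, infector_battery: float = 1.0,
                        access_interval: float = 5.0) -> List[Device]:
    """Stationary pair: one infectious device and one susceptible one, dist_m apart."""
    infector = Device(0.0, 0.0, speed=0.0, access_interval=60.0,
                      battery=infector_battery, infected=True)
    return [infector, Device(dist_m, 0.0, speed=0.0, access_interval=access_interval)]


def crowd_scenario(n: int, area_m: float, seed: int = 0) -> List[Device]:
    """n walking users scattered over an area_m x area_m square, one of them infected."""
    rng, devices = random.Random(seed), []
    for k in range(n):
        interval = rng.choice([30.0, 120.0, 600.0])    # constructed user-group access intervals
        devices.append(Device(rng.uniform(0, area_m), rng.uniform(0, area_m),
                              speed=rng.uniform(0.5, 1.5), access_interval=interval,
                              next_access=rng.uniform(0, interval), infected=(k == 0)))
    return devices


if __name__ == "__main__":
    print("pair at 10 m, infected after 60 s:", simulate(two_device_scenario(10.0), 60.0)[-1])
    print("crowd of 50, infected after 10 min:", simulate(crowd_scenario(50, 60.0), 600.0, seed=1)[-1])
```

The stationary pair makes the rule visible: at 10 m with a 5 s access interval the victim is still clean at t = 14 s and infected at the access at t = 15 s, while a 60 s access interval, a 20 m distance or a flat battery on either side never produces an infection within the first minute. That is the same lever the "Different internet usage intervals" results turn: the less often devices go online while in proximity, the slower the spread.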



Slide 16

Infection Model – Inside

Dimensions of locations (cafes, etc.) are not included in OSM data -> mathematical infection model
  location sizes: 30 – 300 m²

Infection probability depends on:
  story count (l), area (a), number of infected devices (i), damping factor (β)
  length of stay (t_visit), device activation interval (t_loc), communication range (r_WiFi)



Slide 17

Comparison of different world models

Infection: Zombie infection / Realistic Device Infection
Movement: Random walk model / Full model



Slide 18

Results

Parametric study of infections



Slide 19

Results II

Different internet usage intervals



Slide 20

Results III

Closed vs. open system



Slide 21

Results IV

Different initial battery levels



Slide 22

Results V

No locations


With cafés as locations


Slide 23

Conclusion & Future work

Simulation of mobile malware has to take movement and usage patterns as well as locations into account

A critical mass for epidemic spreading of mobile malware will probably be reached in the near future
  monoculture of mobile operating systems
  significantly rising number of smartphone users

Simulator ToDos
  improving the indoor simulator
  tuning simulation parameters
  simulation of countermeasures



Slide 24

Links & information

Mobile Security & Privacy Simulator: http://www.dcsec.uni-hannover.de/mosp.html

More technical details about the proof-of-concept malware:
  "Mobile Evil Twin Malnets - The Worst of Both Worlds", Proceedings of the 11th International Conference on Cryptology and Network Security, 2012 (to appear)
  or ask me later on


Thank you! Any Questions?


Slide 25

Simulation of a countermeasure



Slide 26

Results VI
