Malicious Attacks in Mobile Devices
Asst. Professor, Department of Computer Science
Alluri Institute of Management Sciences
Md. Nayeemuddin
Department of Computer Science
Alluri Institute of Management Sciences
E-mail: mohd.nayeemuddin@gmail.com
This paper examines the scope of the threat that malicious attacks (malware) pose to mobile devices. The stakes for the wireless industry are high. While malware is widespread among 1 billion PCs, about twice as many mobile users currently enjoy a malware-free experience. But since the appearance of the Cabir worm in 2004, malware for mobile devices has developed relatively quickly, focused primarily on the popular Symbian smartphone platform. Key highlights in malware development are reviewed, and they suggest that mobile devices are attracting more sophisticated malware attacks. Fortunately, a number of host-based and network-based defenses have been developed from decades of experience with PC malware. Activities are underway to protect mobile devices before malware becomes a catastrophic problem, but developers are limited by the capabilities of handheld devices.

Keywords: malware, smartphone, Trojan, virus, vulnerability, worm
Most people are aware that malicious software (malware) is an ongoing, common problem with Internet-connected PCs. Statistics on the spread of malware, as well as personal anecdotes from affected PC users, are easy to find. PC malware can be traced back to at least the Brain virus in 1986 and the Robert Morris Jr. worm in 1988. Many variants of malware have developed over 20 years. In October 2006, the WildList (www.wildlist.org) contained 780 viruses and worms known to be spreading "in the wild" (on real users' PCs), but this list is a small subset of the total number of existing viruses. The prevalence of malware was evident in a 2006 CSI/FBI survey, in which 65% of organizations reported being hit by malware, significantly the most common type of attack.
A taxonomy introducing the definitions of malware is shown in Figure 1, but classification is sometimes difficult because a piece of malware often combines multiple features. Viruses and worms are characterized by the ability to reproduce themselves, but they differ in their methods (Nazario, 2004; Szor, 2005). A virus is a piece of software code (a set of instructions, but not a complete program) attached to a normal program or file. The virus depends on the execution of the host program. At some point in the execution, the virus code takes control of program execution to make copies of itself and attach these copies to other programs or files. In contrast, a worm is a standalone program that automatically searches for vulnerable computers on a network and copies itself to compromised victims.
Non-replicating malware typically hides its presence on a computer or at least hides its malicious function. Malware that hides a malicious function but not necessarily its presence is a Trojan horse (Skoudis, 2004). Typically, Trojans pose as a legitimate program (such as a game or device driver) and usually rely on social engineering, because they are not capable of reproducing themselves. Trojan horses are used for various purposes, often confidential data theft, destruction, backdoors for remote access, or the installation of other malware. Besides Trojan horses, many types of non-replicating malware hide their presence in order to carry out a malicious function on a victim host without detection and removal by the user. Typical examples are bots and spyware. Bots are hidden software installed on compromised computers that secretly listen for remote commands, usually through Internet Relay Chat (IRC) channels, and execute them. Spyware collects personal user data from a victim computer and transmits the data over the network, often for advertising purposes but possibly for identity theft. Spyware is often bundled with shareware or covertly installed through social engineering.
Figure 1: Taxonomy of malicious software
Since 2004, malware has been observed spreading among smartphones and other mobile devices over wireless networks. According to F-Secure, the number of known malware targeting smartphones is about 100 (Hypponen, 2006). However, some believe that malware will inevitably grow into a serious problem (Dagon, Martin & Starner, 2004). There is already complex, blended malware on mobile devices. Within a few years, mobile viruses have grown in sophistication in a way that recalls 20 years of PC malware development. Unfortunately, mobile devices were not designed for security, and they have limited defenses against continually evolving attacks. If the present trend continues, the spread of malware over wireless networks could use up valuable resources and significantly worsen the experience of wireless subscribers. In the worst case, malware could become as commonplace in wireless networks as on the Internet, with all the associated risks of data loss, identity theft, and worse. The wireless market is growing fast, but negative experiences with malware on mobile devices could discourage subscribers and inhibit market growth.
The concern is serious because wireless services are currently tied to billing and charging mechanisms: use of wireless services, whether for legitimate purposes or by malware, results in subscriber fees. A victim thus not only suffers the experience of malware but may also be billed extra costs.
This paper examines historical examples of malware and the current environment for mobile devices. Possible infection vectors are explored. Finally, the existing defense mechanisms are identified and described.

2. BACKGROUND
Mobile devices are attractive targets for several reasons (Hypponen, 2006). First, mobile devices have clearly advanced far in terms of hardware and communications. PDAs have grown from simple organizers into mini-computers with their own operating systems (such as Palm or Pocket PC / Windows Mobile) that can download and install a variety of applications. Smartphones combine the communication capabilities of mobile phones with PDA functions. According to Gartner, nearly 1 billion mobile phones will be sold in 2006. Currently, smartphones are a small fraction of the total handset market. According to the Computer Industry Almanac, 69 million smartphones will be sold in 2006. However, they are growing rapidly, and IDC predicts smartphones will be 15% of all mobile phones in 2009. About 70% of all smartphones, from different manufacturers, run the Symbian operating system, according to Canalys. Symbian is jointly owned by Sony Ericsson, Nokia, Panasonic, Samsung and Siemens AG. Symbian is widespread in Europe and Southeast Asia, but less common in North America, Japan and South Korea. The Japanese and Korean markets are dominated by Linux-based phones. The North American market has a variety of cellular platforms.
Almost all malicious programs for mobile devices have targeted the Symbian operating system. Descended from Psion's EPOC software, it is structured similarly to desktop operating systems. Traditional phones have proprietary embedded operating systems that generally accept only Java applications. In contrast, Symbian application programming interfaces (APIs) are publicly documented, so anyone can develop applications. Applications packaged in the SIS file format can be installed at any time, which makes Symbian devices more attractive to both consumers and malware authors. Mobile devices are also attractive targets because they are well connected, often incorporating various means of wireless communication. They are typically capable of Internet access for Web browsing, e-mail, instant messaging and applications similar to those on PCs. They can also communicate by cellular, IEEE 802.11 wireless LAN, short-range Bluetooth, and Short / Multimedia Messaging Service (SMS / MMS). Another reason for their attractiveness to malware authors is the size of the target population. There were more than 900 million PCs in use worldwide in 2005, and the number will climb past 1 billion PCs in 2007, according to Computer Industry Almanac. In comparison, there were about 2 billion mobile subscribers in 2005. Such a large target population is attractive to malware authors who want to maximize their impact.
Malware for mobile devices is relatively unknown today. At this time, only a small number of malware families have been seen for wireless devices, and malware is not a prominent threat in wireless networks. Because of the low threat risk, mobile devices have minimal security defenses. Another reason is the limited capacity of mobile devices. While desktop PCs have fast processors and plug into virtually unlimited power, mobile devices have less processing power and limited battery power. Protection such as antivirus software and host-based intrusion detection would incur relatively high costs in processing and energy consumption. In addition, mobile devices were never designed for security. For example, they lack an encrypting file system, Kerberos authentication, and so on. In short, they are missing all the components needed to create a modern, secure network-connected computing device.
3. DEVELOPMENT OF MALWARE
Malware has already appeared on mobile devices in recent years (Peikari & Fogie, 2003). While the number is still small compared to the malware families known for PCs, a study of prominent examples shows that malware is constantly evolving. The intent here is not an exhaustive list of examples of known malware, but to show how malware has evolved. Palm Pilots and Pocket PCs were common before smartphones, and malware appeared for the Palm operating system first. Liberty Crack was a Trojan horse related to Liberty, a program that emulates the Nintendo Game Boy on the Palm, reported in August 2000 (Foley & Dumigan, 2001). As a Trojan, it did not spread by self-replication but depended on being installed from a PC that had the "liberty_1_1_crack.prc" file. Once installed on a Palm, it appears on the display as an application named Crack. When executed, it deletes all applications from the Palm.
Discovered in September 2000, Phage was the first virus to target Palm PDAs (Peikari & Fogie, 2003). When executed, the virus infects all third-party applications by overwriting them (http://www.f-secure.com/v-descs/phage.shtml). When a program's icon is selected, the display turns gray and the application quits. The virus can spread directly to other Palms via infrared beaming or indirectly via PC synchronization. Another Trojan horse discovered around the same time, Vapor, is installed on a Palm as the application "vapor.prc" (www.f-secure.com/v-descs/vapor.shtml). When run, it changes the file attributes of other applications so that they are invisible (but does not actually delete them). It does not self-replicate.
In July 2004, Duts was a proof-of-concept virus, the first to target Windows Pocket PCs. It asks the user for permission to install. When installed, it tries to infect all EXE files larger than 4096 bytes in the current directory. Later in 2004, Brador was a backdoor for Pocket PCs (www.f-secure.com/v-descs/brador.shtml). It installs the file svchost.exe in the startup directory so that it starts automatically when the device boots. Then it reads the local host IP address and e-mails it to the author. After e-mailing the IP address, it opens a backdoor on a TCP port and starts listening for commands. The backdoor is capable of uploading and downloading files, executing arbitrary commands, and displaying messages to the PDA user.

The Cabir worm, discovered in June 2004, was a milestone marking the trend away from PDAs toward smartphones running the Symbian operating system. Cabir is a proof-of-concept worm, the first for Symbian, written by a member of the virus-writing group 29A (www.f-secure.com/v-descs/cabir.shtml). The worm is carried in a file named "caribe.sis" (Caribe is Spanish for the Caribbean). The SIS file contains autostart settings that automatically run the worm once the SIS file is installed. When the Cabir worm is activated, it starts looking for other (discoverable) Bluetooth devices within range. On finding another device, it tries to send it the caribe.sis file. Receiving and installing the file requires user approval after a message is displayed. It causes no damage. Cabir was not only one of the first malware for Symbian, but also one of the first to use Bluetooth (Gostev, 2006). Malicious software is often spread by e-mail. The choice of Bluetooth meant that Cabir would spread slowly in the wild. An infected smartphone would have to discover another smartphone within Bluetooth range, and the target's user would have to willingly accept the transfer of the worm file while the devices are within range of each other.
In August 2004, the first Trojan horse for smartphones was discovered. It appeared to be a cracked version of the Symbian game Mosquitos. The Trojan made infected phones send SMS text messages to phone numbers, resulting in charges to the phones' owners. In November 2004, the Skulls Trojan horse was found to infect Symbian Series 60 smartphones. The Trojan is a file named "Extended Theme.SIS," presented as a theme manager for Nokia 7610 smartphones. When run, it disables all applications on the phone and replaces their icons with skulls. The phone can still be used to make and receive calls. However, system applications such as SMS, MMS, Internet, and the camera do not work. In December 2004, Skulls and Cabir were combined to form Metal Gear, a Trojan horse that masquerades as a version of the game of the same name. Metal Gear uses Skulls to disable a device's antivirus. This was the first malware to attack antivirus software on Symbian smartphones. The malware also drops a file "SEXXXY.SIS", an installer that adds code to disable the handset's menu button. It then uses Cabir to send itself to other devices.
In March 2005, ComWar (or CommWarrior) was the first worm to spread via MMS among Symbian Series 60 smartphones. Like Cabir, it was also able to spread by Bluetooth. Infected phones search for discoverable Bluetooth devices in range; if one is found, the infected phone tries to send the worm in a randomly named SIS file. But Bluetooth is limited to devices within 10 meters or so. MMS messages can be sent anywhere in the world. The worm attempts to spread by MMS to other mobile phone owners found in the victim's address book. MMS has the unfortunate side effect of incurring charges for the phone's owner. In April 2005, the Mabir worm was similar to Cabir in its ability to spread by Bluetooth. It had the additional capability of spreading by MMS messages. It waits for any incoming MMS or SMS message and replies with a copy of itself in a file named "info.sis".
Found in September 2005, the Cardtrap Trojan horse targeted Symbian 60 smartphones and was one of the first examples of smartphone malware capable of infecting a PC. When installed on a smartphone, it disables several applications by overwriting their main executable files. More interestingly, it also installs two Windows worms, Padobot.Z and Rays, on the phone's memory card. An autorun file is copied along with the Padobot.Z worm, so that if the memory card is inserted into a PC, the autorun file tries to execute the Padobot worm. The Rays worm is a file named "system.exe", which has the same icon as the System folder on the memory card. The apparent intention was to trick a user reading the contents of the card on a PC into executing the Rays worm.
In August 2006, the Mobler worm for Windows PCs was discovered. It is not a real threat but is suggestive of how future malware could develop. When a PC is infected, the worm copies itself to various folders on local hard disks and writable media (such as a memory card). Among its various actions, the worm creates a SIS archiving program "makesis.exe" and a copy of itself named "system.exe" in the Windows system folder. It also creates a Symbian installation package named "Black_Symbian.SIS". It is believed to be capable of spreading from a PC to a smartphone, another example of cross-platform malware.
In January 2007, declared that “have identified more than 200 mobile viruses already, a figure almost doubled every six months. Now is the time for IT managers and industry leaders within institutions to take measures to protect their companies and customers from mobile malware. The most optimistic scenario is one in which the attacker does not know what he holds in his hands and his subsequent actions do not involve those affected. The less optimistic picture includes identity theft, bank accounts emptied in an instant, and even the collapse of several financial institutions.
At present, it is not known whether Crossover and Mobler signal the beginning of a new trend toward cross-platform malware that spreads equally well among PCs and mobile devices. The potential target population would be nearly 3 billion. The trend is not obvious yet, but Crossover and Mobler indicate that cross-platform malware could become possible in the near future.
4. INFECTION VECTORS
Infection vectors for PC malware have evolved over the years as computer technology has changed. Viruses first spread by floppy disks. After floppy disks disappeared and Internet connectivity became ubiquitous, worms spread by mass e-mailing. Similarly, the following infection vectors have been used by malware for mobile devices in the past few years.
Sync: Palm and Windows PDAs were popular before smartphones. PDAs install software through synchronization with a PC (Foley & Dumigan, 2001). For example, Palm applications are packaged as Palm resource (PRC) files and installed from PCs. As already shown, Palm malware usually relied on social engineering to get installed. This is a slow infection vector for malware spreading between PDAs, because it requires synchronization with a PC and then contact with another PC that synchronizes with another PDA. Much faster infection vectors became possible when PDAs and then smartphones began to communicate directly between mobile devices without going through a PC.
E-mail and Web: Internet access allows users of mobile devices to use the most popular Internet applications from their desktops, e-mail and the World Wide Web. Most mobile devices can send and receive e-mails with attachments. In addition, many include a microbrowser to make Web content accessible on the small displays of mobile devices. Current microbrowsers have features similar to regular Web browsers and are capable of HTML, WML, CSS, Ajax, and plug-ins. Although e-mail and the Web are common vectors for PC malware, they have not been used as vectors to infect mobile devices to date.

SMS / MMS: Also known as text messaging, SMS is available on most mobile phones and Pocket PCs. It is very popular in Europe, Asia (excluding Japan), Australia and New Zealand, but not as popular in the United States as other types of messaging. Text messaging is often used to interact with automated systems, for example to order products or services or to participate in competitions. Text messages are limited to 140 bytes of data, but longer content can be segmented and sent in multiple messages. The receiving phone is responsible for reassembling the entire message. Short messages can also be used to send binary content such as ringtones or logos. While SMS is largely limited to text, MMS is an enhanced messaging service that allows the transmission of multimedia objects: video, images, audio and rich text. The ComWar worm was the first to spread via MMS (on Symbian Series 60 smartphones). MMS has the potential to spread quickly. ComWar increased its chances by targeting other phone owners found in the victim's address book. Because it appears to come from a friend, an incoming message is more likely to be accepted by the recipient. MMS will probably continue to be an infection vector in the future.
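The segmentation and reassembly described above, as an added example that is not part of the original paper. It assumes the concatenation header defined in 3GPP TS 23.040 (a detail the text does not name) and 8-bit data; the function and class names are illustrative, and the checks show what a receiver has to validate before trusting segment fields.

```python
# Added example: reassembly of segmented short messages with input validation.
MAX_USER_DATA = 140      # bytes of data per short message (limit stated in the text)
IEI_CONCAT_8BIT = 0x00   # concatenation element, 8-bit reference (3GPP TS 23.040)
UDH_LEN = 6              # length byte + 5-byte header holding one concatenation element


def parse_segment(user_data: bytes):
    """Split one segment into (ref, total, seq, payload); raise ValueError if malformed."""
    if not 0 < len(user_data) <= MAX_USER_DATA:
        raise ValueError("user data must be 1..140 bytes")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise ValueError("header length runs past the message")
    header, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    i = 0
    while i + 2 <= len(header):
        iei, iedl = header[i], header[i + 1]
        body = header[i + 2:i + 2 + iedl]
        if len(body) != iedl:
            raise ValueError("truncated information element")
        if iei == IEI_CONCAT_8BIT:
            if iedl != 3:
                raise ValueError("bad concatenation element length")
            ref, total, seq = body
            if total == 0 or not 1 <= seq <= total:
                raise ValueError("segment index outside 1..total")
            return ref, total, seq, payload
        i += 2 + iedl
    raise ValueError("no concatenation element")


class Reassembler:
    """Collects segments per (sender, reference) and bounds the state it keeps."""

    def __init__(self, max_pending: int = 32):
        self.pending = {}
        self.max_pending = max_pending

    def feed(self, sender: str, user_data: bytes):
        """Return the full message once every segment has arrived, else None."""
        ref, total, seq, payload = parse_segment(user_data)
        key = (sender, ref)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                raise ValueError("too many incomplete messages")
            entry = self.pending[key] = {"total": total, "parts": {}}
        if entry["total"] != total:
            raise ValueError("segment count changed mid-message")
        entry["parts"].setdefault(seq, payload)  # first copy wins; duplicates ignored
        if len(entry["parts"]) < total:
            return None
        del self.pending[key]
        return b"".join(entry["parts"][n] for n in range(1, total + 1))


def make_segments(data: bytes, ref: int):
    """Build constructed test segments: 134 payload bytes behind a 6-byte header."""
    size = MAX_USER_DATA - UDH_LEN
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return [bytes([5, IEI_CONCAT_8BIT, 3, ref, len(chunks), n]) + c
            for n, c in enumerate(chunks, 1)]
```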
Bluetooth: Bluetooth is a short-range wireless communication protocol that enables Bluetooth devices (whether mobile or stationary) within 10-100 meters to find and talk to each other. Up to eight devices can communicate with one another in a piconet, where one device operates in the role of "master" and the others in the role of "slaves". The master takes turns communicating with each slave in round-robin fashion. The roles of master and slave can be changed at any time.
Every Bluetooth device has a unique and permanent 48-bit address and a user-chosen, user-friendly Bluetooth name. Each device can also search for other devices in the vicinity, and devices configured to respond will give their name, class, list of services and technical details (e.g., manufacturer, device features). If a device is queried directly at its address, it will always respond with the requested information.
The Cabir worm was the first to use Bluetooth as a vector. Bluetooth is expected to be a slow infection vector. An infected smartphone would have to discover a target smartphone within a 10-yard range, and the target's user would have to willingly accept the transfer of the worm file while the devices are within range of each other. Although mobile phones are normally shipped with Bluetooth in discoverable mode, it is easy to switch devices to invisible mode. This simple precaution would make it much harder for malware to spread.
5. MALWARE DEFENSE
protection instead of a single (hopefully perfect) defense (Skoudis, 2004). Fortunately, various defense mechanisms against malware have been developed from decades of experience with PC malware. A taxonomy of malware defenses is shown in Figure 2. Defenses can first be categorized as preventive or reactive (defensive). Preventive techniques help avoid malware infections by identifying and eliminating vulnerabilities, strengthening security policies, patching operating systems and applications, updating antivirus signatures, and even educating users about best practices (in this case, for example, turning off Bluetooth except when needed, refusing to install software of unknown origin, and blocking SMS / MMS messages from untrusted parties). At this time, simple preventive techniques are likely to be very effective because relatively few threats are actually spreading in the wild. In particular, user awareness training would be effective against social engineering, one of the main infection vectors used by malware for mobile devices so far.
6. HOST-BASED DEFENSES
Even with the best practices to avoid infection, reactive defenses are still needed to protect mobile devices from actual malware threats. Reactive defenses can operate in hosts (mobile devices) or in a network. Host-based defenses make sense because the protection is close to the targets. However, host-based processes (such as antivirus programs) consume processing and energy resources, which are more critical on mobile devices than on desktop PCs. Also, the approach is difficult to scale to large populations if software must be installed, managed and maintained on every mobile device. Network-based defenses are more scalable in the sense that one router or firewall can protect a group of hosts. Another reason for network-based defenses is the possibility that the network can block malware before it actually reaches a targeted device, which is not possible with host-based defenses. Host-based defenses take effect only after contact with the host. In practice, host-based and network-based defenses are used in combination to realize their complementary benefits.
The most obvious host-based defense is antivirus software (Szor, 2005). Antivirus software automatically analyzes files, sent messages and system activities. All commercial antivirus programs depend mainly on malware signatures, which are sets of unique characteristics associated with each known piece of malware. The main advantage of signature-based detection is its accuracy in identifying malware. If a signature is matched, the malware is identified exactly, perhaps sufficiently for disinfection.

Unfortunately, signature-based detection has two disadvantages. First, antivirus signatures must be updated regularly. Second, there is always the possibility that new malware could escape detection if it has no matching signature. For this case, antivirus programs often include heuristic anomaly detection, which looks for unusual behavior or activities. Anomaly detection usually does not identify malware exactly; it only raises the suspicion that malware is present and that further investigation is needed. For this reason, signatures will remain the preferred antivirus method for the foreseeable future.
Recognizing that almost all smartphone malware has targeted Symbian devices, a great deal of attention has focused on the vulnerabilities of that operating system. One could argue that the system has a low level of application security. For example, Symbian allows any application to be rewritten without the user's consent. Also, once an application is installed, it has total control over all functions. In short, applications are completely trusted.
Figure 2: A taxonomy of malware defense
Symbian OS version 9 has a code-signing feature. Currently, all software must be installed manually. The installation process warns the user if an application has not been signed. Digital signing makes software traceable to its developer and makes it possible to check that an application has not changed since it left the developer. Developers can apply to have their software signed via the Symbian Signed program (www.symbiansigned.com). Developers also have the option of self-signing their programs. Any signed application will install on a Symbian OS phone without a security warning. An unsigned application can be installed with user consent, but the operating system will prevent it from doing potentially harmful things by denying access to critical system functions and to data stored by other applications.
7. NETWORK-BASED DEFENSES
Network-based defenses depend on network operators monitoring, analyzing and filtering the traffic on their networks. Security equipment includes firewalls, intrusion detection systems, routers with access control lists (ACLs), and antivirus running on e-mail servers and SMS / MMS service centers.
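One way a filter at an SMS / MMS service center could look for the worm behaviors described earlier (ComWar sending randomly named SIS files to address-book contacts, Mabir answering an incoming message with a SIS file), as an added example rather than any operator's or vendor's code. The log layout, phone numbers and thresholds are constructed assumptions, and the log is assumed to be ordered by time.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample log; the column layout is an assumption, not a real MMSC format.
SAMPLE_LOG = """\
ts,sender,recipient,attachment
1000,+15550001,+15550002,holiday.jpg
1005,+15550010,+15550011,a8f3k2.sis
1012,+15550010,+15550012,qz71mm.sis
1020,+15550010,+15550013,p0o9i8.sis
1030,+15550020,+15550021,game.sis
1300,+15550030,+15550031,one.sis
1700,+15550030,+15550032,two.sis
2100,+15550030,+15550033,three.sis
2200,+15550040,+15550041,x1.sis
2205,+15550040,+15550041,x2.sis
2210,+15550040,+15550041,x3.sis
3000,+15550050,+15550060,
3002,+15550060,+15550050,info.sis
3100,+15550051,+15550060,
3101,+15550060,+15550051,info.sis
"""


def _rows(log_text):
    """Yield (ts, sender, recipient, lowercased attachment name) per log line."""
    for row in csv.DictReader(io.StringIO(log_text)):
        yield (int(row["ts"]), row["sender"], row["recipient"],
               (row["attachment"] or "").lower())


def flag_fanout(log_text, window=60, min_recipients=3):
    """Senders that push SIS files to many distinct recipients within `window` seconds.

    Matching is on the .sis extension, not the file name, because the worm
    described in the text picks a random name for every copy.
    Returns {sender: timestamp of the message that crossed the threshold}.
    """
    recent = defaultdict(deque)   # sender -> (ts, recipient) pairs inside the window
    alerts = {}
    for ts, sender, recipient, attachment in _rows(log_text):
        if not attachment.endswith(".sis"):
            continue
        queue = recent[sender]
        queue.append((ts, recipient))
        while ts - queue[0][0] > window:
            queue.popleft()
        if len({r for _, r in queue}) >= min_recipients:
            alerts.setdefault(sender, ts)
    return alerts


def flag_auto_reply(log_text, delay=5, min_replies=2):
    """Senders that repeatedly answer an incoming message with a SIS file within `delay` s."""
    last_inbound = {}             # (receiver, peer) -> ts of latest message from peer
    replies = defaultdict(int)
    for ts, sender, recipient, attachment in _rows(log_text):
        if attachment.endswith(".sis"):
            received = last_inbound.get((sender, recipient))
            if received is not None and 0 <= ts - received <= delay:
                replies[sender] += 1
        last_inbound[(recipient, sender)] = ts
    return sorted(s for s, n in replies.items() if n >= min_replies)


if __name__ == "__main__":
    print("fan-out:", flag_fanout(SAMPLE_LOG))
    print("auto-reply:", flag_auto_reply(SAMPLE_LOG))
```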