Pierluigi Paganini
March 14, 2013
Anticipations on mobile botnets’ existence have been ended by the Damballa Research Laboratory official reports which discovered 40,000 infected mobile devices that have communicated through cybercriminal C&C servers for the first six months of 2011. Moreover, the McAfee research lab early prediction on advent of widely-distributed and more resilient mobile botnets come closer to reality as the Zeus botnet migrated from computers to mobile devices and targeted mobile banking. Recently nearby a million mobile devices has been infected by botnets in china via 7000 Trojanized applications.
“Security researchers say they have discovered a huge botnet running on the smartphones of more than a million unsuspecting mobile users in China. The botnet can allow the smartphones to be hijacked remotely and potentially used for fraudulent purposes. (BBC)”
The early generations of botnets (e.g. IRC, HTTP, P2P) have been operating on computer and computer networks with their most common targets being less-monitored computers, computers with high-bandwidth connections, university and company servers and home computers. Recently, mobile devices are well integrated with advanced capabilities and technologies which provides efficient environment to attract botmasters. In addition, soaring use of smartphones and Internet along with their convenience and mobility has motivated botmasters to migrate to mobile infrastructures.
The Zeus in the Mobile or Zitmo infects variety of mobile operating systems, such as Symbian, Windows Mobile, BlackBerry, and Android mainly by social engineering approaches. It sends an infected SMS to victims contain a fake URL to dupe users to download a security certificate which is, in fact, the Zitmo bot. It also intercepts messages which are sent by banks to customers and authenticates illegal transactions by stealing mobile Transaction Authentication Numbers (TAC).
Back in 2007, David Barroso termed botnets “the silent threat” as they try to control the infected devices without the knowledge of owners. They do not make any unusual or suspicious use of the CPU, memory, or other resources, which may uncover their activities. DroidDream was one of a good example of these silent patterns, since it is activated silently and at night (11pm to 8 am) when the mobile’s users are asleep. It was designed to gain root privileges on infected mobiles and install a second application to steal sensitive information and protect itself from removal.
The Android.Bmaster has infected high number of mobile devices by using Trojan applications and exploited techniques. The Symantec named Bmaster as “A Million-Dollar Mobile Botnet” since it has gained millions of dollars through premium SMS, telephone or video services. However, recently a new mobile botnet called MDK has overtaken the Bmaster by infecting nearby 7000 applications and having one million mobile devices under the control of its botmaster.
Although the Ikee.B is a simple botnet in nature, it can be named as one of the early generations of mobile botnets that operates on jailbreak iPhones with almost the same functionality as computer-based botnets. Scanning the IP range of iPhone networks, looking for other vulnerable iPhones in global scale and self-propagation are the main activities of this malware.
Amongst different types of mobile botnets the AnserverBot can be considered as one of the most sophisticated malware. Its command and control is designed based on a complex two-layer mechanism and implemented over public blog. In addition to detecting and disable the security solution in infected device, the AnserverBot periodically checks its signature to verify its integrity in order to protect itself from any type of changes.
TigerBot is fully controlled by SMS instead of the Internet and web technologies. However, it detects the C&C messages and makes them invisible to the mobile device owners. In addition to collecting private data like SMS messages, it has sophisticated capabilities to record voice call conversations and even surrounding sounds.
The aforementioned botnets are only a few examples of current mobile botnets to emphasize their existence and their negative impacts on mobile network environments. Although the mobile botnets are newly developed, they are growing extremely fast specially in popular platform such as Android.
“Since July 2012, more than 100 million Android phones have found their way to new owners, which represents slightly more than half of the market in smartphones (sorry, iPhones). Fake apps and bad SMS messaging is all the rave with the malware writers these days, and as the new year unwinds, we have already seen report after report of this rising tide of “new” target exploits. (Drew Williams, President, Condition Zebra )”
On the other hand, mobile environments are less protected compared to computers and computer networks and their specific characteristics bring notable challenges to mobile botnet and malware detection. I will discuss more on current challenges of mobile security solutions and mobile botnet detection in particular in the second part of this article.
By Meisam Eslahi
Meisam Eslahi is an information security researcher and digital forensic investigator, received his Masters’ of Computer Science in Network Security filed. He is working toward the Ph.D. degree in Computer Engineering at UiTM, Malaysia and his domain of interests include Cybersecurity Threats Detection, Mitigation and Response (Mobile Botnets in Particular), Behavioral Analysis, Cybersafety and Digital Awareness. He has over 11 years of experience in the field of Information Technology with 5 being focused on Cyber Security related domains and holds multiple certifications such as CEH (Certified Ethical Hacking), CHFI (Computer Hacking Forensic Investigator), and IBM certified Solution Advisor for Cloud Computing.
(Security Affairs – Botnets)
