a timeline of mobile botnets - botconf 2018 · a timeline of mobile botnets ruchna nigam fortiguard...

A Timeline Of Mobile Botnets

Ruchna NigamFortiGuard Labs,

FortinetEmail: [email protected]

Abstract—The explosion of smartphones and their increasingadaptation by the masses, is a trend that hasn’t gone unnoticedby malware authors. In keeping with this trend, malware authorshave also focussed their attention on mobile devices, leading to asteep rise in mobile malware over the past couple of years. Thispaper focusses particularly on mobile malware variants calledbots, that can be controlled remotely by an attacker.

The paper begins with a comparison between mobile andPC botnets, discussing fundamental, conceptual and implemen-tational differences between them. Next, some precursors to fullyfunctional mobile bots are discussed, along with some Proofs ofConcept mobile botnets that have been published for researchpurposes.

The crux of the paper lies in an Inventory detailing knownmobile bot variants in the wild, ordered chronologically basedon their date of discovery, accompanied by features like theCommand and Control (C&C) channel used, C&C commands,the bot’s abilities, the main motivation(s) behind it and thenumber of known samples. Following the inventory, some vari-ants are described further in detail, selected based on criterialike Unusual Functionalities, Anti-Debugging Tricks used, CodeObfuscation and Traffic Encryption, and whether they are servedusing unusual Attack Vectors.

The paper ends in Statistics based upon the analysis of thebot variants listed in the inventory and a Conclusion, includinginferences that can be drawn from these statistics. My motivationfor this paper ultimately stems from the possibility of thisinformation helping in the design of mobile security systems inthe future.

I. INTRODUCTION

2014 saw mobile malware completing 10 years of itsexistence[1] beginning with the discovery of Cabir, the firstmobile worm in 2004. Since then, mobile malware has broadlyfollowed the same evolution as PC malware, albeit at a muchfaster pace. This evolution included the evident emergenceof bots for mobile phones, pieces of malware that can becontrolled by a remote entity, called a Command and Control(C&C) server or botmaster, to perform various functions.

The concept of this paper came about with the idea tocreate an inventory of sorts of known mobile bot variantsand, more importantly, to study differences and commonalitiesbetween them. By means of this paper, the author analyzes andexamines 60 odd mobile bot variants, starting with variants asearly as 2010, up until the recently discovered version of theCryptolocker ransomware targeting the Android platform thatlistens for deactivation commands from its botmaster.

A. Botnets : PC vs Mobile

In this first section, some fundamental, conceptual andimplementational differences between PC and mobile botnets

will be discussed.

• Platform of operation : The platforms on whichbotmasters and slaves run is a fundamental differencebetween mobile and PC botnets. In the case of PCmalware, both the botmaster and slave run on the sameplatform i.e. a PC, whereas in the case of mobilebotnets, the bot slave is on a mobile phone, whilethe botmaster runs on a PC, or on a phone manuallyoperated by an attacker. Botmasters haven’t yet beenobserved running autonomously on phones. One couldspeculate this is due to constraints on resources inmobile phones such as battery life and computationalpower.

• Connectivity : Mobile botnets are subject to theconnectivity of a mobile phone to a cellular networkfor communication with a C&C server, whereas PCbotnets are subject to the internet access of the PCwhich is mostly affected only by network glitches ortechnical faults in the device itself. The field could beconsidered as leveled for both kinds of botnets in thiscase.

• Lucrativeness : Mobile devices fundamentally pro-vide a more lucrative attack surface owing to the factthat they are almost always carried around by the user,providing a greater probability of grabbing relevantinformation from audio and video recordings, andcamera captures, as opposed to PC botnets that dependupon the device’s uptime and a user’s availabilityat the device. A particularly interesting motivationfor mobile botnets that their PC counterparts don’tprovide, is the ability to track the location of a victimin real time.

• Detection : Possibilities of detection using signs ofinfection exist for both mobile and PC botnets. Inaddition to that, mobile botnets also face the uniquerisk of detection from phone bills i.e. either byunexpectedly high bills due to internet connectionand/or SMS messages in fixed amount plans, or byunusual/unrecognized numbers in the call/SMS historyon bills.

• Takedown : Fortunately for security enforcers, mobilebotnets are still fairly easy to take down since allcases seen in the wild so far have a single pointof takedown i.e. either a phone number, a serveror an email address. However, with the emergenceof new variants with remotely upgradeable C&Cs,mobile botnets might be headed towards the level ofcomplexity of takedown seen in PC botnets.

B. The Early Stages of Mobile Botnets

This section will introduce the infamous Yxes malware forthe Symbian platform that was pitted as the first step towardsmobile botnets, and some other Proofs of Concept mobilebotnets.

In 2009, a Symbian malware named Yxes was discoveredthat made the headlines particularly for being the foretaste ofa mobile botnet[2]. There were mainly two reasons for thisspeculation :

1) Internet access : The malware collected informationfrom the infected phone such as the serial number andsubscription number and forwarded them to a remoteserver, fulfilling one requirement for qualification asa bot client i.e. reporting to a remote server.

2) SMS propagation : The malware, in effect, sent outSMS messages to the phone’s contacts containing adownload link. The link pointed to a copy of themalware itself, qualifying it as a self-propagatingworm. This further fueled doubts of it being part of abotnet since the remote copy of the malware could beupgraded up by the attacker(s) to include the abilityto listen for commands.

However, Yxes isn’t classified as a bot since it lacks thisfundamental bot functionality - the ability to take commandsfrom a remote location.

In the same year, another malware known as Eeki.B onthe iOS was discovered. The variant posessed abilities to stealinformation from the infected phone such as its SMS database,iPhoneOS version and SQL version to a remote server in tar-gzipped format. It also scanned fixed IP ranges and the phone’slocal IP range for other Jailbroken iPhones and sent a copy ofitself to them.

This variant was not included in the Inventory for thefollowing two reasons :

1) JailBroken Devices : The malware worked only onJailBroken devices, and in addition, only on ones thathad an SSH-enabled application and used the defaultssh password ’alpine’.

2) C&C Down : As with the previous case, the malwarewould need to be able to be commanded by a remotelocation in order to qualify as a bot. In this case,there were no confirmed cases of the exact responsereceived from the C&C. It appears the C&C wastaken down fairly soon.

However, it is considered as a precursor due to the factthat it posessed the ability to receive and execute shell scriptsfrom a remote server[3].

1) Proofs of Concept (PoCs): This section lists out somePoCs of mobile botnets that have been released over the years.

• In 2010, a PoC for a cellular botnet architecture waspresented[4]. The authors evaluated a P2P-based C&Cmechanism for mobile phone botnets and implementedit on Jailbroken iPhones. Finally, they compared multi-ple approaches for C&C communication - P2P, SMS,SMS-HTTP and concluded that an SMS-HTTP hy-brid approach was optimal for C&C communication

because of the difficulty in monitoring and disruptingit.

• In 2011, the PoC for an advanced (at the time ofwriting) Android botnet was introduced. The botnet,called Andbot[5], used a novel C&C strategy namedURL Flux. The authors used a Username Generationalgorithm (UGA) to generate the username of a socialmedia account that served as the C&C. The accountwould generate encrypted tweets that would serve ascommands after decryption by the bot. They foundAndbot to be stealthy, resilient, and low cost.

• In the same year, another PoC was presented thatmade use of a mechanism for proxying the applicationlayer and modem on the phone[6]. The concept wasbased on previous work that used the same mechanismfor SMS fuzzing[7]. The botnet architecture presentedplaced the bot functionality between the applicationlayer and modem, which would then listen for receivedSMS messages, decode them and check for a Bot key.If the key was found, the payload functionality wouldbe performed. Else, the SMS message would be passedonto the application layer as is done by default.

• In 2012, the authors of [8] presented the detaileddesign of PoC mobile botnet. They also include attackvectors for spreading the bot code to smartphonesthat wasn’t covered in previous works. They also usedSMS messages as the C&C channel. They comparedstructured and unstructured P2P architectures and con-cluded that the structured architecture (a modifiedKademlia) was a better option.

C. The Inventory

TABLE I: Known mobile bot variants, in chronological order

Time1 Name of Variant C&CType

Info.LeakedbyDefault

Botnet Commands Bot Capabilities MainMotivation #2

2010

Sep2010

Android/SmsHowU.A SMS None ”How are you???” or

”how are you?”

Send location usingGPS + Google mapslink to current geo-graphic location viaSMS

Grab location ofvictim 18

Sep2010 SymbOS/Zitmo.A SMS None

ON, OFF, ADDSENDER, SETSENDER, REMSENDER, BLOCKON, BLOCK OFF,SET ADMIN

SMS Forwarding SMS/mTANstealing 2

2011

Jan2011 Android/Geinimi.A

HTTPPort8080

PhoneNumber,IMEI,NetworkOperatorDetails,IMSI,VoiceMailNumber,SIMOperatorDetails,SIMSerialNumber,SIMState,BuildInfo.

PostUrl, call://,email://, map://,sms://, search://,install://, shortcut://,contact://,wallpaper://,bookmark://, http://,toast://, startapp://,suggestsms://,silentsms://, text://contactlist,smsrecord,deviceinfo, location,sms, register,call, suggestsms,skiptime,changefrequency,applist, updatehost,install,uninstall,showurl, shell, kill,start, smskiller, dsms

Send Email &SMS, Make phonecalls, Update C&Caddress, SelectiveDeletion of SMSmessages, Add newApplication Shortcuticons, Create aBookmark, Displaynotifications, Listrunning processes,Perform web search,Display Google Mapof current locationetc.

Propagation ofpossible malware 632

Feb2011 BlackBerry/Zitmo.A SMS None

ON, OFF, ADDSENDER, SETSENDER, REMSENDER, BLOCKON, BLOCK OFF,SET ADMIN

SMS Forwarding SMS/mTANstealing 1

Feb2011 SymbOS/Zitmo.B SMS None UNINSTALL 45930,

SET ADMIN

SMS Forwarding, In-stall new packages,Send an SMS withtext ”app installedok”

SMS/mTANStealing,Propagationof possiblemalware

2

[1] Time of Discovery of the First Sample[2] Number of Unique Samples





Feb2011 WinCE/Zitmo.B SMS None UNINSTALL 45930,

SET ADMIN

Install new packages,Forward SMS, Sendan SMS with text”app installed ok”

SMS/mTANStealing,Propagationof possiblemalware

2

Mar2011 Android/PjApps.A

HTTPPort8118

IMEI,IMSI,PhoneNumber,SMSservicecenter,ICCID

execMark, execPush,execSoft, execTanc,execXbox

Insert Bookmark,Send SMS, Installa new application,Open URL in phonebrowser

Financial, Propa-gation of possiblemalware

320

May2011

Android/Smspacem.A

HTTP+SMS

PhoneNumber,NetworkOperatorName

HTTP : formula401,pacemSMS : health

Send SMS to allcontacts on phonecontaining an HTTPlink, Send victim’sEmail address viaHTTP.SMS commandsends an SMS backto the sender sayingI am infected andalive ver 1.00.

Propagationof possiblemalware, Spam

27

Jun2011 Android/CruseWin.A HTTP IMEI sms, insms, url,

clean, listapp, update

Send SMS, RelaySMS, UpdateC&C address,List InstalledApplications onphone, Deletespecific Applicationfrom phone, Visitspecified URLif bot’s versionis different fromversion numberreceived from C&C

Spying or Finan-cial (by sendingSMS to premiumnumbers)

26

Jun2011

Android/DroidKungFu.A HTTP IMEI

execDelete,execInstall,execOpenUrl,execStartApp

Download, Installa-tion and Executionof other packages,Uninstallation of apackage, Open URLin Phone Browser

Propagation ofpossible malware 1000+






Jun2011

Android/JSmsHider.A HTTP

IMEI,IMSI,User-Agentstring,CellLocation,SDKVersion,BotversionNumber

001, 002, 003, 004,005, 006, 007, 008

Hide and deleteSMS from numberstarting with ”106”,Set bot’s updaterate, Download andinstall package,Update a package,Send SMS, AddAPN of a Chineseoperator, UpdateC&C address


47

Jun2011 Android/Plankton.A HTTP

IMEI,BuildInfo.

commandstatus,commands, activate,bookmarks, history,installation,shortcuts, status,homepage,terminate,unexpectedexception

Set Browser Home-page, Get/Set Book-marks, Get/Set listof Shortcuts on thephone’s main Ap-plication Page, SendDebugging Info.


Jun2011 Android/YzhcSms.A

HTTPPort8080

IMEI,IMSI,PhoneNumber,BuildInfo.

XML responsecontaining tagsdomreg, upgrade,address, time, widget

Send SMS, Upgradeself, Widget elementof C&C’s XMLresponse containsa URL to contact,Phone numbersto send SMSto+Content of SMSto send

Financial 1

Jul2011

Android/GoldDream.A HTTP IMEI,

IMSI 1 -8

Send SMS, Makea Phone Call,Download andInstall new packages,Delete packages,Upload files to aURL


405

Jul2011 Android/PjApps.B

HTTPPort8018

IMEI,IMSI,PhoneNumber,LocationInfo.

execTask, execXBox Send SMS, Visit aURL Financial 15






Aug2011 Android/NickiSpy.B SMS IMEI

Password# + record,contact, 0boot,1boot, 0log, 1log,sendlog, 0sms, 1sms,sendsms, 0gps, 1gps,state, newnum, 0all,1all

Send SMS history,Phone Contacts,Call Logs,Status of phone;Enable/DisableBootingNotifications, PhoneCall Monitoring,SMS Monitoring,GPS Monitoring;Update C&CNumber

Spying/Datastealing 20

Aug2011 Android/Pirates.A HTTP

IMEI,IMSI,AndroidSDKversion

sendsms, blog down,free down, fav down,open wap

Send SMS, AddBookmark, OpenURL in PhoneBrowser, Set APN

Financial 107

Aug2011 SymbOS/Spinilog.A HTTP None

###CellInfo:,,,;,###SMSInfo:,,,;,###SMSSend:[Param],,,;,###EMailSend:[Param],,,;,###Send-File:[Param],,,;,###MakeA-Call:[Param],,,;,###BtSendMy-File:[Param],,,;,###LogInfo:,,,;,###CalendarInfo:,,,;,###Systemlist:,,,;

Send SMS, SendEmail, Make a phonecall, Send a file viaBluetooth, Sendphone informationto an email address

SMS/Data steal-ing, Propagationof possible mal-ware

1

Sep2011

Android/DroidKungFu.D HTTP IMEI

execDelete,execInstall,execHomepage,execOpenUrl,execStartApp,execUpBin,execSysInstall

Download, Installand Execution ofother packages,Download andinstall a package inthe ”system/app”folder, Set BrowserHomepage, OpenURL in PhoneBrowser, Downloadand edit DHCPCDand other files







Oct2011 Android/FakeInst.B HTTP IMEI,

IMSI

delete list, catchlist, catch num-ber=[NUM], deletenumber=[NUM],command name=removeAllSmsFilter,command name=sendContactList,command name=removeCurrent-CatchFilter,wait seconds,http url=[URL]method=GET orPOST, paramname=[NAME],update, screen

Selective SMSdeletion, SelectiveSMS forwarding,Send Contact List,Contact URL,Update Self

SMS/mTANstealing,Propagationof possiblemalware

177

Nov2011 Android/Geinimi.B HTTP

Same asAndroid/Geinimi.A

Same asAndroid/Geinimi.A

Send Email &SMS, Make phonecalls, Add newApplication Shortcuticons, Create aBookmark, Displaynotifications, Listrunning processes,Perform web search,Display Google Mapof current location

Propagation ofpossible mal-ware/Displayingads

105

Nov2011

Android/GoldenEagle.A SMS None

..>*<>>.a,

..>..*5r>,

..><<*b.*,

..>***h<,

..><<*>y,

..>...**j<,

..>>>*..w, ...*<.>,

..>****>.<,

..>.<.>*8<,

..>.*<.>*,

..>**>..8

Forward SMShistory, Call Logs,Contact List, AudioRecordings fromphone to hard-codedemail addresses.Update EmailDestination


2012

Jan2012

Android/DroidKungFu.F

HTTPPort9000

IMEI GETID, GETTASK,URLREPORT

Download, Installa-tion and Executionof other packages,Uninstallation of apackage


Feb2012 Android/Fjcon.A HTTP Phone IC-

CID

XML messagecontaining name anddownload URL foran application toinstall

Selective SMS Hid-ing, SMS Sending,Download and In-stall of other pack-ages


80






Feb2012

Android/Rootsmart.A HTTP

IMEI,IMSI,Cell ID,LocationAreaCode,MobileNetworkCode

action.host start,action.boot,action.shutdown,action.screen off,action.install,action.installed,action.check live,action.download shells,action.exploid,action.first commitlocalinfo,action.load taskinfo,action.download apk

Send SMS, Down-load and install ap-plications


15

Feb2012 Android/Zitmo.A SMS None on, off, set admin

SMS forwarding,Start/stop SMSforwarding, UpdateC&C phone #

SMS and mTANStealing 108

Apr2012

Android/DroidKungFu.G HTTP IMEI

Download, Installa-tion and Executionof other packages


May2012 Android/TigerBot.A SMS IMEI

**, *0000*11*,*[dddd]*15*[proc],*[dddd]*16*[proc],*[key]*21*,*[key]*13,*[key]*17*a*b,*[key]*19,*[key]*18,*[key]*22

SMS Sending to agiven Phone #, SendNetwork Info., Cap-ture Image, ChangeAPN, Notify of SIMchange, Kill specificrunning applications,Restart the device,Report Current Lo-cation, Send DebugInfo.

Financial,Spying/Datastealing

40

Jun2012

Android/NotCompatible.A

HTTPPort8014

None

connectProxy,newServer,sendError, sendPong,shutdownChanal

Use of the infecteddevice as a proxyserver (Probably togain access to privatenetworks)

Proxy 25

Jun2012 Android/Zitmo.E SMS IMEI,

IMSI#, /, !, comma +[NUMBER]

SMS forwarding,Change the C&CPhone #, MarkSoftware forUninstall, CleanSettings

SMS/mTANstealing 28

Jul2012 Android/FkToken.A HTTP

IMEI,IMSI,PhoneNumber

sms, catch, delete,httpRequest, param,update, screen, com-mand, wait, server

Selective SMSForwarding,Selective SMSDeletion, Forwardphone ContactList, ConfigurationUpdate

SMS and mTANStealing 688






Jul2012 Android/Spitmo.D SMS

IMEI,IMSI,PhoneNumber

#, /, !, comma +[NUMBER]

SMS forwarding,Update C&CPhone #, ToggleSMS Control andforwarding

SMS/mTANStealing 1

Jul2012 Android/Twikabot.A HTTP

IMEI,PhoneNumber

sms SMS Sending Financial 5

Aug2012 Android/Fakemart.A HTTP None sms

ConfigurationUpdate, SMSSending, SMSHiding

Financial 3

Aug2012 Android/Fakemart.B HTTP None sms

ConfigurationUpdate, SMSSending, SMSHiding

Financial 16

Aug2012 Android/LuckyCat.A

HTTPPort54321

PhoneNumber

mSendReport,GetDirList,mReadFileDataFun,mWriteFileDataFun

Browse DirectoryInfo, Download andUpload files, SendInformation suchas Phone # & IPAddress of victim’sphone


Aug2012 Android/Vdloader.A

HTTPPort8080

IMEI,IMSI,PhoneNumber,AndroidSDKVersion,NetworkType,PhoneType,PhoneModel,NetworkOperator

Flag= + 0,1,2

DisplayNotifications, SMSSending, Downloadand Install packages


151

Sep2012 Android/FakeLash.A HTTP

IMEI,PhoneNumber,SIMSerialNumber,AndroidID

MSG:, PPI:, NUM:,SMS:

Selective SMS Hid-ing and Forwarding,Send SMS, Updatelist of #s to hideSMS from

Financial 2






Sep2012 Android/Vidro.A HTTPS

IMEI,BuildInfo.,CountryCode,PhoneLanguage,SIM CardcountryISO, SIMCardOperator

service code,service text,Service interval,apk source

SelectiveSMS Hiding,SMS Sending,ConfigurationUpdate

Financial 159

Nov2012 Android/FkLookt.A HTTP None

clearFileList, clear-Alarm, getTexts, get-Dir, getFile, getSize

Delete files on thevictim’s phone, Up-load the phone’s FileListing to an FTPserver, Save SMS orMMS history fromthe phone to a partic-ular location.


2013

Jan2013 Android/Stealer.B

HTTP+SMS

IMEI,IMSI,PhoneContacts

HTTP : time, sms,send, delete, smscfSMS : ServerKey +001, 002, anything

Specify time whenTrojan should nextcontact C&C, SMSSending, DeleteSMS from phone,Selective SMSHidingStart application,Forward receivedSMS, UpdateServerKey value

Financial,Spying/Datastealing

7

Jan2013 Android/Tascudap.A

HTTPat2700-2799

None #m, #u, #t

Send out SMS,Send large numberof UDP packetscontaining randomlychosen bytes tospecified URL

Financial, DDoS 40






Feb2013 Android/Claco.A

HTTPatport9999

Email Ad-dress reg-istered onphone

info, sms, call,exec, device reboot,get packages,open, get sd map,get file, get dir,get sms,del sms, ringer,get network info,creds attack,creds dropbox,get pics,get contacts,forward,forward unset,usb autorun attack,start track,commands

Send out SMSmessages, MakePhone Calls, Togglethe Wifi State,Reboot the Device,Start other Activitieson the device, DeleteSMS Messages,Change Ringer State.Upload NetworkInformation, Fileand DirectoryListing, SMSrecords, contactinformation, Androidand Dropbox usercredentials, Buildinformation

Financial,Spying/Datastealing(particularlyAccountCredentials).Propapgation ofmalware to PCwhen phone isconnected to it inUSB mode

4

Mar2013 Android/Chuli.A HTTP Phone

Numbercontact, location,sms, other

Send List of PhoneContacts, SendLocation Info.,SMS forwarding,Send info. regardingReceived Calls


Apr2013 Android/BadNews.A HTTP

IMEI,Phonenumber,64 bitAndroidID, BuildInfo.,PhoneLanguage

news, showpage,install, showinstall,iconpage, iconinstall,newdomen,seconddomen,stop, testpost

Display of notifica-tions that could leadto the further down-load and installationof packages, Updateaddress of the C&Cserver, Install Short-cuts on the infectedphone


Apr2013 Android/Perkel.A SMS None &&, @DELETE

Activate SMS lis-tener for a specificperiod of time, For-ward SMS to a hard-coded Phone #, De-activate Bot

SMS/mTANstealing 9

Apr2013 Android/SmsMngr.A HTTP

IMSI,PhoneNumber

GET RECIVE MESSAGE,GET SEND MESSAGE,MOD-IFY MESSAGE,DELETE MESSAGE,SHOW MESSAGE

Delete, Modify, For-ward SMS messagespresent in the Inbox

SMS/mTANstealing 1






Apr2013 Android/Smsilence.A SMS Phone

Number 112, 113

Uninstall self,Download andInstall payloadfrom hard-codedlocation, SMSfrom hard-codednumber results inDeletion of a specificApplication


Apr2013 Android/SMSSpy.F HTTP Phone

Number 219083

SMS forwarding, IfC&C respondswith thecommand(219083),the received SMSMessage is hiddenfrom the user

SMS/mTANstealing 105

May2013 Android/Pincer.A SMS

IMEI,PhoneNumber,BuildInfo.,NetworkOperatorName,AndroidID, PhoneLanguage,Rootingstate ofphone

command:start sms forwarding,start call blocking,stop sms forwarding,stop call blocking,send sms,execute ussd, sim-ple execute ussd,stop program,show message,delay change, ping

Selective SMSforwarding,Selective CallBlocking, SMSSending, UpdateCommand FetchingInterval, Stop bot


May2013 Android/Stels.A HTTP IMEI,

IMSI

wait, server,subPref, botId, re-moteAllSmsFilters,remoteAllCatch-Filters, deleteSms,catchSms, sendSms,httpRequest,update, uninstall,notifications,openUrl,sendContactList,sendPackageList,makeCall

Call a given Phone#, Send an attacker-defined SMS, Opengiven URL in PhoneBrowser, Toast a spe-cific message

Financial 3

Jun2013 Android/Tetus.A HTTP

IMEI,NetworkCarrier,NetworkOperatorName,BuildInfo.,FirmwareVersion

csc, keyword, ucsa

SMS forwarding,SMS Sending,Update SMSdestination &Content, Sendupdates when apartner applicationis installed







Jul2013 Android/IknoSpy.A HTTP

IMEI,Incoming&OutgoingCall Logsand SMSmessages

REQ TYPE = LOC,REQ TYPE = CAM

Toggle GPS status,Send LocationInformation, Capturepictures from PhoneCamera

Spy/Data stealing 1

Jul2013

Android/MSNewsSpy.A SMS IMEI,

IMSI!#10:, !#16:, !#20:,!#30:

Delete all SMS mes-sages, Send SMS toa hard-coded PhoneNumber, Hide In-coming SMS

Financial 4

Jul2013 Android/Rmspy.A SMS

IMEI,NetworkOperatorName

*#OLDPIN#INT#NEWPIN*

Update PIN valueused to identifySMS containingbot commands,SMS Sending whencalls received, HideIncoming Calls,Detect SIM change,Detect BatteryChange


Jul2013 Android/SaurFtp.A

HTTP+SMS

IMEI,IMSI,SIMSerialNumber,PhoneNumber,Location,Call logs,SMShistory,ContactInforma-tion

HTTP : No com-mandsSMS : 5&

HTTP C&C returnsaddress of FTPserver wherecollected data isuploaded.

SMS commandhides received SMS& replies withCellular NetworkDetails


Aug2013 Android/AndroRat.A HTTP

IMEI,PhoneNumber,CountryCode,OperatorName,SIMCountryCode,SIMSerial #

5, 101-123

Forward GPSinformation,Contacts, DirectoryListings andContents, SavedFiles, Call Logsand SMS history.Record Audio, Takea Picture, Displaya Popup on theuser’s phone, Open aURL in the Phone’sBrowser, Cause thephone to vibrate,Make a phone call,Send out SMS

Spying/Datastealing 1000+






Sep2013 Android/Crosate.A HTTP

IMEI,PhoneNumber,SIMCountryISO,NetworkOperatorName

setFilter start,setFilter stop,macros, forceZOn, forceZ Off,callBlock start,callBlock stop,getMessages in,getMessages out,keyHttpGate,keySmsGate,sendSms

Steal SMS, Call logs,Contact information;SMS Sending;Record a call; Makea phone call


Sep2013

Android/Hesperbot.A SMS None +[NUM], on, off,

uninstall

Set C&C Phone#, Switch on/offSMS Forwarding,UninstallApplication

SMS & mTANStealing 1

2014

Jan2014 Android/FakePlay.C HTTP


sms start, sms stop,call start, call stop,sms list, call list,start record, stoprecord, sendSMS,contact list, wipedata

Download and installof fake BankingApplications,SMS forwarding,Prevention ofReceived callnotifications+hidingfrom Call Logs,Send Contact List,Send list of InstalledApplications, SMSSending

Propagationof malware,Spying/Datastealing

3

Jan2014 Android/Nitmo.A SMS


sms start, sms stop,call start, call stop,sms list, call list,start record, stoprecord, sendSMS,contact list, wipedata

Start/stop SMSforwarding, Callforwarding, AudioRecording; ForwardSMS history, CallLogs, Contact List;SMS Sending,Reboot device anderase all user data


Jun2014 Android/Pletor.A

HTTPusingTOR

IMEI ”command”: ”stop” Deactivateransomware

Financial(Extortionof money) 54

Jun2014 Android/Pletor.B SMS IMEI stopec Deactivate

ransomwareFinancial(Extortionof money) 4






Jul2014 Android/Wroba.I SMS Phone

Number

ak49-[URL], ak40-[MSG], wokm-[MSG], ak60-[EMAIL], ak61-[PWD]

Update value ofURL or EMAIL& PWD wherestolen info. issent, Send SMScontaining MSG toall Phone Contacts,Leak Banking &Credit Card details,Download and installof fake banking app.updates

Propagationof possiblemalware,Financial,Installation ofbanking malware

77

Jul2014 Android/Wroba.M HTTP

IMEI,BuildInfo.,NetworkOperatorName,List ofKoreanBankingAppli-cationsinstalled,PhoneContactsList,IMSI,NetworkInfo., SIMOperatorInfo.,PhoneNumber,VoiceMailNumber

padding, right, left,top, margin

SMS sendingto phone contacts,Download and installof fake updates forexisting BankingApplications,Upgrade self

Propagationof possiblemalware,Installation ofbanking malware

156

Oct2014 Android/Xsser.A HTTP

IMEI,IMSI,SIMSerial #,SIM State

2-24, 40-46, 100,101

Grab SMSHistory, Call Logs,GPS/Location Info.,Phone Browser& Email History,Phone’s File Listing;Send Incoming &Outgoing PhoneCall Recordings andAudio Recordings;Run shell commandsreceived onphone; Download,Upload or DeleteFiles; Display aNotification



Fig. 1. Location grabbing functionality in Android/SmsHowU

D. Some particularly interesting variants

Variants with particularly unusual and/or interesting func-tionalities have been detailed in this section, followed bysubsections on Anti-Debugging Tricks, Code Obfuscation andTraffic Encryption, and unusual attack vectors seen in the wild.

• Android/SmsHowU : (sha256sum :a3444b5c12334b24a587c083eb6c73d3a982397abd0a5eff3d1718bc1c392896)This variant sends the user’s GPS location along with a Google maps linkto the sender of the innocent looking SMS command ”how are you?”. Thelocation grabbing functionality is implemented by the code seen in Figure 1.

The requestLocationUpdates() function registers the current activity to beupdated periodically by a provider matching the requirements specified bylocalCriteria, with location updates[9]. The function specifies no constraintson a time interval between updates but the distance between the user’slocation at the time of updates is constrained to 10 meters.The Google maps link creation is implemented by the code below which isbased on snippets from the original malware code

Geocoder localGeocoder;localGeocoder = new Geocoder(this.context, Locale

.getDefault());localList = localGeocoder.getFromLocation(paramLocation

.getLatitude(), paramLocation.getLongitude(), 1);Address localAddress = (Address)localList.get(0);if (localList != null){

localStringBuffer2 = new StringBuffer();localStringBuffer2.append

("Android device map link: \n");localStringBuffer2.append

("http://maps.google.de/maps?q=");localStringBuffer2.append(URLEncoder

.encode(localAddress.getAddressLine(i) + ","));}Object localObject = localStringBuffer2;

The collected information is then sent via SMS, asimplemented in the code below

if (localObject != null){

String str4 = localObject.toString();SmsManager sms;this.sms.sendTextMessage(this._to, null, str4,

this.sentIntent, null);}

where to is the sender of the SMS command i.e. thebotmaster.

• Android/NotCompatible : (sha256sum :

1a18e48fbd79ce84d946b4d065a7e30c5f10a4762437a6c8d888348afbab685f)

This malware family supports a command called”connectProxy” that makes it interesting. Whenreceived, the bot opens a connection to the IP addressand port specified by the package’s configuration file,and redirects traffic to this location, thus allowing aremote attacker to use the infected device as a proxyserver.

Fig. 2. Strings used for C&C Address Generation

• Android/Twikabot : (sha256sum :

b63c33cc71eda01b79572e1f8b82b703f9c088fde6966c7cf855f00f8c77775d)

This bot variant contacts Twitter accounts toacquire the names of C&C servers to contact. Thisfunctionality is implemented in the following steps

1) Once launched, the StatisticsUploader classgenerates a random string using an algorithmusing predefined strings present in the pack-age.

2) This string serves as a nickname for a Twitteraccount. The malware then sends an HTTP re-quest to http://mobile.twitter.com/[GeneratedUsername].

3) From the response to the HTTP request, itextracts the string present between a randomlychosen tag from arrayOfString3 and a ran-domly chosen domain name from arrayOf-String1 whose values are shown in the Figure2.

4) Next, it sends a POST requestto the URL ”http://”+[ExtractedString]+”/carbontetraiodide” with arandomly generated user agent. The infectedphone’s IMEI, Android ID and phone numberare included as POST parameters.

5) It then checks the response to the POSTrequest to see if it contains a command called”sms”. If yes, it sends out an SMS messageusing information in the POST response suchas ”phone” (SMS destination), ”data” (SMSbody) and ”interval” (number of times to sendthe SMS).

• Android/Tascudap : (sha256sum :

c88a6e66e300268bcb6bd8f725565c24a04bc70bbba8c522235bfb505623ed2d)

This bot variant shows no explicit signs of itspresence once it is installed. However, it is launchedevery time the official Google Play application is

Fig. 3. Android/Tascudap’s functionality to ensure it is launched with GooglePlay

Fig. 5. Android/Claco’s ”usb autorun attack” Command

launched. It implements this functionality by addingthe application’s main intent to the the categoryandroid.intent.category.APP MARKET that is sentout when the Google Play application is launched.The implementation is seen in Figure 3.

More interestingly, apart from being able to processcommands for sending out SMS messages andheartbeat messages back to the attacker, it can alsobe made to send out numerous UDP packets to aspecific destination. This is implemented in the codeshown in Figure 4 and can only be explained as anattempt at a Denial Of Service (DoS) attack on adestination specified by the attacker.

The exact implementation of this command canbe explained as

ifUser receives SMS containing

"\#u[Dst]:[Port]:[c]:[d]" or"\#u[Dst]:[Port]:[d]"

thenSend large number of UDP packets containingrandomly generated byte array of random lengthto the address Dst at port Port, d number oftimes. The value c, whose default value is 500,is used for the generation of the byte array.

• Android/Claco : (sha256sum :

7b1746778d0196bf01251fd1cf5110a2ef41d707dc7c67734550dbdf3e577bb9)

This bot variant is interesting for its ability to processa command called ”usb autorun attack” that leadsto the download of certain files from the C&C thatcould be used to infect a PC when the phone isconnected to it in USB mode. The implementation ofthis functionality in the code is seen in Figure 5.

It also implements another interesting commandcalled ”ringer” that is followed by a parameter.Depending upon the value of this parameter, thephone’s ringer state is set to ”silent” or ”normal”.The corresponding code is seen in Figure 6.

Fig. 6. Android/Claco’s ”ringer” Command

Fig. 7. Anti-Debugging Trick in Android/NickiSpy.B

1) Anti-Debugging Tricks: Anti-debugging tricks are aswidely employed by authors of PC malware however, thesetechniques aren’t as commonly observed in mobile malware.This section will focus on the few mobile bot samples that doemploy them, that were analyzed as part of this study.

• Android/NickiSpy.B (sha256sum :

498b425a8536ce03b5738e1ba3339f70ec2680bc437e1650084d8b908a343405)

checks the IMEI value of the device it is being runon and forwards it to a URL specified in the package.The application continues to run only if the response”y” is received, else it exits. The code implementingthis anti-debugging trick that allows the selective,IMEI-based, attacker-determined execution of thisbot, is seen in Figure 7.

The check() function implements the HTTP requestmade and returns ”true” if the response ”y” isreceived.

• Android/Crosate.A (sha256sum :

15281dbe2603f5973d53c5fddabbcc3de6ad3ec65146aa2ffb34a779ea604f82)

checks the IMEI value of the device it runs on andif it contains the string ”000000000000000”, theapplication exits. This is a useful emulator detectionmechanism since this corresponds to the IMEI valueon the widely-used emulators that come with theAndroid SDK[10]. The implementation can be seenin Figure 8.

• Android/Pincer.A (sha256sum :

032a095067442d60d0df9fadab07553152e5500a67fc95084441752eafd43f70)

checks whether it is being run on an emulator, bychecking certain parameters like the IMEI, modelname, phone number etc. for default values found onan emulator. This can only be assumed to be donewith the intention of hindering dynamic analysis

Fig. 4. Android/Tascudap’s Denial of Service feature

Fig. 8. Emulator Detection in Android/Crosate.A

of the malware on an emulator. These values arementioned below :

Build.PRODUCT = "sdk" or "generic"Build.MODEL = "sdk" or "generic"IMEI = "351565050260436" or "000000000000000"

or "357242043237517" or "012345678912345"Phone Number = "15555215554"Build.HARDWARE = "goldfish"Nw = "Android

If any of the above values are true, the malwaredoesn’t launch the function implementing its botnetcapabilities, thereby effectively hiding it’s maliciousbehaviour.

• Android/Wroba.I (sha256sum :

b103f3897b1619dee157e62a1737e864452a85bab613ad971ac6193b3f6a4834)

checks for the value of the device’s IMEI and phonenumber to detect an emulator. This is implementedusing a code snippet similar to that shown below

this.telephonyManager = ((TelephonyManager)getSystemService("phone"));

String deviceId = "deviceid:" + this.telephonyManager.getDeviceId();

String phoneIdentity = this.telephonyManager.getLine1Number();

if ((phoneIdentity.startsWith("15555")) ||(deviceId.startsWith("00000000")))

System.exit(0);

The IMEI value used for emulator detection is”00000000” however, this check doesn’t function dueto a coding flaw. If the phone number on the de-vice begins with ”15555”, the application exits. Thishelps with emulator detection since the default PhoneNumber on a standard emulator is ”15555215554”.For multiple emulator instances running in parallel,the last 4 digits of the phone number are incrementedto the next even number, within the range 5554 and5584[11].

2) Code Obfuscation and Traffic Encryption: This sectiondetails bot variants that employ techniques to hide code bymeans of obfuscation or encryption, and those that make use oftraffic encryption to prevent detection by analysis of networktraffic. Each example also shows the implementation of theobfuscation, decryption or encryption schemes in the bot’scode.

• Android/PjApps.A : (sha256sum :b84ebe48e60d74984e7e9f5d8c12c2c578ea3554b73df4af8209bbdb7276c839)The C&C URL is ’encrypted’ with a simple algorithmthat uses only alternate characters of a given string.The decryption routine is implemented in the functioncom.android.main.a.a() of the package that takes theencrypted string and an integer as arguments. Thisclass is defined as

public static String a(String paramString, int paramInt){

StringBuffer localStringBuffer = new StringBuffer();String str1, str2;int i = paramString.length();for (int j = 0; ; j++){

if (j >= i / 2){

str2 = localStringBuffer.toString();

String str3 = str2.substring(0, paramInt);if (paramInt <= 0){

str1 = str2.substring(paramInt, str2.length() - 3) + "." + str2.substring(str2.length() - 3);

}str1 = str3 + "." + str2.substring(paramInt,

str2.length() - 3) + "." +str2.substring(str2.length() - 3);

break;}localStringBuffer.append(paramString.substring

(1 + j * 2, 2 + j * 2));}return str1;

}

To give an example of its application in a bot sample,

a("3lgoagdmfejekgfos9t15chojm", 3) = "log.meego91.com"

• Android/Vdloader.A : (sha256sum :7a771f17e3315c9a93b6ccb1cd5e5e03ca8feeb2d02369d13e5dcdb0b95aaca8)This sample uses a custom string encryption method.The decrypted string is calculated as [char -position].The decryption code can be found at [12].

To give an example from the bot code, decryption ofthe string below results in a configuration string usedby the bot.

decrypt d = new decrypt();String str=d.a("7B237868263F283F36392C372E7B7183324B3443364138807B8D3C553E4D404B42849796465F8149909D9E9B665C5D909193949697999A9C9D679DAAA977766F787171B372AFB9B76AA6766DBFB6708972838284768178BAC17B947D8D7FDB");

System.out.println ("Decryption result: "+str);

gives the output

Decryption result: {"ve":"8.0","nct":"0","ict":"0","cus":["http://aabbccddee.com:8080/p.jsp"],"si":"201","ci":"1"}

• Android/Tascudap.A : (sha256sum :c88a6e66e300268bcb6bd8f725565c24a04bc70bbba8c522235bfb505623ed2d)This variant also makes use of a custom encryptionmethod based on arithmetic and logical operations,for hiding the C&C address. The decryption can befound at [13]. The decrypted output looks like this

Output = gzqtmtsnidcdwxoborizslk.com

• Android/NotCompatible : (sha256sum :

1a18e48fbd79ce84d946b4d065a7e30c5f10a4762437a6c8d888348afbab685f)

In this case, the configuration file is encrypted usingAES. The bot decrypts a file in the package assetsusing AES with a key that is the SHA-256 hash of ahard-coded string. This implementation is seen in thebot’s code in Figure 9

• Android/LuckyCat : (sha256sum :

5d2b0d143f09f31bf52f0ffa0810c66f94660490945a4ee679ea80f709aae3bd)

This variant XOR ’encrypts’ the traffic sent to theC&C. The encryption can be seen in Figure 10,where paramArrayOfByte contains the information tothe be sent to the C&C.

• Android/SaurFtp.A : (sha256sum :9390a145806157cadc54ecd69d4ededc31534a19a1cebbb1824a9eb4febdc56d)This bot variant gets its C&C address from a file inthe package assets called proper.ini. The contents of

Fig. 9. AES decryption using a key obtained from the SHA256 hash of ahard-coded string in Android/NotCompatible

Fig. 10. Traffic Encryption by Android/LuckyCat

Fig. 11. XOR decryption in Android/SaurFtp with a key providing life advice

the file between the characters ”<####” and ”####>”are read and then XOR decrypted as shown in theFigure 11.

The result of the decryption is shown below

#### http://android.uyghur.dnsd.me/default.htm ####android.uyghu?O????I?E[\U?SBQE???1?S??F?PFR???,U????JWNFNEJ?GLMT?RF?JM?P?XVQQZMPGG\TUT?T[P?ARBRWMP[Q?XˆT?A\Kˆ[GJ?SLNNJT

This result is split at ”####” and the first half of thesplit serves as the C&C server address from where thebot acquires the address of an FTP server where allthe collected information is finally uploaded.

• Android/JSmsHider.A : (sha256sum :

522e7ded785cfedb5e5200bcf29be072d4e16ba5868b83dcf729d769231303fb)

This variant DES encrypts values of the POSTparameters i.e. the collected data, in traffic sent tothe C&C, as can be seen from the bot’s code shownin Figure 12.

• Android/DroidKungFu.E : (sha256sum :

66d90617f49aa2449e338455d3b9ce852c2ca45d5460c1e9e40bb050333b7dfb)

This bot variant contains an encrypted binary in thepackage assets under the name WebView.db.init. The

Fig. 12. Android/JSmsHider.A DES encrypts traffic to C&C

Fig. 13. AES Decryption routine in Android/KungFu.E. The byte array WPcontains the hard-coded key

Fig. 14. Bitwise NOT decryption of strings in native libraries used byAndroid/DroidKungfu.F, G

file is decrypted using AES with a hard-coded key,as seen in Figure 13. The resulting decrypted file isan ELF-binary that is then executed and contains themalicious bot functionality of communicating withthe C&C, downloading other packages and installingthem.

• Android/DroidKungFu.F, G : (sha256sum :

6c4aebf5043ea6129122ebf482366c9f7cb5fbe02e2bb776345d32d89b77a2e0)

These variants make use of Java code from a nativelibrary in order to drop an executable onto a rootedAndroid device. The native library contains encryptedstrings that are first decrypted before the librarycan drop the malicious executable. The decryptionscheme used is a Bitwise NOT operation on eachbyte of the encrypted string. This is shown in thenative library’s IDA disassembly seen in Figure 14.

• Android/Wroba.I : (sha256sum :

b103f3897b1619dee157e62a1737e864452a85bab613ad971ac6193b3f6a4834)

This variant hides its main malicious activity withina package that is encrypted and hidden within itself.The inner malicious package is present in the originalpackage as an asset file and is decrypted using DESbefore it can be loaded and the malicious functionscalled. The implemented of this decryption and classloading is seen in the code in Figure 15The code in the figure shows the DES decryption of anasset file ”ds” using the key ”gjaoun”. The decryption

Fig. 15. Decryption and loading of an inner malicious package by An-droid/Wroba.I

results in an Android package that is saved in thepackage directory as ”x.zip” and loaded using thecommand

localDexFile = (DexFile)Class.forName("dalvik.system.DexFile").getMethod("loadDex", arrayOfClass).invoke(null, arrayOfObject);

that invokes the ”dalvik.system.DexFile.loadDex()”function using reflection, a commonly used techniqueto hide function calls.

3) Unusual Attack Vectors: Most mobile malware followthe classic method of uploading Trojanized versions of le-gitimate applications to Android markets (Official or Third-Party/non-Market), in order to propagate in the wild.

It must be mentioned that installation of any applicationthat doesn’t originate from the official ”Google Play Store”Android market requires users to have the ”Allow Installationof non-Market applications” option checked in the phone’sApplication settings. If this is not already the case, the userhas to go through the extra step of checking this option beforethe installation of a non-Market application.

Some examples detailed below deviate from the ’norm’ ofpassing through an Android market and use unusual attackvectors for distribution.

• Android/NotCompatible.A : These variants aremostly served by means of malicious iframes on com-promised websites. An unsuspecting user visiting sucha compromised website would automatically havethe malware downloaded to his/her phone. However,installation of the malware would still require userintervention.

• Android/Chuli.A : This variant was touted as thefirst Android malware delivered using a targetedattack[14]. It was sent as an email attachment tothe accounts of Tibetan human rights advocates &activists in an email regarding the the World UyghurCongress (WUC) Conference that took place inGeneva from 11-13 March, 2013. The malware col-lected contact and location information, received SMSinformation and call records from the infected phones.This spyware functionality combined with its targetednature, led to doubts of political motivations behindthe malware.

• Android/FakePlay.C : This variant was interestingfor its ability to propagate from an infected PC to amobile phone connected to it in USB mode. The attackvector was, thus, from PC to mobile, the inverse of

HTTP/S3 SMS HTTP+SMS4

0

10

20

30

40

43

20

3

#of

Bot

Vari

ants

Fig. 16. C&C Channels used by different bot variants

that employed by Android/Claco.A. The PC malwarepropagating this mobile bot variant has been detectedas W32/BackDoor.VX!tr by Fortinet. This Windowsmalware made use of Android’s Debug Bridge[15] forcommunication between the PC & connected mobiledevice and for installation of the mobile malware.

• Android/Xsser.A : This variant, discovered in 2014,was uniquely served as links in messages on the mo-bile messaging service Whatsapp. It was particularlysent to several participants of the 2014 Hong Kongprotests in September, 2014 as part of the ”OccupyCentral” pro-democracy civil disobience campaign.The Whatsapp message provided a link that claimedto be ”designed by CODE4HK for the coordinationof OCCUPYCENTRAL”[16], however the shortenedlink led to a site with a Chinese TLD, with the URLdeliberately made to look like a legitimate Code4HKlink. This case, once again, led to doubts of politicalmotivations behind malware creation. An iOS variantof the same malware was found on the C&C that theAndroid Trojan communicates with, but no reportsof the iOS variant being distributed in public werereceived.

E. Statistics

This section focusses on statistics based on the differentproperties of the bot variants detailed in the Inventory.

C&C Channel Used

Figure 16 shows a plot of the kind of C&C Channel usedfor communication with the C&C by different bot variants

Of the 43 variants that make use of HTTP, Figure 18shows a plot of the number of variants that make use of HTTPcommunication to the standard port i.e. 80 vs those that use anon-standard port.

3Variants using HTTP or HTTPS4Variants using both HTTP and SMS as C&C channels5These 2 variants used HTTPS and HTTP with TOR respectively

Port=80 Port<>80 Others5

0

5

10

15

20

25

3031

10

2

#of

Bot

Vari

ants

Fig. 17. Ports used by variants using an HTTP C&C Channel

IMEI

IMSI

Phone

Numbe

r

Build Inf

ormati

on6

Locati

on

5

10

15

20

25

30

35

42

2426

13

4

#of

Bot

Vari

ants

Fig. 18. Information Leaked by Default by Different Variants

Information Leaked By Default

Figure 18 plots what information is leaked by defaultagainst the number of variants. Information leaked by defaultrefers to data that is sent simply upon launching the malware,without the receipt of any command from the botmaster.

Device Administrator Privileges

Device Administration is a feature available on devices thatrun an Android version >= 2.2. This feature is available bymeans of an API[17] that mainly provides device adminis-tration features at the system level. It was introduced mainlyto facilitate the development of security-aware applications,

6This information covers everything accessible through the ’an-droid.os.Build’ class

Variants requesting Device Administrator Privileges = 8

Variants not requesting Device Administrator Privileges = 58

87.88%

12.12%

[!t]

Fig. 19. Percentage of Variants Requesting Device Administrator Privileges

however, is also interesting to attackers for the escalated rightsit provides an application.

The most common motivation seen for its use in malware isto make uninstallation of the malware tricky. If the user acceptsto provide Device Administrator Privileges to an applicationafter installation, it can only be uninstalled if its correspondingDevice Administrator is deactivated from the phone’s ”Loca-tion & security” Settings menu. Without knowledge of thisinformation, a user could assume the application in questionis uninstallable.

Figure 19 shows the percentage of bot variants studied thatrequest for these privileges from the user after installation.

Main motivation

During classification of variants based upon the motivationsbehind them, the lines between different categories can getblurry and it can be assumed that they all finally merge towardsmonetary gains. During the writing of this paper, the mostevident motivation was given preference.

Figure 20 shows a plot based on the main motivationsbehind the creation of a bot variant, guessed based upon thebot’s functionalities.

Spying/Data stealing : This category includes all botvariants that also had ’SMS/mTAN Stealing’ as their mainmotivation

Financial : This category includes bot variants that rely onsending SMS to Premium Phone Numbers in order to makemoney and also ransomware.

Propagation of Possible Malware : All variants classifiedunder this category either have the ability to download andinstall new packages onto an infected phone, or send outSMS messages containing links pointing to possible malwareto the Contacts saved on the infected phone. The malwareAndroid/Claco that can infect a PC via USB also falls underthis category.

Signing Certificates

Figure 21 plots the variants against the certificates used tosign one sample of each variant. The certificates have been

Spying

/Data

steali

ng(53

%)

Financ

ial(36

%)

Propag

ation

ofPos

sible

Malw

are(38

%)

Others(

5%)

0

5

10

15

20

25

30

3535

24 25

3

#of

Bot

Vari

ants

Fig. 20. Main Motvations behind creation of bot variant

Androi

d Develo

per Cert

ificate

Custom

Certifica

te

CN=Androi

d

10

15

20

25

30

35

17

37

11

#of

Bot

Vari

ants

Fig. 21. Certificates Used for Signing Different Bot Variants

classified under 3 categories explained in detail below thegraph.

The Android Developer Certificate corresponds to the cer-tificate that comes with the Android SDK. It can be identifiedby the following values

Owner: CN=Android Debug, O=Android, C=USIssuer: CN=Android Debug, O=Android, C=US

A Custom Certificate describes a developer specific certifi-cate. An example is given below

Owner: CN=YabaIssuer: CN=YabaSerial number: 4fc1f17dValid from: Sun May 27 11:18:53 CEST 2012

until: Sat May 19 11:18:53 CEST 2046

Several variants were found to be signed using a certificatelike the one seen below and have hence been grouped undera category of their own.

Owner: [email protected],CN=Android, OU=Android, O=Android,L=Mountain View, ST=California, C=US

Issuer: [email protected],CN=Android, OU=Android, O=Android,L=Mountain View, ST=California, C=US

II. CONCLUSION

By means of this paper, it was shown that malware authorscontinue to be mainly driven by motivations of spying, finan-cial gains and further propagation of malware. The precedenceof financial motivations over spying in the statistics could beexplained by the fact that they don’t take into account howmany successful infections of each variant exist in the wild.

Based on the statistics collected and the variants de-scribed, it can be concluded that although attackers’ mo-tivations haven’t changed much, the strategies used whilewriting malware continue to evolve. Be it the employmentof Anti-Debugging tricks or the increasing use of encryptionand obfuscation in new malware. It was also shown throughexamples that mobile bot variants are still relatively easy totake apart, fortunately for the analyst, and are yet to achievethe level of complexity of their PC counterparts,

More importantly, the emergence of new and innovativeattack vectors, even attacks that can move from one attacksurface to another (Android/Claco.A, Android/FakePlay.C),provides a multi-level threat. Combining that with the fact thatmobile phones are increasingly being used for diverse purposese.g. to control a smart TV, interfacing with a fitness tracker, orinterfacing with any other Internet connected device for thatmatter, more attacks spanning attack surfaces can be expectedto be seen.

Finally, with the use of multiple C&C channels by a singlebot variant and remotely configurable C&C addresses, mobilebotnets are becoming more resilient to takedown.

All these factors hint at the need for systems/applicationsdesigned specifically for detection and takedown of mobilebotnets to be put in place, where this paper aims to proveuseful.

ACKNOWLEDGMENT

The author would like to thank Axelle Apvrille and Guil-laume Lovet for their help. Many thanks also to all authorswhose work was referenced during the writing of the paper.

REFERENCES

[1] Fortinet, 2014, http://www.fortinet.com/sites/default/files/whitepapers/10-Years-of-Mobile-Malware-Whitepaper.pdf.

[2] A. Apvrille, “Symbian worm yxes: Towards mobile botnets ?” inEICAR, 2010, http://www.fortiguard.com/files/EICAR2010 Symbian-Yxes Towards-Mobile-Botnets.pdf.

[3] H. S. Phillip Porras and V. Yegneswaran, “An analysis of the ikee.b(duh) iphone botnet,” http://mtc.sri.com/iPhone/.

[4] J.-P. S. Collin Mulliner, “Rise of the iBots: 0wning a telco network,”in Proceedings of the 5th IEEE International Conference on Maliciousand Unwanted Software (Malware), Nancy, France, October 2010.

[5] Y. L. L. X. Z. T. Ciu Xiang, Fang Binxing, “Andbot:Towards advanced mobile botnets,” in USENIX, 2011,https://www.usenix.org/legacy/events/leet11/tech/slides/xiang.pdf.

[6] G. Weidman, “Transparent botnet control for smart-phones over sms,” in ISSA-DC, 2011, http://www.issa-dc.org/presentations/04192011 weidman smartphone botnets.pdf.

[7] C. M. Collin Mulliner, “Fuzzing the phone in your phone,” inBlackhat USA, 2009, http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-SLIDES.pdf.

[8] X. H. Yuanyuan Zeng, Kang G.Shin, “Design of sms commanded-and-controlled and p2p-structured mobile botnets,” in 5th ACM Conferenceon Security and Privacy in Wireless and Mobile Networks, 2012,http://www-personal.umich.edu/ gracez/mobilebotnet.pdf.

[9] Android, “Location manager,” https://developer.android.com/reference/android/location/LocationManager.html#requestLocationUpdates%28java.lang.String,%20long,%20float,%20android.location.LocationListener%29.

[10] “Android sdk download,” https://developer.android.com/sdk/index.html.[11] DGODDARD, “Changing the imei, provider, model, and phone number

in the android emulator,” http://vrt-blog.snort.org/2013/04/changing-imei-provider-model-and-phone.html.

[12] “Tascudap string decryption,” https://github.com/slojo/Decryptors/blob/master/Tascudap decrypt.java.

[13] “Vdloader string decryption,” https://github.com/slojo/Decryptors/blob/master/Vdloader decrypt.java.

[14] S. Gallagher, “First targeted attack to use android malware dis-covered,” http://arstechnica.com/security/2013/03/first-targeted-attack-to-use-android-malware-discovered/.

[15] Android, “Android debug bridge,” https://developer.android.com/tools/help/adb.html.

[16] Code4HK, “Fake code4hk mobile app,”https://code4hk.hackpad.com/Fake-Code4HK-Mobile-App-HQXXrylI6Wi.

[17] Android, “Device administration,” http://developer.android.com/guide/topics/admin/device-admin.html.

a timeline of mobile botnets - botconf 2018 · a timeline of mobile botnets ruchna nigam fortiguard...

Documents