Mobile Botnets: are all around us!

Anticipations on mobile botnets’ existence have been ended by the Damballa Research Laboratory official reports which discovered 40,000 infected mobile devices that have communicated through cybercriminal C&C servers for the first six months of 2011. Moreover, the McAfee research lab early prediction on advent of widely-distributed and more resilient mobile botnets come closer to reality as the Zeus botnet migrated from computers to mobile devices and targeted mobile banking. Recently nearby a million mobile devices has been infected by botnets in china via 7000 Trojanized applications.

“Security researchers say they have discovered a huge botnet running on the smartphones of more than a million unsuspecting mobile users in China. The botnet can allow the smartphones to be hijacked remotely and potentially used for fraudulent purposes. (BBC)”

The early generations of botnets (e.g. IRC, HTTP, and P2P) have been operating on computer and computer networks with their most common targets being less-monitored computers, computers with high-bandwidth connections, university and company servers and home computers. Recently, mobile devices are well integrated with advanced capabilities and technologies which provides efficient environment to attract botmasters. In addition, soaring use of smartphones and Internet along with their convenience and mobility has motivated botmasters to migrate to mobile infrastructures.

Examples of Real Mobile Botnets

• Zeus

The Zeus in the Mobile or Zitmo infects variety of mobile operating systems, such as Symbian, Windows Mobile, BlackBerry, and Android mainly by social engineering approaches. It sends an infected SMS to victims contain a fake URL to dupe users to download a security certificate which is, in fact, the Zitmo bot. It also intercepts messages which are sent by banks to customers and authenticates illegal transactions by stealing mobile Transaction Authentication Numbers (TAC).

• DroidDream

Back in 2007, David Barroso termed botnets “the silent threat” as they try to control the infected devices without the knowledge of owners. They do not make any unusual or suspicious use of the CPU, memory, or other resources, which may uncover their activities. DroidDream was one of a good example of these silent patterns, since it is activated silently and at night (11pm to 8 am) when the mobile’s users are asleep. It was designed to gain root privileges on infected mobiles and install second application to steal sensitive information and protect itself from removal.

• Android.Bmaster

The Android.Bmaster has infected high number of mobile devices by using Trojan applications and exploited techniques. The Symantec named Bmaster as “A Million-Dollar Mobile Botnet” since it has gained millions of dollars through premium SMS, telephony or video services. However, recently a new mobile botnet called MDK has overtaken the Bmaster by infecting nearby 7000 applications and having one million mobile devices under the control of its botmaster.

• Ikee.B

Although the Ikee.B is a simple botnet in nature, it can be named as one of the early generations of mobile botnets that operates on jailbreak iPhones with almost the same functionality as computer-based botnets. Scanning the IP range of iPhone networks, looking for other vulnerable iPhones in global scale and self-propagation are the main activities of this malware.

• AnserverBot

Amongst different types of mobile botnets the AnserverBot can be considered as one of the most sophisticated malwares.  Its command and control is designed based on a complex two-layer mechanism and implemented over public blog. In addition to detect and disable the security solution in infected device, the AnserverBot periodically checks its signature to verify its integrity in order to protect itself from any type of changes.

• TigerBot

TigerBot is fully controlled by SMS instead of the Internet and web technologies. However, it detects the C&C messages and makes them invisible to the mobile device owners. In addition to collecting private data like SMS messages, it has sophisticated capabilities to record voice call conversations and even surrounding sounds.

The aforementioned botnets are only a few examples of current mobile botnets to emphasize their existence and their negative impacts on mobile network environments.  Although the mobile botnets are newly developed, they are growing extremely fast specially in popular platform such as Android.

“Since July 2012, more than 100 million Android phones have found their way to new owners, which represents slightly more than half of the market in smartphones (sorry, iPhones). Fake apps and bad SMS messaging is the entire rave with the malware writers these days, and as the new year unwinds, we have already seen report after report of this rising tide of “new” target exploits. (Drew Williams, President, Condition Zebra )”

On the other hand, mobile environments are less protected compare to computers and computer networks and their specific characteristics bring notable challenges to mobile botnet and malware detection.

Challenges in mobile botnet detection can be reviewed from two different perspectives as follows:

1)      Inherent Challenges of Botnets:

Regardless of their operational environments, botnets have several characteristics that make them difficult to detect. They are distributed very fast and the botmasters are always trying different techniques to protect their bots from existing detection solutions.

• Developed by Skilful Developers: Botnet developers have higher technical capabilities than any other online attackers. Unlike other types of Cyber threats, botnets are designed and developed for long-term goals, therefore, various strategies are employed by botmasters to keep the bots safe and uncovered, as long as possible.

• Having Dynamic and Flexible Nature: Bot and botnets are continuously being updated and their codes change from day to day. The McAfee Research Lab reported that “every success in Botnet detection is only temporary “as the botmasters frequently change their strategies, and design new methods to recover and restore their detected bots, within a short time. For instance, based on the Zeus Tracker statistics, there are 17 different versions for Zeus botnets alone.

• Using Standard Protocols: Some botnets are using standard protocols to establish their communication infrastructure. For instance, one of the latest generations of botnet, called HTTP-based, uses the standard HTTP protocol to impersonate normal web traffic and bypass the current network security systems (e.g. firewalls and signature based Antiviruses). The AnserverBot discussed above is another example in which a public blog is used to implement command and control mechanism.

“Based on the evaluation with four representative mobile security software, our experiments in November, 2011 show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions. (Android Malware Genome Project)”

• Working in Silent Mode: Without doubts botmasters take a good lesson from what Ram Dass said before! “The quieter you become, the more you can hear”. The bots on infected targets try to avoid any unusual or suspicious use of the CPU, memory, or other computer resources, which may uncover their presence. 

1)      Mobile Environments’ Point of View:

In addition to the aforementioned general challenges there are some mobile based characteristics that bring more difficulties in mobile botnet detection.

• Lack of Protection and Users’ Awareness: Mobile devices are not properly protected compared to computer and computer networks, and their users pay less attention to the security updates

• Resource Limitations: Mobile device resources, such as CPU, memory, and battery life, are limited. Therefore, it is difficult to deploy existing botnet detection solutions for mobile botnets.

• Mobile-Specific Characteristics: There are some mobile-specific characteristics that have differentiated mobile security management from that of computers such as mobility, strict personalization, and different types of connectivity, technology convergence, and variety of capabilities.

• Diversity in Infection: Unlike computer-based botnets, the MoBots can use different mediums (e.g. SMS/MMS/Bluetooth) along with the Internet to spread. Moreover, this diversity makes it default to detect infection processes using current security systems.

• Lack of Central Security Management: Among all of the aforementioned issues, the main challenge with mobile security is the lack of central security management, as it can track and monitor security threats and update the security policies on mobile devices accordingly.

These sophisticated characteristics show that mobile botnet detection is a notable challenge in mobile security management. There are several methods and techniques that have been used to track botnet activities and detect them in computer networks such as Honeypots and Honeynets, attack’s behavior analysis, monitoring and analyzing the DNS, signature-based botnet detection and behavioral analysis techniques. Regardless of the efficiency and accuracy of these techniques, they are mostly designed based on computer and computer network behaviors and characteristics and may not be directly applicable for mobile devices. Therefore, creative solutions are needed to address the challenges discussed in this article.

Meisam Eslahi is an information security researcher and digital forensic investigator, received his Masters’ of Computer Science in Network Security filed from University of Malaya, Malaysia. He is working toward the Ph.D. degree in Computer Engineering and his domain of interests includes Cyber security Threats Detection, Mitigation and Response (Mobile Botnets in Particular), Behavioral Analysis, Cyber safety and Digital Awareness. He has over 11 years of experience in the field of Information Technology with 5 being focused on Cyber Security related domains and holds multiple certifications such as CEH (Certified Ethical Hacking), CHFI (Computer Hacking Forensic Investigator), and IBM certified Solution Advisor for Cloud Computing.  

(By Meisam Eslahi)