The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers

Much of the attention surrounding mobile malware has focused on the in-depth analysis of malicious applications. While bringing the community valuable information about the methods used and data targeted by malware writers, such work has not yet been able to quantify the prevalence with which mobile devices are actually infected. In this paper, we present the first such attempt through a study of the hosting infrastructure used by mobile applications. Using DNS traffic collected over the course of three months from a major US cellular provider as well as a major US noncellular Internet service provider, we identify the DNS domains looked up by mobile applications, and analyze information related to the Internet hosts pointed to by these domains. We make several important observations. The mobile malware found by the research community thus far appears in a minuscule number of devices in the network: 3,492 out of over 380 million (less than 0.0009%) observed during the course of our analysis. This result lends credence to the argument that, while not perfect, mobile application markets are currently providing adequate security for the majority of mobile device users. Second, we find that users of iOS devices are virtually identically as likely to communicate with known low reputation domains as the owners of other mobile platforms, calling into question the conventional wisdom of one platform demonstrably providing greater security than another. Finally, we observe two malware campaigns from the upper levels of the DNS hierarchy and analyze the lifetimes and network properties of these threats. We also note that one of these campaigns ceases to operate long before the malware associated with it is discovered suggesting that network-based countermeasures may be useful in the identification and mitigation of future threats.

[1]  Paul V. Mockapetris,et al.  Domain names - implementation and specification , 1987, RFC.

[2]  Paul V. Mockapetris,et al.  Domain names - concepts and facilities , 1987, RFC.

[3]  Paul Albitz,et al.  DNS and BIND , 1994 .

[4]  Robert Tappan Morris,et al.  DNS performance and the effectiveness of caching , 2001, IMW '01.

[5]  Duane Wessels,et al.  Measurements and Laboratory Simulations of the Upper DNS Hierarchy , 2004, PAM.

[6]  Fabio Ricciato Unwanted traffic in 3G networks , 2006, CCRV.

[7]  Paul Albitz,et al.  DNS and BIND (5th Edition) , 2006 .

[8]  Patrick D. McDaniel,et al.  On Attack Causality in Internet-Connected Cellular Networks , 2007, USENIX Security Symposium.

[9]  Felix C. Freiling,et al.  Measuring and Detecting Fast-Flux Service Networks , 2008, NDSS.

[10]  Wenke Lee,et al.  Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries , 2008, CCS.

[11]  Thomas F. La Porta,et al.  Exploiting open functionality in SMS-capable cellular networks , 2008, J. Comput. Secur..

[12]  Thomas F. La Porta,et al.  On cellular botnets: measuring the impact of malicious devices on a cellular network core , 2009, CCS.

[13]  Lawrence K. Saul,et al.  Beyond blacklists: learning to detect malicious web sites from suspicious URLs , 2009, KDD.

[14]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[15]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[16]  Thomas F. La Porta,et al.  Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks , 2006, IEEE/ACM Transactions on Networking.

[17]  N. Feamster,et al.  An Internet-Wide View into DNS Lookup Patterns , 2010 .

[18]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[19]  Deborah Estrin,et al.  A first look at traffic on smartphones , 2010, IMC '10.

[20]  Nick Feamster,et al.  Building a Dynamic Reputation System for DNS , 2010, USENIX Security Symposium.

[21]  Wenke Lee,et al.  Detecting Malware Domains at the Upper DNS Hierarchy , 2011, USENIX Security Symposium.

[22]  Helen J. Wang,et al.  Permission Re-Delegation: Attacks and Defenses , 2011, USENIX Security Symposium.

[23]  David A. Wagner,et al.  Analyzing inter-application communication in Android , 2011, MobiSys '11.

[24]  Swarat Chaudhuri,et al.  A Study of Android Application Security , 2011, USENIX Security Symposium.

[25]  Thomas F. La Porta,et al.  From mobile phones to responsible devices , 2011, Secur. Commun. Networks.

[26]  Steve Hanna,et al.  A survey of mobile malware in the wild , 2011, SPSM '11.

[27]  Leyla Bilge,et al.  EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis , 2011, NDSS.

[28]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[29]  David A. Wagner,et al.  The Effectiveness of Application Permissions , 2011, WebApps.

[30]  K. K. Ramakrishnan,et al.  Over the top video: the gorilla in cellular networks , 2011, IMC '11.

[31]  Aditya Akella,et al.  A Comparative Study of Handheld and Non-handheld Traffic in Campus Wi-Fi Networks , 2011, PAM.

[32]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[33]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.