Network-based detection of mobile malware exhibiting obfuscated or silent network behavior

Business demand for bring your own device (BYOD) or guest wireless networks will continue to increase, and enterprise security programs must change to enable and secure this new environment with mobile devices. In this paper, our aim is to demonstrate an intrusion detection alternative that can identify infected mobile devices that either produce no application-sourced Wi-Fi network traffic or highly disguise their Wi-Fi network traffic. We evaluate the detection capability of this tool by attempting to discern non-infected Android mobile devices from Android mobile devices that have been infected by Trojan-based malware. Our approach has two major contributions. (1) It is a network-based tool that does not need to be installed on a device, unlike anti-virus software that can be subverted by malware. (2) Results demonstrate that the network-based tool is capable of accurately detecting a class of malware that does not generate Wi-Fi network traffic or highly disguises its Wi-Fi network traffic.
