Mobile security
Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing.[1] It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

More and more users and businesses use smartphones to communicate, but also to plan and organize both their work and private life. Within companies, these technologies are causing profound changes in the organization of information systems and have therefore become the source of new risks. Indeed, smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company.

All smartphones, as computers, are preferred targets of attacks. This is because these devices hold family photos, pictures of pets, passwords, and more. For attackers, these items are a digital passport to access everything they would need to know about a person. This is why attacks on mobile devices are on the rise.[2] These attacks exploit weaknesses inherent in smartphones that can come from the communication mode, like Short Message Service (SMS, aka text messaging), Multimedia Messaging Service (MMS), Wi-Fi, Bluetooth and GSM, the de facto global standard for mobile communications. There are also exploits that target software vulnerabilities in the browser or operating system, while some malicious software relies on the weak knowledge of an average user.

Security countermeasures are being developed and applied to smartphones, from security in different layers of software to the dissemination of information to end users. There are good practices to be observed at all levels, from design to use, through the development of operating systems, software layers, and downloadable apps.
Contents
Challenges of smartphone mobile security
Threats
Consequences
Attacks based on communication
Attacks based on SMS and MMS
Attacks based on communication networks
Attacks based on the GSM networks
Attacks based on Wi-Fi
Principle of Bluetooth-based attacks
Attacks based on vulnerabilities in software applications
Web browser
Operating system
Attacks based on hardware vulnerabilities
Electromagnetic Waveforms
Juice Jacking
Jail-breaking and rooting
Password cracking
Malicious software (malware)
The three phases of malware attacks
Infection
Accomplishment of its goal
Spread to other systems
Examples of malware
Viruses and trojans
Ransomware
Spyware
Number of malware
Portability of malware across platforms
Countermeasures
Security in operating systems
Security software
Resource monitoring in the smartphone
Network surveillance
Manufacturer surveillance
User awareness
Enable Android Device Encryption
Centralized storage of text messages
Limitations of certain security measures
Next generation of mobile security
See also
Notes
References
Books
Articles
Websites
Further reading
Challenges of smartphone mobile security
Threats
A smartphone user is exposed to various threats when they use their phone. In just the last two quarters of 2012, the number of unique mobile threats grew by 261%, according to ABI Research.[3] These threats can disrupt the operation of the smartphone, and transmit or modify user data. So applications must guarantee privacy and integrity of the information they handle. In addition, since some apps could themselves be malware, their functionality and activities should be limited (for example, restricting the apps from accessing location information via GPS, blocking access to the user's address book, preventing the transmission of data on the network, sending SMS messages that are billed to the user, etc.).[4] Since the recent rise of mobile attacks, hackers have increasingly targeted smartphones through credential theft and snooping. The number of attacks targeting smartphones and other devices has risen by 50 percent. According to the study, mobile banking applications are responsible for the increase in attacks.

Malware is distributed by the attackers so that they can take over the targets' transaction information, their rights to log in, and their money. Various types of malware are also developed with anti-detection techniques to avoid detection. Triade malware comes pre-installed on some mobile devices. In addition to Haddad, there is Lotoor, which exploits vulnerabilities in the system to repackage legitimate applications. The devices are also vulnerable due to spyware and leaky behaviors through applications. Devices connected to public networks are at risk of attacks. Mobile devices are also effective conveyance systems for malware threats, breaches of information, and thefts. Potential attackers were looking for possible weak points once Apple's iPhone and the first Android devices came onto the market. The Department of Homeland Security's cybersecurity department claims that the number of vulnerable points in smartphone operating systems has increased. As mobile phones are connected to utilities and appliances, hackers, cybercriminals, and even intelligence officials have access to these devices.

It became increasingly popular to let employees use their own devices for work-related purposes in 2011. The Crowd Research Partners study, published in 2017, reports that during 2017, most businesses that mandated the use of mobile devices were subjected to malware attacks and breaches. It has become common for rogue applications to be installed on user devices without the user's permission. They breach privacy, which hinders the effectiveness of the devices. As well as affecting the device, hidden malware is harmful. Mobile malware has been developed to exploit vulnerabilities in mobile devices. Ransomware, worms, botnets, Trojans, and viruses are some of the types. Since the introduction of mobile banking apps and other apps, which are vital targets for hackers, malware has been rampant. Trojan-droppers can also avoid detection of malware. The attackers who use the malware on the device are able to avoid detection by hiding malicious code. Although the malicious payload inside the dropper does not change, the dropper generates new file hashes each time it is repackaged, so a blocklist of known file hashes does not recognize the next sample. Additionally, droppers can also create a multitude of files, which can lead to the creation of viruses. Android mobile devices are prone to Trojan-droppers. The banking Trojans also enable attacks on the banking applications on the phone, which leads to the theft of data for use in stealing money and funds.

Additionally, there are jailbreaks for iOS devices, which work by disabling the code signing enforcement on iPhones so that applications not downloaded from the App Store can be run. In this way, all the protection layers offered by iOS are disrupted, exposing the device to malware. These outside applications don't run in a sandbox, and as a result this exposes potential security problems. By installing malicious credentials and virtual private networks to direct information to malicious systems, there are attack vectors developed to change the mobile devices' configuration settings. In addition, there is spyware that tends to be installed on mobile devices in order to track an individual. Malicious apps can also be installed without the owners' permission or knowledge. Wi-Fi interference technologies can also attack mobile devices through potentially insecure networks. By compromising the network, hackers are able to gain access to key data. A VPN, on the other hand, can be used to secure the device's traffic over such networks. There are also social engineering techniques, such as phishing. With phishing, unsuspecting victims are sent links to lead them to malicious websites. The attackers can then hack into the victim's device and copy all of its information. However, mobile device attacks can be prevented with technologies. Containerization is an example, as it allows the creation of an isolated environment that separates the business data from other data. By detecting malicious traffic and rogue access points, there is network protection. Data security is also ensured through authentication.
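The dropper behaviour described above, an unchanged payload whose container hash differs on every build, is easiest to see in a small script. The following is an added example written for this page, not code from the article or from any malware: the payload bytes are a constructed stand-in, the entry name COMMWARRIOR.SIS is borrowed from the article's later description of Commwarrior, and the container is an ordinary ZIP archive.

```python
from __future__ import annotations

import hashlib
import io
import os
import zipfile

# Constructed stand-in for a malicious installer; the entry name follows the
# article's description of Commwarrior (COMMWARRIOR.ZIP holding
# COMMWARRIOR.SIS).  The bytes are not real malware.
PAYLOAD_NAME = "COMMWARRIOR.SIS"
PAYLOAD = b"SIS\x00 constructed stand-in for an installer body, never changes"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_dropper(payload: bytes, nonce: bytes) -> bytes:
    """Repackage the unchanged payload into a fresh container.

    The nonce lands in a junk entry and in the archive comment, so every
    build has a different SHA-256 although the payload is byte-identical.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(PAYLOAD_NAME, payload)
        zf.writestr("junk.bin", nonce)
        zf.comment = nonce.hex().encode()
    return buf.getvalue()


def container_hit(container: bytes, blocklist: set[str]) -> bool:
    """The naive check: blocklist the hash of the whole file."""
    return sha256(container) in blocklist


def entry_hashes(container: bytes) -> dict[str, str]:
    """Hash each entry inside the archive; this is what a scanner should index."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return {info.filename: sha256(zf.read(info)) for info in zf.infolist()}


def entry_hit(container: bytes, blocklist: set[str]) -> bool:
    """The check that survives repackaging: match on the inner entries."""
    return any(h in blocklist for h in entry_hashes(container).values())


def generate_samples(count: int) -> list[bytes]:
    """Emulate a dropper campaign that rebuilds its container per victim."""
    return [build_dropper(PAYLOAD, os.urandom(16)) for _ in range(count)]


if __name__ == "__main__":
    samples = generate_samples(3)
    print("distinct container hashes:", len({sha256(s) for s in samples}))
    first_only = {sha256(samples[0])}
    print("container blocklist catches later samples:",
          [container_hit(s, first_only) for s in samples[1:]])
    payload_block = {sha256(PAYLOAD)}
    print("entry blocklist catches all:", all(entry_hit(s, payload_block) for s in samples))
```

Blocklisting the SHA-256 of one captured dropper therefore never matches the next sample, while indexing the hashes of the entries inside the container (or of the unpacked payload) does. Real droppers go further and also mutate the payload itself, which is why signatures on code structure or behaviour are needed on top of hashes.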
There are three prime targets for attackers:[7]
+ Data: smartphones are devices for data management, and may contain sensitive data like credit card numbers, authentication information, private information, activity logs (calendar, call logs);
+ Identity: smartphones are highly customizable, so the device or its contents can easily be associated with a specific person;
+ Availability: attacking a smartphone can limit access to it and deprive the owner of its use.

There are a number of threats to mobile devices, including annoyance, stealing money, invading privacy, propagation, and malicious tools.[8] A vulnerability in a mobile device is a weak spot that will allow an attacker to decrease the system's security. Three elements must coincide for a vulnerability to be exploited: a system weakness, attacker access to the flaw, and attacker competence to exploit the flaw.[8]

+ Botnets: attackers infect multiple machines with malware that victims generally acquire via e-mail attachments or from compromised applications or websites. The malware then gives hackers remote control of "zombie" devices, which can then be instructed to perform harmful acts.[8]
+ Malicious applications: hackers upload malicious programs or games to third-party smartphone application marketplaces. The programs steal personal information and open backdoor communication channels to install additional applications and cause other problems.
+ Malicious links on social networks: an effective way to spread malware where hackers can place Trojans, spyware, and backdoors.[8]
+ Spyware: hackers use this to hijack phones, allowing them to hear calls, see text messages and e-mails as well as track someone's location through GPS updates.

The sources of these attacks are the same actors found in the non-mobile computing space:
+ Professionals, whether commercial or military, who focus on the three targets mentioned above. They steal sensitive data from the general public, as well as undertake industrial espionage. They will also use the identity of those attacked to achieve other attacks;
+ Thieves who want to gain income through data or identities they have stolen. The thieves will attack many people to increase their potential income;
+ Black hat hackers who specifically attack availability. Their goal is to develop viruses, and cause damage to the device. In some cases, hackers have an interest in stealing data on devices;
+ Grey hat hackers who reveal vulnerabilities. Their goal is to expose vulnerabilities of the device. Grey hat hackers do not intend on damaging the device or stealing data.
Consequences
When a smartphone is infected by an attacker, the attacker can attempt several things:
+ The attacker can manipulate the smartphone as a zombie machine, that is to say, a machine with which the attacker can communicate and send commands which will be used to send unsolicited messages (spam) via SMS or email;
+ The attacker can easily force the smartphone to make phone calls. For example, one can use the Microsoft PhoneMakeCall API (a library providing the basic telephony functions), which collects telephone numbers from any source such as yellow pages, and then call them. But the attacker can also use this method to call paid services, resulting in a charge to the owner of the smartphone. It is also very dangerous because the smartphone could call emergency services and thus disrupt those services;
+ A compromised smartphone can record conversations between the user and others and send them to a third party. This can cause user privacy and industrial security problems;
+ An attacker can also steal a user's identity, usurp their identity (with a copy of the user's SIM card or even the telephone itself), and thus impersonate the owner. This raises security concerns in countries where smartphones can be used to place orders, view bank accounts or are used as an identity card;
+ The attacker can reduce the usability of the smartphone by discharging the battery. For example, they can launch an application that will run continuously on the smartphone processor, requiring a lot of energy and draining the battery. One factor that distinguishes mobile computing from traditional desktop PCs is the limited performance. Frank Stajano and Ross Anderson first described this form of attack, calling it an attack of "battery exhaustion" or "sleep deprivation torture";[15]
+ The attacker can also prevent the operation and/or use of the smartphone by making it unusable. This attack can either delete the boot scripts, resulting in a phone without a functioning OS, or modify certain files to make it unusable (e.g. a script that launches at startup that forces the smartphone to restart), or even embed a startup application that would empty the battery;
+ The attacker can remove the personal (photos, music, videos, etc.) or professional data (contacts, calendars, notes) of the user.
Attacks based on communication
Attacks based on SMS and MMS

Some attacks derive from flaws in the management of SMS and MMS.

Some mobile phone models have problems in managing binary SMS messages. It is possible, by sending an ill-formed block, to cause the phone to restart, leading to denial of service attacks. If a user with a Siemens S55 received a text message containing a Chinese character, it would lead to a denial of service.[17] In another case, while the standard requires that the maximum size of a Nokia Mail address is 32 characters, some Nokia phones did not verify this standard, so if a user enters an email address over 32 characters, that leads to complete dysfunction of the e-mail handler and puts it out of commission. This attack is called "curse of silence". A study on the safety of the SMS infrastructure revealed that SMS messages sent from the Internet can be used to perform a distributed denial of service (DDoS) attack against the mobile telecommunications infrastructure of a big city. The attack exploits the delays in the delivery of messages to overload the network.

Another potential attack could begin with a phone that sends an MMS to other phones, with an attachment. This attachment is infected with a virus. Upon receipt of the MMS, the user can choose to open the attachment. If it is opened, the phone is infected, and the virus sends an MMS with an infected attachment to all the contacts in the address book. There is a real-world example of this attack: the virus Commwarrior uses the address book and sends MMS messages including an infected file to recipients. A user installs the software, as received via MMS message. Then, the virus begins to send messages to recipients taken from the address book.
Attacks based on communication networks
Attacks based on the GSM networks

The attacker may try to break the encryption of the mobile network. The GSM network encryption algorithms belong to the family of algorithms called A5. Due to the policy of security through obscurity it has not been possible to openly test the robustness of these algorithms. There were originally two variants of the algorithm: A5/1 and A5/2 (stream ciphers), where the former was designed to be relatively strong, and the latter was designed to be weak on purpose to allow easy cryptanalysis and eavesdropping. ETSI forced some countries (typically outside Europe) to use A5/2. Since the encryption algorithm was made public, it was proved it was possible to break the encryption: A5/2 could be broken on the fly, and A5/1 in about 6 hours. In July 2007, the 3GPP approved a change request to prohibit the implementation of A5/2 in any new mobile phones, which means that it has been decommissioned and is no longer implemented in mobile phones. Stronger public algorithms have been added to the GSM standard, the A5/3 and A5/4 (block ciphers), otherwise known as KASUMI or UEA1, published by the ETSI. If the network does not support A5/1, or any other A5 algorithm implemented by the phone, then the base station can specify A5/0, which is the null algorithm, whereby the radio traffic is sent unencrypted. Even in case mobile phones are able to use 3G or 4G, which have much stronger encryption than 2G GSM, the base station can downgrade the radio communication to 2G GSM and specify A5/0 (no encryption).[20] This is the basis for eavesdropping attacks on mobile radio networks using a fake base station, commonly called an IMSI catcher.

In addition, tracing of mobile terminals is difficult since each time the mobile terminal is accessing or being accessed by the network, a new temporary identity (TMSI) is allocated to the mobile terminal. The TMSI is used as the identity of the mobile terminal the next time it accesses the network. The TMSI is sent to the mobile terminal in encrypted messages, so a downgrade to A5/0 also exposes the identity reallocation to a listener.

Once the encryption algorithm of GSM is broken, the attacker can intercept all unencrypted communications made by the victim's smartphone.
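The downgrade path described above (the base station announcing A5/0 or a weak algorithm to a phone that could do better) is a negotiation the phone side can check. Below is an added example written for this page, not part of the article and not a parser for real 3GPP 44.018 messages: CipherModeCommand, STRENGTH, PROHIBITED and the verdict labels are this example's own simplifications, and the ranking of the A5 algorithms follows the text above.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Relative strength of the A5 family as the text describes it: A5/0 is the
# null cipher, A5/2 was deliberately weak, A5/1 falls in hours, A5/3 and
# A5/4 are the KASUMI-based block ciphers.  The numbers are a ranking used
# by this example, not a property defined by the GSM specifications.
STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3, "A5/4": 4}
PROHIBITED = {"A5/2"}  # prohibited for new phones by 3GPP since July 2007


@dataclass(frozen=True)
class CipherModeCommand:
    """Simplified stand-in for the network's CIPHER MODE COMMAND.

    The real message is a bit-packed 3GPP 44.018 structure; here it is
    reduced to the two facts the check needs (assumption of this example).
    """
    start_ciphering: bool
    algorithm: Optional[str] = None  # ignored when start_ciphering is False


def effective_algorithm(cmd: CipherModeCommand) -> str:
    """'No ciphering' is the same thing as A5/0: traffic goes out in clear."""
    if not cmd.start_ciphering or cmd.algorithm is None:
        return "A5/0"
    return cmd.algorithm


def check_cipher_mode(supported: set[str], cmd: CipherModeCommand) -> tuple[str, str]:
    """Judge the algorithm a network selected against what the phone offered.

    `supported` is the set the phone advertised in its classmark.  Returns
    (verdict, reason): "ok", "warn" (weaker than the best algorithm both
    sides share) or "alert" (no confidentiality at all, or a choice the
    phone never offered, which is what a fake base station may do).
    """
    chosen = effective_algorithm(cmd)
    if chosen == "A5/0":
        return "alert", "null cipher selected: radio traffic would be unencrypted"
    if chosen not in STRENGTH:
        return "alert", f"unknown algorithm {chosen!r}"
    if chosen in PROHIBITED:
        return "alert", f"{chosen} is prohibited and must not be run"
    if chosen not in supported:
        return "alert", f"network chose {chosen}, which the phone never advertised"
    best = max(supported - PROHIBITED, key=lambda a: STRENGTH.get(a, -1))
    if STRENGTH[chosen] < STRENGTH[best]:
        return "warn", f"downgrade: phone supports {best} but network chose {chosen}"
    return "ok", f"ciphering with {chosen}"


# Constructed session: a phone that supports A5/1 and A5/3 sees three
# successive commands, the last one being the A5/0 choice an IMSI catcher makes.
PHONE_CLASSMARK = {"A5/1", "A5/3"}
DEMO_SESSION = [
    CipherModeCommand(True, "A5/3"),
    CipherModeCommand(True, "A5/1"),
    CipherModeCommand(False),
]


def audit_session(supported: set[str], commands) -> list[str]:
    """Return the verdict for each command, in order."""
    return [check_cipher_mode(supported, cmd)[0] for cmd in commands]


if __name__ == "__main__":
    for cmd in DEMO_SESSION:
        print(cmd, "->", check_cipher_mode(PHONE_CLASSMARK, cmd))
```

A real handset cannot simply refuse A5/0 on every network that never ciphers, so the practical home of a check like this is the ciphering indicator some phones expose and the alerting done by IMSI-catcher detector apps. The "alert" on an algorithm the phone never advertised is the useful tell: a genuine network picks from the classmark it was sent, a fake base station is not bound by it.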
Attacks based on Wi-Fi

[...] might define short encryption keys that contain only numbers. This increases the likelihood [...]

[Figure: Access Point spoofing]

[...] supposed to be safe enough to withstand a brute force attack. Free Wi-Fi is usually provided by organizations such as airports, coffee shops, and restaurants for a number of reasons. In addition to spending more time on the premises, Wi-Fi access helps customers to stay productive. It is likely they'll end up spending more money if they spend more time on the premises. Enhancing customer tracking is another reason. A lot of restaurants and coffee shops compile data about their customers so they can target advertisements directly to their devices. This means that customers know what services the facility provides. Generally, individuals filter business premises based on Internet connections, which is another reason to gain a competitive edge. The ability to access free and fast Wi-Fi gives a business an edge over those who do not. Network security is the responsibility of the organizations. There are numerous risks associated with their unsecured Wi-Fi networks, however. The man-in-the-middle attack entails the interception and modification of data between parties. Additionally, malware can be distributed via the free Wi-Fi network and hackers can exploit software vulnerabilities to smuggle malware onto connected devices. It is also possible to eavesdrop and sniff Wi-Fi signals using special software and devices, capturing login credentials and hijacking accounts.

As with GSM, if the attacker succeeds in breaking the identification key, it will be possible to attack not only the phone but also the entire network it is connected to.

Many smartphones remember the wireless LANs they have already connected to, and this mechanism prevents the user from having to re-identify with each connection. However, an attacker could create a Wi-Fi access point twin with the same parameters and characteristics as the real network. Because some smartphones remember the networks, they could confuse the two networks and connect to the network of the attacker, who can intercept data if the device does not transmit its data in encrypted form.[24]
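Whether to auto-join on the strength of a remembered SSID, as the twin-access-point paragraph above discusses, is a policy decision a phone's network manager makes per beacon. The following added example (not the article's code, and not tied to any real operating system's Wi-Fi stack) encodes that policy over constructed profiles and beacons: SavedNetwork, Beacon, the security labels and the MAC addresses are all assumptions made up for the example. The psk_keyspace_bits helper illustrates the earlier fragment about digit-only pre-shared keys.

```python
from __future__ import annotations

import math
from dataclasses import dataclass

# Security types as a phone's network profile would record them.  The labels
# are this example's own.
OPEN = "open"
WPA2_PSK = "wpa2-psk"
WPA2_ENTERPRISE = "wpa2-enterprise"


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str
    known_bssids: frozenset[str] = frozenset()  # AP MAC addresses seen before


@dataclass(frozen=True)
class Beacon:
    """What the phone learns from a beacon frame before it joins."""
    ssid: str
    bssid: str
    security: str


def should_auto_join(saved: dict[str, SavedNetwork], beacon: Beacon) -> tuple[bool, str]:
    """Decide whether a remembered network may be joined without asking.

    A twin that copies only the SSID fails the security-type check; a twin
    that also copies the security type but broadcasts from a new radio fails
    the BSSID check.  A twin that clones BSSID and security type as well is
    only stopped by the key: a WPA2-PSK twin without the passphrase cannot
    finish the 4-way handshake, provided the phone never falls back to open.
    """
    profile = saved.get(beacon.ssid)
    if profile is None:
        return False, "SSID not in the saved list"
    if profile.security == OPEN:
        return False, "open networks are never auto-joined: anyone can clone the SSID"
    if beacon.security != profile.security:
        return False, f"security mismatch: saved {profile.security}, seen {beacon.security}"
    if profile.known_bssids and beacon.bssid.lower() not in profile.known_bssids:
        return False, "unknown BSSID for this SSID: ask the user before joining"
    return True, "beacon matches the saved profile"


def psk_keyspace_bits(passphrase: str) -> float:
    """Rough search-space size of a WPA2 pre-shared key, in bits.

    Phone keypads tempt users into digit-only keys; 8 digits is under 27
    bits, which an offline attack on a captured handshake walks easily.
    """
    if passphrase.isdigit():
        alphabet = 10
    elif passphrase.isalnum():
        alphabet = 62
    else:
        alphabet = 95  # printable ASCII
    return len(passphrase) * math.log2(alphabet)


# Constructed profile and observations used by the checks.
SAVED_NETWORKS = {
    "CoffeeShop": SavedNetwork("CoffeeShop", WPA2_PSK, frozenset({"aa:bb:cc:dd:ee:01"})),
    "Airport-Free": SavedNetwork("Airport-Free", OPEN),
}
GENUINE = Beacon("CoffeeShop", "AA:BB:CC:DD:EE:01", WPA2_PSK)
TWIN_OPEN = Beacon("CoffeeShop", "de:ad:be:ef:00:01", OPEN)      # same SSID, no key
TWIN_PSK = Beacon("CoffeeShop", "de:ad:be:ef:00:01", WPA2_PSK)   # same SSID and type
AIRPORT = Beacon("Airport-Free", "00:11:22:33:44:55", OPEN)

if __name__ == "__main__":
    for b in (GENUINE, TWIN_OPEN, TWIN_PSK, AIRPORT):
        print(b.ssid, b.bssid, should_auto_join(SAVED_NETWORKS, b))
    print("8-digit PSK bits:", round(psk_keyspace_bits("12345678"), 1))
```

The BSSID check is a tripwire, not a proof: an attacker can clone the MAC address as easily as the SSID. What actually protects a WPA2-PSK profile is that the twin cannot complete the handshake without the passphrase, which is why the policy above refuses to auto-join anything whose saved profile is open and treats a security-type change as a reason to stop rather than to adapt.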
Lasco is a worm that initially infects a remote device using the SIS file format. The SIS file format (Software Installation Script) is a script file that can be executed by the system without user interaction. The smartphone thus believes the file to come from a trusted source and downloads it, infecting the machine.
Principle of Bluetooth-based attacks

Security issues related to Bluetooth on mobile devices have been studied and have shown numerous problems on different phones. One easy to exploit vulnerability: unregistered services do not require authentication, and vulnerable applications have a virtual serial port used to control the phone. An attacker only needed to connect to the port to take full control of the device. Another example: a phone must be within reach and Bluetooth in discovery mode. The attacker sends a file via Bluetooth. If the recipient accepts, a virus is transmitted. For example: Cabir is a worm that spreads via Bluetooth connection. The worm searches for nearby phones with Bluetooth in discoverable mode and sends itself to the target device. The user must accept the incoming file and install the program. After installing, the worm infects the machine.
Attacks based on vulnerabilities in software applications
Other attacks are based on flaws in the OS or applications on the phone.

Web browser

The mobile web browser is an emerging attack vector for mobile devices. Just as common Web browsers, mobile web browsers are extended from pure web navigation with widgets and plug-ins, or are completely native mobile browsers.

Jailbreaking the iPhone with firmware 1.1.1 was based entirely on vulnerabilities in the web browser.[25] As a result, the exploitation of the vulnerability described here underlines the importance of the Web browser as an attack vector for mobile devices. In this case, there was a vulnerability based on a stack-based buffer overflow in a library used by the web browser (libtiff).

A vulnerability in the web browser for Android was discovered in October 2008.[26] As with the iPhone vulnerability above, it was due to an obsolete and vulnerable library. A significant difference from the iPhone vulnerability was Android's sandboxing architecture, which limited the effects of this vulnerability to the Web browser process.

Smartphones are also victims of classic piracy related to the web: phishing, malicious websites, software that runs in the background, etc. The big difference is that smartphones do not yet have strong antivirus software available.

The internet offers numerous interactive features that ensure a higher engagement rate, capture more and relevant data, and increase brand loyalty. Blogs, forums, social networks, and wikis are some of the most common interactive websites. Due to the tremendous growth of the internet, there has been a rapid rise in the number of security breaches experienced by individuals and businesses over the past few years. Users can balance the need to utilize the interactive features while also maintaining caution regarding security issues in several ways. Reviewing computer security regularly and correcting, upgrading, and replacing the necessary features are a few of the ways to do this. Installation of antivirus and anti-spyware programs is a widely used way of protecting the computer, and they offer protection against malware, spyware, and viruses. As well, they use firewalls, which are typically installed between the internet and the computer network in order to find a balance. By filtering the traffic that crosses it, the firewall prevents external users from accessing the internal computer system. Also, secure passwords and not sharing them help maintain the balance.
Operating system
Sometimes it is possible to overcome the security safeguards by modifying the operating system itself. As real-world examples, this section covers the manipulation of firmware and malicious signature certificates. These attacks are difficult.

In 2004, vulnerabilities in virtual machines running on certain devices were revealed. It was possible to bypass the bytecode verifier and access the native underlying operating system. The results of this research were not published in detail. The firmware security of Nokia's Symbian Platform Security Architecture (PSA) is based on a central configuration file called SWIPolicy. In 2008 it was possible to manipulate the Nokia firmware before it is installed, and in fact in some downloadable versions of it, this file was human-readable, so it was possible to modify and change the image of the firmware. This vulnerability has been solved by an update from Nokia.

In theory, smartphones have an advantage over hard drives since the OS files are in ROM, and cannot be changed by malware. However, in some systems it was possible to circumvent this: in the Symbian OS it was possible to overwrite a file with a file of the same name. On the Windows OS, it was possible to change a pointer from a general configuration file to an editable file.

When an application is installed, the signing of this application is verified by a series of certificates. One can create a valid signature without using a valid certificate and add it to the list. In the Symbian OS all certificates are in the directory c:\resource\swicertstore\dat. With the firmware changes explained above it is very easy to insert a seemingly valid but malicious certificate.

Android is the OS that has been attacked the most, because it has the most users among the operating systems. A cybersecurity company reported that it blocked about 18 million attacks on Android in 2016.[32]
Attacks based on hardware vulnerabilities
Electromagnetic Waveforms
In 2015, researchers at the French government agency Agence nationale de la sécurité des systèmes d'information (ANSSI) demonstrated the capability to trigger the voice interface of certain smartphones remotely by using "specific electromagnetic waveforms".[35] The exploit took advantage of the antenna properties of headphone wires while plugged into the audio-output jacks of the vulnerable smartphones and effectively spoofed audio input to inject commands via the audio interface.[35]
Juice Jacking
Juice jacking is a physical or hardware vulnerability specific to mobile platforms. Utilizing the dual purpose of the USB charge port, many devices have been susceptible to having data exfiltrated from, or malware installed onto, a mobile device by utilizing malicious charging kiosks set up in public places or hidden in normal charge adapters.
Jail-breaking and rooting
Jail-breaking is also a physical access vulnerability, in which mobile device users hack into their own devices to unlock them, exploiting weaknesses in the operating system. Mobile device users take control of their own device by jail-breaking it, and customize the interface by installing applications and changing system settings that are not allowed on the devices. This allows them to tweak the mobile device's operating system processes and run programs in the background, and thus exposes the device to a variety of malicious attacks that can lead to the compromise of important private data.

Password cracking

In 2010, researchers from the University of Pennsylvania investigated the possibility of cracking a device's password through a smudge attack (literally imaging the finger smudges on the screen to discern the user's password). The researchers were able to discern the device password up to 68% of the time under certain conditions. Outsiders may also perform over-the-shoulder attacks on victims, such as watching specific keystrokes or pattern gestures, to learn the device password or passcode.
Malicious software (malware)
As smartphones are a permanent point of access to the internet (mostly always on), they can be compromised as easily as computers with malware. Malware is a computer program that aims to harm the system in which it resides. Mobile malware variants increased by 54% in the year 2017. Trojans, worms and viruses are all considered malware. A Trojan is a program that is on the smartphone and allows external users to connect discreetly. A worm is a program that reproduces on multiple computers across a network. A virus is malicious software designed to spread to other computers by inserting itself into legitimate programs and running in parallel with them. However, it must be said that malware is far less numerous and important on smartphones than on computers.

[Figure: Types of malware based on their number on smartphones in 2009]

Nonetheless, recent studies show that the evolution of malware on smartphones has rocketed in the last few years, posing a threat to analysis and detection.[28]
The three phases of malware attacks
Typically an attack on a smartphone made by malware takes place in 3 phases: the infection of a host, the accomplishment of its goal, and the spread of the malware to other systems. Malware often uses the resources offered by infected smartphones. It will use the output devices such as Bluetooth or infrared, but it may also use the address book or email address of the person to infect the user's acquaintances. The malware exploits the trust that is given to data sent by an acquaintance.
Infection
Infection is the means used by the malware to get into the smartphone; it can either use one of the faults previously presented or may use the gullibility of the user. Infections are classified into four classes according to their degree of user interaction:

Explicit permission
The most benign interaction is to ask the user if it is allowed to infect the machine, clearly indicating its potential malicious behavior. This is typical behavior of a proof of concept malware.

Implied permission
This infection is based on the fact that the user has a habit of installing software. Most trojans try to seduce the user into installing attractive applications (games, useful applications etc.) that actually contain malware.

Common interaction
This infection is related to a common behavior, such as opening an MMS or email.

No interaction
The last class of infection is the most dangerous. Indeed, a worm that could infect a smartphone and could infect other smartphones without any interaction would be catastrophic.

Accomplishment of its goal

Once the malware has infected a phone it will also seek to accomplish its goal, which is usually one of the following: monetary damage, damage to data and/or device, and concealed damage:

Monetary damages
The attacker can steal user data and either sell them back to the same user or sell them to a third party.

Damage
Malware can partially damage the device, or delete or modify data on the device.

Concealed damage
The two aforementioned types of damage are detectable, but the malware can also leave a backdoor for future attacks or even conduct wiretaps.

Spread to other systems

Once the malware has infected a smartphone, it always aims to spread one way or another:[25]
+ It can spread through proximate devices using Wi-Fi, Bluetooth and infrared;
+ It can also spread using remote networks such as telephone calls or SMS or emails.
Examples of malware
Here are various malware that exist in the world of smartphones with a short description of each.

Viruses and trojans

+ Cabir (also known as Caribe, SybmOS/Cabir, Symbian/Cabir and EPOC.cabir) is the name of a computer worm developed in 2004, designed to infect mobile phones running Symbian OS. It is believed to have been the first computer worm that can infect mobile phones.
+ Commwarrior, found March 7, 2005, was the first worm that can infect many machines from MMS. It is sent as COMMWARRIOR.ZIP containing the file COMMWARRIOR.SIS. When this file is executed, Commwarrior attempts to connect to nearby devices by Bluetooth or infrared under a random name. It then attempts to send MMS messages to the contacts in the smartphone with different header messages for each person, who receive the MMS and often open them without further verification.
+ Phage is the first Palm OS virus discovered. It transfers to the Palm from a PC via synchronization. It infects all applications in the smartphone and embeds its own code to function without the user and the system detecting it. All that the system will detect is that its usual applications are functioning.
+ RedBrowser is a Trojan based on Java. The Trojan masquerades as a program called "RedBrowser" which allows the user to visit WAP sites without a WAP connection. During application installation, the user sees a request on their phone that the application needs permission to send messages. If the user accepts, RedBrowser can send SMS to paid call centers. This program uses the smartphone's connection to social networks (Facebook, Twitter, etc.) to get the contact information for the user's acquaintances (provided the required permissions have been given) and will send them messages.
+ WinCE.PmCryptic.A is malicious software on Windows Mobile which aims to earn money for its authors. It uses the infestation of memory cards that are inserted in the smartphone to spread more effectively.
+ CardTrap is a virus that is available on different types of smartphone, which aims to deactivate the system and third-party applications. It works by replacing the files used to start the smartphone and applications to prevent them from executing. There are different variants of this virus such as Cardtrap.A for SymbOS devices. It also infects the memory card with malware capable of infecting Windows.
+ Ghost Push is malicious software on Android OS which automatically roots the Android device and installs malicious applications directly to the system partition, then unroots the device to prevent users from removing the threat by master reset (the threat can be removed only by reflashing). It cripples the system resources, executes quickly, and is hard to detect.
Ransomware
Mobile ransomware is a type of malware that locks users out of their mobile devices in a pay-to-unlock-your-device ploy; it has grown by leaps
and bounds as a threat category since 2014. Specific to mobile computing platforms, users are often less security-conscious, particularly as it
pertains to scrutinizing applications and web links, trusting the native protection capability of the mobile device operating system. Mobile
ransomware poses a significant threat to businesses reliant on instant access and availability of their proprietary information and contacts. The
likelihood of a traveling businessman paying a ransom to unlock their device is significantly higher since they are at a disadvantage given
inconveniences such as timeliness and less likely direct access to IT staff. Recent ransomware attacks have caused a stir in the world as the attacks
caused many internet-connected devices to stop working, and companies spent large amounts to recover from these attacks.
Spyware
- Flexispy is an application that can be considered as a trojan, based on Symbian. The program sends all information received and sent from
the smartphone to a Flexispy server. It was originally created to protect children and spy on adulterous spouses.
Number of malware
Below is a diagram which shows the different behaviors of smartphone malware in terms of their effects on smartphones:
[Figure: "Effets des malwares" (effects of malware); only the caption survived extraction]
We can see from the graph that at least 50 malware varieties exhibit no negative behavior, except their ability to spread.
Portability of malware across platforms
There is a multitude of malware. This is partly due to the variety of operating systems on smartphones. However, attackers can also choose to
make their malware target multiple platforms, and malware can be found which attacks an OS but is able to spread to different systems.
To begin with, malware can use runtime environments like the Java virtual machine or the .NET Framework. They can also use other libraries
present in many operating systems. Other malware carry several executable files in order to run in multiple environments and they utilize
these during the propagation process. In practice, this type of malware requires a connection between the two operating systems to use as an
attack vector. Memory cards can be used for this purpose, or synchronization software can be used to propagate the virus.
Countermeasures
The security mechanisms in place to counter the threats described above are presented in this section. They are divided into different categories,
as all do not act at the same level, and they range from the management of security by the operating system to the behavioral education of the
user. The threats prevented by the various measures are not the same depending on the case. Considering the two cases mentioned above, in the
first case one would protect the system from corruption by an application, and in the second case the installation of a suspicious software would
be prevented.
Security in operating systems
The first layer of security in a smartphone is the operating system (OS). Beyond needing to handle the usual roles of an operating system (e.g.
resource management, scheduling processes) on the device, it must also establish the protocols for introducing external applications and data
without introducing risk.
A central paradigm in mobile operating systems is the idea of a sandbox. Since smartphones are currently designed to accommodate many
applications, they must have mechanisms to ensure these applications are safe for the phone itself, for other applications and data on the system,
and for the user. If a malicious program reaches a mobile device, the vulnerable area presented by the system must be as small as possible.
Sandboxing extends this idea to compartmentalize different processes, preventing them from interacting and damaging each other. Based on the
history of operating systems, sandboxing has different implementations. For example, where iOS will focus on limiting access to its public API for
applications from the App Store by default, Managed Open In allows you to restrict which apps can access which types of data. Android bases its
sandboxing on its legacy of Linux and TrustedBSD.
The following points highlight mechanisms implemented in operating systems, especially Android.
Rootkit Detectors
The intrusion of a rootkit in the system is a great danger in the same way as on a computer. It is important to prevent such intrusions, and
to be able to detect them as often as possible. Indeed, there is concern that with this type of malicious program, the result could be a partial
or complete bypass of the device security, and the acquisition of administrator rights by the attacker. If this happens, then nothing prevents
the attacker from studying or disabling the safety features that were circumvented, deploying the applications they want, or disseminating a
method of intrusion by a rootkit to a wider audience. We can cite, as a defense mechanism, the Chain of trust in iOS. This
mechanism relies on the signature of the different applications required to start the operating system, and a certificate signed by Apple. In
the event that the signature checks are inconclusive, the device detects this and stops the boot-up. If the operating system is
compromised due to jailbreaking, rootkit detection may not work if it is disabled by the jailbreak method or software is loaded after
jailbreak disables rootkit detection.
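The boot-time chain of trust described above, as an added example that is not part of the original article or of Apple's implementation. The real iOS chain verifies each stage's signature against an Apple-signed certificate; this illustration swaps in a SHA-256 digest chain anchored in an immutable root digest, which shows the same property: a stage that has been altered (for instance by a rootkit) fails verification and the boot stops before it runs. Stage names and image contents are constructed.

```python
"""Digest-chain model of a verified boot: each stage embeds the digest of the
stage it may hand control to, and the boot ROM holds the digest of the first
stage. Stage images here are constructed bytes, not real firmware."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                 # the code that would run at this stage
    next_digest: Optional[str]   # digest the successor must match; None for the last stage


def measure(stage: Stage) -> str:
    # The measurement covers both the code and the embedded successor digest,
    # so neither can be swapped without breaking the link above it.
    return sha256(stage.image + (stage.next_digest or "").encode())


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[str, List[Stage]]:
    """Link stages from last to first. Returns the root-of-trust digest (what an
    immutable boot ROM would hold) and the linked stages in boot order."""
    stages: List[Stage] = []
    next_digest: Optional[str] = None
    for name, image in reversed(images):
        stage = Stage(name, image, next_digest)
        stages.insert(0, stage)
        next_digest = measure(stage)
    assert next_digest is not None, "chain needs at least one stage"
    return next_digest, stages


def verify_boot(root_digest: str, stages: List[Stage]) -> Tuple[bool, Optional[str]]:
    """Walk the chain in boot order. Returns (booted, first_failing_stage).
    On a mismatch the boot halts before the untrusted image executes."""
    expected = root_digest
    for stage in stages:
        if measure(stage) != expected:
            return False, stage.name
        expected = stage.next_digest
    return True, None


# Constructed stage images for the demonstration.
IMAGES = [
    ("bootloader", b"constructed bootloader image"),
    ("kernel", b"constructed kernel image"),
    ("userland", b"constructed userland image"),
]


def demo() -> Tuple[Tuple[bool, Optional[str]], Tuple[bool, Optional[str]]]:
    root, stages = build_chain(IMAGES)
    clean = verify_boot(root, stages)
    # A rootkit that patches the kernel image but keeps its successor digest intact
    # still changes the kernel's measurement, so the bootloader's check fails.
    patched = Stage("kernel", b"constructed kernel image + rootkit hook", stages[1].next_digest)
    tampered = [stages[0], patched, stages[2]]
    return clean, verify_boot(root, tampered)


if __name__ == "__main__":
    print(demo())
```

The only value that must be protected from modification is the root digest held outside the mutable storage; everything below it is checked before it runs. Disabling the check itself (as a jailbreak does) removes that guarantee, which is the caveat the section ends on.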
Process isolation
Android uses mechanisms of user process isolation inherited from Linux. Each application has a user associated with it, and a tuple (UID,
GID). This approach serves as a sandbox: while applications can be malicious, they cannot get out of the sandbox reserved for them by
their identifiers, and thus cannot interfere with the proper functioning of the system. For example, since it is impossible for a process to end
the process of another user, an application can thus not stop the execution of another.
File permissions
From the legacy of Linux, there are also filesystem permissions mechanisms. They help with sandboxing: a process cannot edit any files it
wants. It is therefore not possible to freely corrupt files necessary for the operation of another application or system. Furthermore, in
Android there is the method of locking memory permissions. It is not possible to change the permissions of files installed on the SD card
from the phone, and consequently it is impossible to install applications.
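A model of the two mechanisms just described (per-application UID/GID and Linux file permissions), added here as an example; it is not code from the article or from the Android platform. Package names, PIDs, file paths and modes are constructed, and the starting UID of 10000 is Android's application UID range; the access check itself is the ordinary POSIX owner/group/other test.

```python
"""Model of the Android/Linux application sandbox: every package gets its own
UID and GID at install time, and discretionary access control then decides
whether one app may read another's files or signal its process."""
from dataclasses import dataclass
from typing import Dict

APP_UID_START = 10000  # Android assigns app UIDs from this value upwards


class PackageManager:
    """Hands out a fresh UID per package (GID is taken equal to UID here)."""

    def __init__(self) -> None:
        self._next_uid = APP_UID_START
        self.uids: Dict[str, int] = {}

    def install(self, package: str) -> int:
        if package not in self.uids:
            self.uids[package] = self._next_uid
            self._next_uid += 1
        return self.uids[package]


@dataclass(frozen=True)
class Process:
    pid: int
    uid: int
    gid: int


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int  # POSIX permission bits, e.g. 0o600


def may_access(subject: Process, f: File, want: str) -> bool:
    """POSIX DAC check: root bypasses it; otherwise select the owner, group or
    'other' triplet that applies to the subject and test the requested bit."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if subject.uid == 0:
        return True  # root ignores DAC, which is why rooting malware defeats the sandbox
    if subject.uid == f.owner_uid:
        shift = 6
    elif subject.gid == f.owner_gid:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def may_signal(sender: Process, target: Process) -> bool:
    """An unprivileged process may only signal (e.g. kill) processes of its own UID."""
    return sender.uid == 0 or sender.uid == target.uid


def demo() -> Dict[str, bool]:
    pm = PackageManager()
    uid_a = pm.install("com.example.alpha")
    uid_b = pm.install("com.example.beta")
    alpha = Process(pid=2001, uid=uid_a, gid=uid_a)
    beta = Process(pid=2002, uid=uid_b, gid=uid_b)
    # beta's private database sits in its own data directory, owner-only (constructed path)
    beta_db = File("/data/data/com.example.beta/databases/secrets.db", uid_b, uid_b, 0o600)
    # a world-readable file that beta placed on shared storage (constructed path)
    shared = File("/sdcard/Download/readme.txt", uid_b, uid_b, 0o644)
    return {
        "beta_reads_own_db": may_access(beta, beta_db, "r"),
        "alpha_reads_beta_db": may_access(alpha, beta_db, "r"),
        "alpha_reads_shared": may_access(alpha, shared, "r"),
        "alpha_writes_shared": may_access(alpha, shared, "w"),
        "alpha_kills_beta": may_signal(alpha, beta),
        "root_kills_beta": may_signal(Process(pid=1, uid=0, gid=0), beta),
    }


if __name__ == "__main__":
    print(demo())
```

The two False results for alpha are the sandbox at work: with a distinct UID it can neither read beta's private database nor terminate beta's process, while the root case shows what is lost once an attacker obtains administrator rights.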
Memory Protection
In the same way as on a computer, memory protection prevents privilege escalation. Indeed, if a process managed to reach the area
allocated to other processes, it could write in the memory of a process with rights superior to their own, with root in the worst case, and
perform actions which are beyond its permissions on the system. It would suffice to insert function calls that are authorized by the privileges of
the malicious application.
Development through runtime environments
Software is often developed in high-level languages, which can control what is being done by a running program. For example, Java Virtual
Machines continuously monitor the actions of the execution threads they manage, monitor and assign resources, and prevent malicious
actions. Buffer overflows can be prevented by these controls.
Security software
Above the operating system security, there is a layer of security software. This layer is composed of individual components to strengthen various
vulnerabilities: prevent malware, intrusions, the identification of a user as a human, and user authentication. It contains software components
that have learned from their experience with computer security; however, on smartphones, this software must deal with greater constraints (see
limitations).
Antivirus and firewall
An antivirus software can be deployed on a device to verify that it is not infected by a known threat, usually by signature detection software
that detects malicious executable files. A firewall, meanwhile, can watch over the existing traffic on the network and ensure that a malicious
application does not seek to communicate through it. It may equally verify that an installed application does not seek to establish suspicious
communication, which may prevent an intrusion attempt.
A mobile antivirus product would scan files and compare them against a database of known mobile malware code signatures.
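The signature comparison just described, as an added example rather than code from the article or from any antivirus product. It matches files first by exact SHA-256 hash and then by byte patterns, which shows the limitation a practitioner should know about: a hash signature misses a repacked copy of the same malware, while a pattern signature still catches it. All samples and signatures are constructed for the example; the family names are placeholders and correspond to no real detection.

```python
"""Minimal signature scanner: hash signatures for exact matches, byte-pattern
signatures for variants. Samples and signatures are constructed."""
import hashlib
import re
from typing import Dict, List

# Constructed samples standing in for files found on the device.
SAMPLE_CLEAN = b"PK\x03\x04 harmless notes app resources"
SAMPLE_KNOWN = b"PK\x03\x04 constructed package ... sendTextMessage(premiumNumber, body) ..."
# One byte appended: same behaviour, different hash (what a trivial repack produces).
SAMPLE_REPACKED = SAMPLE_KNOWN + b"\x00"
# A different build of the same family that still carries the characteristic call.
SAMPLE_VARIANT = b"PK\x03\x04 other build ... sendTextMessage( premiumNumber ) ..."


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-match signatures keyed by the file's hash (constructed family name).
HASH_SIGNATURES: Dict[str, str] = {
    sha256_hex(SAMPLE_KNOWN): "Example.KnownBad",
}

# Pattern signatures: a regex over the raw bytes, tolerant of small edits.
PATTERN_SIGNATURES: Dict[str, re.Pattern] = {
    "Example.PremiumSMS": re.compile(rb"sendTextMessage\(\s*premiumNumber"),
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature that matches, hash hits first."""
    hits: List[str] = []
    family = HASH_SIGNATURES.get(sha256_hex(data))
    if family:
        hits.append(family)
    for family, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(family)
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a path -> contents mapping and report detections per path."""
    return {path: scan_bytes(data) for path, data in files.items()}


if __name__ == "__main__":
    # Constructed file set; paths are illustrative.
    report = scan_files({
        "/data/app/notes.apk": SAMPLE_CLEAN,
        "/data/app/known.apk": SAMPLE_KNOWN,
        "/data/app/repacked.apk": SAMPLE_REPACKED,
        "/data/app/variant.apk": SAMPLE_VARIANT,
    })
    for path, families in report.items():
        print(path, families or "clean")
```

Hash signatures are cheap and have no false positives, but they only identify files already seen; pattern signatures cover variants at the cost of needing careful tuning so that benign code containing a similar sequence is not flagged.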
Visual Notifications
In order to make the user aware of any abnormal actions, such as a call they did not initiate, one can link some functions to a visual
notification that is impossible to circumvent. For example, when a call is triggered, the called number should always be displayed. Thus, if a
call is triggered by a malicious application, the user can see it and take appropriate action.
Turing test
In the same vein as above, it is important to confirm certain actions by a user decision. The Turing test is used to distinguish between a
human and a virtual user, and it often comes as a captcha.
Biometric identification
Another method to use is biometrics. Biometrics is a technique of identifying a person by means of their morphology (by recognition of
the face or eye, for example) or their behavior (their signature or way of writing, for example). One advantage of using biometric security is
that users can avoid having to remember a password or other secret combination to authenticate and prevent malicious users from
accessing their devices. In a system with strong biometric security, only the primary user can access the smartphone.
Resource monitoring in the smartphone
‘When an application passes the various security barriers, it can take the actions for which it was designed. When such actions are triggered, the
activity of a malicious application ean be sometimes detected if one monitors the various resources used on the phone. Depending on the goals of
the malware, the consequences of infection are not always the same; all malicious applications are not intended to harm the devices on which
they are deployed. The following sections describe different ways to detect suspicious activity. 7
Battery
‘Some malware is aimed at exhausting the energy resources of the phone. Monitoring the energy consumption ofthe phone can be a way
to detect certain malware applications.)
Memory usage
‘Memory usage is inherent in any application. However, if one finds that a substantial proportion of memory is used by an application, it may
be flagged as suspicious.
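The resource monitoring this section describes, as an added example that is not part of the original article; it goes slightly beyond the two subsections above by treating network volume as a third resource alongside battery and memory. Per-app readings are constructed for the illustration (a real monitor would take them from the platform's battery and traffic statistics), and the rule is a simple one: an app is flagged for a metric when it consumes more than a fixed multiple of the median across installed apps.

```python
"""Per-app resource anomaly flagging over constructed readings for battery,
memory and network volume."""
from statistics import median
from typing import Dict, List, Set, Tuple

METRICS = ("battery_mah", "memory_mb", "bytes_sent")
# Minimum baselines (constructed): below these a median is too small for a ratio
# test to mean anything, so the floor is used as the baseline instead.
FLOORS = (5.0, 50.0, 1_000_000.0)
FACTOR = 4.0  # flag an app when it exceeds FACTOR x the baseline for a metric

# Constructed hourly readings: app -> (battery mAh, resident memory MB, bytes sent)
SAMPLES: Dict[str, Tuple[float, float, float]] = {
    "com.example.mail":       (12.0, 180.0,  2_000_000),
    "com.example.maps":       (25.0, 260.0,  6_000_000),
    "com.example.chat":       ( 8.0, 150.0,  1_500_000),
    "com.example.game":       (30.0, 400.0,    500_000),
    "com.example.flashlight": (140.0, 120.0, 90_000_000),  # a torch app needs neither
    "com.example.notes":      ( 3.0,  90.0,    100_000),
}


def outliers_for_metric(samples: Dict[str, Tuple[float, float, float]],
                        index: int, factor: float = FACTOR) -> Set[str]:
    """Apps whose reading for one metric exceeds factor x the fleet median."""
    if not samples:
        return set()
    values = [reading[index] for reading in samples.values()]
    baseline = max(median(values), FLOORS[index])
    return {app for app, reading in samples.items() if reading[index] > factor * baseline}


def flag_anomalies(samples: Dict[str, Tuple[float, float, float]] = SAMPLES,
                   factor: float = FACTOR) -> Dict[str, List[str]]:
    """Map each suspicious app to the metrics on which it stood out."""
    flagged: Dict[str, List[str]] = {}
    for index, metric in enumerate(METRICS):
        for app in sorted(outliers_for_metric(samples, index, factor)):
            flagged.setdefault(app, []).append(metric)
    return flagged


if __name__ == "__main__":
    for app, metrics in flag_anomalies().items():
        print(f"{app}: suspicious on {', '.join(metrics)}")
```

The game legitimately uses the most memory and is not flagged, because the rule compares against the median rather than the minimum; the flashlight app stands out on battery and network at once, which is the combination the section associates with exfiltration. Thresholds of this kind generate false positives for genuinely heavy apps, so a flag is a prompt for review, not a verdict.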
Network traffic
On a smartphone, many applications are bound to connect via the network, as part of their normal operation. However, an application using
a lot of bandwidth can be strongly suspected of attempting to communicate a lot of information, and disseminate data to many other