A Timeline of Mobile Botnets

A Timeline Of Mobile Botnets

Ruchna Nigam FortiGuard Labs, Fortinet Email: [email protected]

Abstract—The explosion of smartphones and their increasing will be discussed. adaptation by the masses, is a trend that hasn’t gone unnoticed by malware authors. In keeping with this trend, malware authors • Platform of operation : The platforms on which have also focussed their attention on mobile devices, leading to a botmasters and slaves run is a fundamental difference steep rise in mobile malware over the past couple of years. This between mobile and PC botnets. In the case of PC paper focusses particularly on mobile malware variants called malware, both the botmaster and slave run on the same bots, that can be controlled remotely by an attacker. platform i.e. a PC, whereas in the case of mobile The paper begins with a comparison between mobile and botnets, the bot slave is on a mobile phone, while PC botnets, discussing fundamental, conceptual and implemen- the botmaster runs on a PC, or on a phone manually tational differences between them. Next, some precursors to fully operated by an attacker. Botmasters haven’t yet been functional mobile bots are discussed, along with some Proofs of observed running autonomously on phones. One could Concept mobile botnets that have been published for research speculate this is due to constraints on resources in purposes. mobile phones such as battery life and computational The crux of the paper lies in an Inventory detailing known power. mobile bot variants in the wild, ordered chronologically based on their date of discovery, accompanied by features like the • Connectivity : Mobile botnets are subject to the Command and Control (C&C) channel used, C&C commands, connectivity of a mobile phone to a cellular network the bot’s abilities, the main motivation(s) behind it and the for communication with a C&C server, whereas PC number of known samples. Following the inventory, some vari- botnets are subject to the internet access of the PC ants are described further in detail, selected based on criteria which is mostly affected only by network glitches or like Unusual Functionalities, Anti-Debugging Tricks used, Code technical faults in the device itself. The field could be Obfuscation and Traffic Encryption, and whether they are served considered as leveled for both kinds of botnets in this using unusual Attack Vectors. case. The paper ends in Statistics based upon the analysis of the bot variants listed in the inventory and a Conclusion, including • Lucrativeness : Mobile devices fundamentally pro- inferences that can be drawn from these statistics. My motivation vide a more lucrative attack surface owing to the fact for this paper ultimately stems from the possibility of this that they are almost always carried around by the user, information helping in the design of mobile security systems in providing a greater probability of grabbing relevant the future. information from audio and video recordings, and camera captures, as opposed to PC botnets that depend I.INTRODUCTION upon the device’s uptime and a user’s availability 2014 saw mobile malware completing 10 years of its at the device. A particularly interesting motivation existence[1] beginning with the discovery of Cabir, the first for mobile botnets that their PC counterparts don’t mobile worm in 2004. Since then, mobile malware has broadly provide, is the ability to track the location of a victim followed the same evolution as PC malware, albeit at a much in real time. faster pace. This evolution included the evident emergence • Detection : Possibilities of detection using signs of of bots for mobile phones, pieces of malware that can be infection exist for both mobile and PC botnets. In controlled by a remote entity, called a Command and Control addition to that, mobile botnets also face the unique (C&C) server or botmaster, to perform various functions. risk of detection from phone bills i.e. either by The concept of this paper came about with the idea to unexpectedly high bills due to internet connection create an inventory of sorts of known mobile bot variants and/or SMS messages in fixed amount plans, or by and, more importantly, to study differences and commonalities unusual/unrecognized numbers in the call/SMS history between them. By means of this paper, the author analyzes and on bills. examines 60 odd mobile bot variants, starting with variants as • Takedown : Fortunately for security enforcers, mobile early as 2010, up until the recently discovered version of the botnets are still fairly easy to take down since all Cryptolocker ransomware targeting the Android platform that cases seen in the wild so far have a single point listens for deactivation commands from its botmaster. of takedown i.e. either a phone number, a server or an email address. However, with the emergence A. Botnets : PC vs Mobile of new variants with remotely upgradeable C&Cs, In this first section, some fundamental, conceptual and mobile botnets might be headed towards the level of implementational differences between PC and mobile botnets complexity of takedown seen in PC botnets. B. The Early Stages of Mobile Botnets because of the difficulty in monitoring and disrupting it. This section will introduce the infamous Yxes malware for the Symbian platform that was pitted as the first step towards • In 2011, the PoC for an advanced (at the time of mobile botnets, and some other Proofs of Concept mobile writing) Android botnet was introduced. The botnet, botnets. called Andbot[5], used a novel C&C strategy named URL Flux. The authors used a Username Generation In 2009, a Symbian malware named Yxes was discovered algorithm (UGA) to generate the username of a social that made the headlines particularly for being the foretaste of media account that served as the C&C. The account a mobile botnet[2]. There were mainly two reasons for this would generate encrypted tweets that would serve as speculation : commands after decryption by the bot. They found 1) Internet access : The malware collected information Andbot to be stealthy, resilient, and low cost. from the infected phone such as the serial number and • In the same year, another PoC was presented that subscription number and forwarded them to a remote made use of a mechanism for proxying the application server, fulfilling one requirement for qualification as layer and modem on the phone[6]. The concept was a bot client i.e. reporting to a remote server. based on previous work that used the same mechanism 2) SMS propagation : The malware, in effect, sent out for SMS fuzzing[7]. The botnet architecture presented SMS messages to the phone’s contacts containing a placed the bot functionality between the application download link. The link pointed to a copy of the layer and modem, which would then listen for received malware itself, qualifying it as a self-propagating SMS messages, decode them and check for a Bot key. worm. This further fueled doubts of it being part of a If the key was found, the payload functionality would botnet since the remote copy of the malware could be be performed. Else, the SMS message would be passed upgraded up by the attacker(s) to include the ability onto the application layer as is done by default. to listen for commands. • In 2012, the authors of [8] presented the detailed However, Yxes isn’t classified as a bot since it lacks this design of PoC mobile botnet. They also include attack fundamental bot functionality - the ability to take commands vectors for spreading the bot code to smartphones from a remote location. that wasn’t covered in previous works. They also used In the same year, another malware known as Eeki.B on SMS messages as the C&C channel. They compared the iOS was discovered. The variant posessed abilities to steal structured and unstructured P2P architectures and con- information from the infected phone such as its SMS database, cluded that the structured architecture (a modified iPhoneOS version and SQL version to a remote server in tar- Kademlia) was a better option. gzipped format. It also scanned fixed IP ranges and the phone’s local IP range for other Jailbroken iPhones and sent a copy of itself to them. This variant was not included in the Inventory for the following two reasons : 1) JailBroken Devices : The malware worked only on JailBroken devices, and in addition, only on ones that had an SSH-enabled application and used the default ssh password ’alpine’. 2) C&C Down : As with the previous case, the malware would need to be able to be commanded by a remote location in order to qualify as a bot. In this case, there were no confirmed cases of the exact response received from the C&C. It appears the C&C was taken down fairly soon. However, it is considered as a precursor due to the fact that it posessed the ability to receive and execute shell scripts from a remote server[3]. 1) Proofs of Concept (PoCs): This section lists out some PoCs of mobile botnets that have been released over the years. • In 2010, a PoC for a cellular botnet architecture was presented[4]. The authors evaluated a P2P-based C&C mechanism for mobile phone botnets and implemented it on Jailbroken iPhones. Finally, they compared multiple approaches for C&C communication - P2P, SMS, SMS-HTTP and concluded that an SMS-HTTP hy- brid approach was optimal for C&C communication C. The Inventory

TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default

2010

Send location using GPS + Google maps Sep Android/ ”How are you???” or Grab location of SMS None link to current geo- 18 2010 SmsHowU.A ”how are you?” victim graphic location via SMS ON, OFF, ADD SENDER, SET Sep SENDER, REM SMS/mTAN SymbOS/Zitmo.A SMS None SMS Forwarding 2 2010 SENDER, BLOCK stealing ON, BLOCK OFF, SET ADMIN

2011

PostUrl, call://, Phone email://, map://, Number, sms://, search://, IMEI, install://, shortcut://, Send Email & Network contact://, SMS, Make phone Operator wallpaper://, calls, Update C&C Details, bookmark://, http://, address, Selective IMSI, toast://, startapp://, Deletion of SMS Voice suggestsms://, messages, Add new Mail HTTP silentsms://, text:// Application Shortcut Jan Number, Propagation of Android/Geinimi.A Port contactlist, icons, Create a 632 2011 SIM possible malware 8080 smsrecord, Bookmark, Display Operator deviceinfo, location, notiﬁcations, List Details, sms, register, running processes, SIM call, suggestsms, Perform web search, Serial skiptime, Display Google Map Number, changefrequency, of current location SIM applist, updatehost, etc. State, install,uninstall, Build showurl, shell, kill, Info. start, smskiller, dsms ON, OFF, ADD SENDER, SET Feb SENDER, REM SMS/mTAN BlackBerry/Zitmo.A SMS None SMS Forwarding 1 2011 SENDER, BLOCK stealing ON, BLOCK OFF, SET ADMIN SMS Forwarding, In- SMS/mTAN stall new packages, Stealing, Feb UNINSTALL 45930, SymbOS/Zitmo.B SMS None Send an SMS with Propagation 2 2011 SET ADMIN text ”app installed of possible ok” malware [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default SMS/mTAN Install new packages, Stealing, Feb UNINSTALL 45930, Forward SMS, Send WinCE/Zitmo.B SMS None Propagation 2 2011 SET ADMIN an SMS with text of possible ”app installed ok” malware IMEI, IMSI, Insert Bookmark, Phone HTTP execMark, execPush, Send SMS, Install Financial, Propa- Mar Number, Android/PjApps.A Port execSoft, execTanc, a new application, gation of possible 320 2011 SMS 8118 execXbox Open URL in phone malware service browser center, ICCID Send SMS to all contacts on phone containing an HTTP Phone link, Send victim’s HTTP Number, HTTP : formula401, Email address via Propagation May Android/ + Network pacem HTTP. of possible 27 2011 Smspacem.A SMS Operator SMS : health SMS command malware, Spam Name sends an SMS back to the sender saying I¨ am infected and alive ver 1.00¨. Send SMS, Relay SMS, Update C&C address, List Installed Applications on Spying or Finan- phone, Delete Jun sms, insms, url, cial (by sending Android/CruseWin.A HTTP IMEI speciﬁc Application 26 2011 clean, listapp, update SMS to premium from phone, Visit numbers) speciﬁed URL if bot’s version is different from version number received from C&C Download, Installa- execDelete, tion and Execution Jun Android/ execInstall, of other packages, Propagation of HTTP IMEI 1000+ 2011 DroidKungFu.A execOpenUrl, Uninstallation of a possible malware execStartApp package, Open URL in Phone Browser [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default IMEI, Hide and delete IMSI, SMS from number User- starting with ”106”, Agent Set bot’s update string, rate, Download and Financial, Propa- Jun Android/ Cell 001, 002, 003, 004, HTTP install package, gation of possible 47 2011 JSmsHider.A Location, 005, 006, 007, 008 Update a package, malware SDK Send SMS, Add Version, APN of a Chinese Bot operator, Update version C&C address Number commandstatus, Set Browser Home- commands, activate, page, Get/Set Book- bookmarks, history, IMEI, marks, Get/Set list Jun installation, Propagation of Android/Plankton.A HTTP Build of Shortcuts on the 2000+ 2011 shortcuts, status, possible malware Info. phone’s main Ap- homepage, plication Page, Send terminate, Debugging Info. unexpectedexception Send SMS, Upgrade self, Widget element IMEI, of C&C’s XML IMSI, XML response HTTP response contains Jun Phone containing tags Android/YzhcSms.A Port a URL to contact, Financial 1 2011 Number, domreg, upgrade, 8080 Phone numbers Build address, time, widget to send SMS Info. to+Content of SMS to send Send SMS, Make a Phone Call, Download and Financial, Propa- Jul Android/ IMEI, HTTP 1 -8 Install new packages, gation of possible 405 2011 GoldDream.A IMSI Delete packages, malware Upload ﬁles to a URL IMEI, IMSI, HTTP Jul Phone Send SMS, Visit a Android/PjApps.B Port execTask, execXBox Financial 15 2011 Number, URL 8018 Location Info. [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default Send SMS history, Phone Contacts, Call Logs, Password# + record, Status of phone; contact, 0boot, Enable/Disable 1boot, 0log, 1log, Aug Booting Spying/Data Android/NickiSpy.B SMS IMEI sendlog, 0sms, 1sms, 20 2011 Notifications, Phone stealing sendsms, 0gps, 1gps, Call Monitoring, state, newnum, 0all, SMS Monitoring, 1all GPS Monitoring; Update C&C Number IMEI, Send SMS, Add IMSI, sendsms, blog down, Aug Bookmark, Open Android/Pirates.A HTTP Android free down, fav down, Financial 107 2011 URL in Phone SDK open wap Browser, Set APN version ###CellInfo:,,,;, ###SMSInfo:,,,;, ###SMSSend:[Param],,,;, ###EMailSend:[Param],,,;, Send SMS, Send ###Send- Email, Make a phone SMS/Data steal- File:[Param],,,;, Aug call, Send a file via ing, Propagation SymbOS/Spinilog.A HTTP None ###MakeA- 1 2011 Bluetooth, Send of possible mal- Call:[Param],,,;, phone information ware ###BtSendMy- to an email address File:[Param],,,;, ###LogInfo:,,,;, ###CalendarInfo:,,,;, ###Systemlist:,,,; Download, Install and Execution of other packages, execDelete, Download and execInstall, install a package in execHomepage, Sep Android/ the ”system/app” Propagation of HTTP IMEI execOpenUrl, 1000+ 2011 DroidKungFu.D folder, Set Browser possible malware execStartApp, Homepage, Open execUpBin, URL in Phone execSysInstall Browser, Download and edit DHCPCD and other files [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default delete list, catch list, catch number=[NUM], delete number=[NUM], command name= removeAllSmsFilter, Selective SMS command name= SMS/mTAN deletion, Selective sendContactList, stealing, Oct IMEI, SMS forwarding, Android/FakeInst.B HTTP command name= Propagation 177 2011 IMSI Send Contact List, removeCurrent- of possible Contact URL, CatchFilter, malware Update Self wait seconds, http url=[URL] method=GET or POST, param name=[NAME], update, screen Send Email & SMS, Make phone calls, Add new Application Shortcut Propagation of Same as icons, Create a Nov Same as possible mal- Android/Geinimi.B HTTP Android/ Bookmark, Display 105 2011 Android/Geinimi.A ware/Displaying Geinimi.A notiﬁcations, List ads running processes, Perform web search, Display Google Map of current location ..>*<>>.a, ..>..*5r>, Forward SMS ..><<*b.*, history, Call Logs, ..>***h<, Contact List, Audio ..><<*>y, Nov Android/ Recordings from Spying/Data SMS None ..>...**j<, 1 2011 GoldenEagle.A phone to hard-coded stealing ..>>>*..w, ...*<.>, email addresses. ..>****>.<, Update Email ..>.<.>*8<, Destination ..>.*<.>*, ..>**>..8

2012

Download, Installa- HTTP tion and Execution Jan Android/ GETID, GETTASK, Propagation of Port IMEI of other packages, 61 2012 DroidKungFu.F URLREPORT possible malware 9000 Uninstallation of a package XML message Selective SMS Hid- containing name and ing, SMS Sending, Financial, Propa- Feb Phone IC- Android/Fjcon.A HTTP download URL for Download and In- gation of possible 80 2012 CID an application to stall of other pack- malware install ages [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default action.host start, action.boot, IMEI, action.shutdown, IMSI, action.screen off, Cell ID, action.install, Location action.installed, Send SMS, Down- Financial, Propa- Feb Android/ HTTP Area action.check live, load and install ap- gation of possible 15 2012 Rootsmart.A Code, action.download shells, plications malware Mobile action.exploid, Network action.first commit Code localinfo, action.load taskinfo, action.download apk SMS forwarding, Feb Start/stop SMS SMS and mTAN Android/Zitmo.A SMS None on, off, set admin 108 2012 forwarding, Update Stealing C&C phone # Download, Installa- Apr Android/ Propagation of HTTP IMEI tion and Execution 204 2012 DroidKungFu.G possible malware of other packages SMS Sending to a **, *0000*11*, given Phone #, Send *[dddd]*15*[proc], Network Info., Cap- *[dddd]*16*[proc], ture Image, Change *[key]*21*, APN, Notify of SIM Financial, May Android/TigerBot.A SMS IMEI *[key]*13, change, Kill specific Spying/Data 40 2012 *[key]*17*a*b, running applications, stealing *[key]*19, Restart the device, *[key]*18, Report Current Lo- *[key]*22 cation, Send Debug Info. Use of the infected connectProxy, HTTP device as a proxy Jun Android/ newServer, Port None server (Probably to Proxy 25 2012 NotCompatible.A sendError, sendPong, 8014 gain access to private shutdownChanal networks) SMS forwarding, Change the C&C Jun IMEI, #, /, !, comma + Phone #, Mark SMS/mTAN Android/Zitmo.E SMS 28 2012 IMSI [NUMBER] Software for stealing Uninstall, Clean Settings Selective SMS Forwarding, IMEI, sms, catch, delete, Selective SMS Jul IMSI, httpRequest, param, SMS and mTAN Android/FkToken.A HTTP Deletion, Forward 688 2012 Phone update, screen, com- Stealing phone Contact Number mand, wait, server List, Configuration Update [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default SMS forwarding, IMEI, Update C&C Jul IMSI, #, /, !, comma + SMS/mTAN Android/Spitmo.D SMS Phone #, Toggle 1 2012 Phone [NUMBER] Stealing SMS Control and Number forwarding IMEI, Jul Android/Twikabot.A HTTP Phone sms SMS Sending Financial 5 2012 Number Configuration Aug Update, SMS Android/Fakemart.A HTTP None sms Financial 3 2012 Sending, SMS Hiding Configuration Aug Update, SMS Android/Fakemart.B HTTP None sms Financial 16 2012 Sending, SMS Hiding Browse Directory Info, Download and mSendReport, HTTP Upload files, Send Aug Phone GetDirList, Spying/Data Android/LuckyCat.A Port Information such 18 2012 Number mReadFileDataFun, stealing 54321 as Phone # & IP mWriteFileDataFun Address of victim’s phone IMEI, IMSI, Phone Number, Android SDK Display HTTP Version, Financial, Propa- Aug Notifications, SMS Android/Vdloader.A Port Network Flag= + 0,1,2 gation of possible 151 2012 Sending, Download 8080 Type, malware and Install packages Phone Type, Phone Model, Network Operator IMEI, Phone Selective SMS Hid- Number, ing and Forwarding, Sep SIM MSG:, PPI:, NUM:, Android/FakeLash.A HTTP Send SMS, Update Financial 2 2012 Serial SMS: list of #s to hide Number, SMS from Android ID [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default IMEI, Build Info., Country Selective Code, service code, SMS Hiding, Sep Phone service text, Android/Vidro.A HTTPS SMS Sending, Financial 159 2012 Language, Service interval, Conﬁguration SIM Card apk source Update country ISO, SIM Card Operator Delete ﬁles on the victim’s phone, Up- load the phone’s File clearFileList, clear- Nov Listing to an FTP Spying/Data Android/FkLookt.A HTTP None Alarm, getTexts, get- 8 2012 server, Save SMS or stealing Dir, getFile, getSize MMS history from the phone to a partic- ular location.

2013

Specify time when Trojan should next contact C&C, SMS Sending, Delete IMEI, HTTP : time, sms, HTTP SMS from phone, Financial, Jan IMSI, send, delete, smscf Android/Stealer.B + Selective SMS Spying/Data 7 2013 Phone SMS : ServerKey + SMS Hiding stealing Contacts 001, 002, anything Start application, Forward received SMS, Update ServerKey value Send out SMS, HTTP Send large number Jan at of UDP packets Android/Tascudap.A None #m, #u, #t Financial, DDoS 40 2013 2700- containing randomly 2799 chosen bytes to speciﬁed URL [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default Send out SMS info, sms, call, messages, Make exec, device reboot, Phone Calls, Toggle get packages, the Wifi State, open, get sd map, Financial, Reboot the Device, get file, get dir, Spying/Data Start other Activities get sms, stealing on the device, Delete del sms, ringer, (particularly HTTP Email Ad- SMS Messages, get network info, Account Feb at dress reg- Change Ringer State. Android/Claco.A creds attack, Credentials). 4 2013 port istered on Upload Network creds dropbox, Propapgation of 9999 phone Information, File get pics, malware to PC and Directory get contacts, when phone is Listing, SMS forward, connected to it in records, contact forward unset, USB mode information, Android usb autorun attack, and Dropbox user start track, credentials, Build commands information Send List of Phone Contacts, Send Mar Phone contact, location, Location Info., Spying/Data Android/Chuli.A HTTP 2 2013 Number sms, other SMS forwarding, stealing Send info. regarding Received Calls IMEI, Display of notifica- Phone tions that could lead news, showpage, number, to the further down- install, showinstall, 64 bit load and installation Apr iconpage, iconinstall, Propagation of Android/BadNews.A HTTP Android of packages, Update 50 2013 newdomen, possible malware ID, Build address of the C&C seconddomen, Info., server, Install Short- stop, testpost Phone cuts on the infected Language phone Activate SMS lis- tener for a specific Apr period of time, For- SMS/mTAN Android/Perkel.A SMS None &&, @DELETE 9 2013 ward SMS to a hard- stealing coded Phone #, De- activate Bot GET RECIVE MESSAGE, GET SEND MESSAGE, IMSI, Delete, Modify, For- Apr MOD- SMS/mTAN Android/SmsMngr.A HTTP Phone ward SMS messages 1 2013 IFY MESSAGE, stealing Number present in the Inbox DELETE MESSAGE, SHOW MESSAGE [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default Uninstall self, Download and Install payload from hard-coded Apr Phone Propagation of Android/Smsilence.A SMS 112, 113 location, SMS 18 2013 Number possible malware from hard-coded number results in Deletion of a specific Application SMS forwarding, If C&C responds with the Apr Phone SMS/mTAN Android/SMSSpy.F HTTP 219083 command(219083), 105 2013 Number stealing the received SMS Message is hidden from the user IMEI, Phone command: Number, start sms forwarding, Build start call blocking, Selective SMS Info., stop sms forwarding, forwarding, Network stop call blocking, Selective Call May Operator Spying/Data Android/Pincer.A SMS send sms, Blocking, SMS 10 2013 Name, stealing execute ussd, sim- Sending, Update Android ple execute ussd, Command Fetching ID, Phone stop program, Interval, Stop bot Language, show message, Rooting delay change, ping state of phone wait, server, subPref, botId, re- moteAllSmsFilters, remoteAllCatch- Call a given Phone Filters, deleteSms, #, Send an attacker- catchSms, sendSms, May IMEI, defined SMS, Open Android/Stels.A HTTP httpRequest, Financial 3 2013 IMSI given URL in Phone update, uninstall, Browser, Toast a spe- notifications, cific message openUrl, sendContactList, sendPackageList, makeCall IMEI, Network SMS forwarding, Carrier, SMS Sending, Network Update SMS Jun Operator destination & Spying/Data Android/Tetus.A HTTP csc, keyword, ucsa 181 2013 Name, Content, Send stealing Build updates when a Info., partner application Firmware is installed Version [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default IMEI, Incoming Toggle GPS status, & Send Location Jul REQ TYPE = LOC, Android/IknoSpy.A HTTP Outgoing Information, Capture Spy/Data stealing 1 2013 REQ TYPE = CAM Call Logs pictures from Phone and SMS Camera messages Delete all SMS messages, Send SMS to Jul Android/ IMEI, !#10:, !#16:, !#20:, SMS a hard-coded Phone Financial 4 2013 MSNewsSpy.A IMSI !#30: Number, Hide In- coming SMS Update PIN value used to identify SMS containing IMEI, bot commands, *#OLD Jul Network SMS Sending when Spying/Data Android/Rmspy.A SMS PIN#INT#NEW 3 2013 Operator calls received, Hide stealing PIN* Name Incoming Calls, Detect SIM change, Detect Battery Change IMEI, IMSI, HTTP C&C returns SIM address of FTP Serial server where Number, collected data is Phone HTTP HTTP : No com- uploaded. Jul Number, Spying/Data Android/SaurFtp.A + mands 2 2013 Location, stealing SMS SMS : 5& SMS command Call logs, hides received SMS SMS & replies with history, Cellular Network Contact Details Informa- tion Forward GPS information, IMEI, Contacts, Directory Phone Listings and Number, Contents, Saved Country Files, Call Logs Code, and SMS history. Aug Operator Record Audio, Take Spying/Data Android/AndroRat.A HTTP 5, 101-123 1000+ 2013 Name, a Picture, Display stealing SIM a Popup on the Country user’s phone, Open a Code, URL in the Phone’s SIM Browser, Cause the Serial # phone to vibrate, Make a phone call, Send out SMS [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default setFilter start, IMEI, setFilter stop, Phone macros, forceZ Number, On, forceZ Off, Steal SMS, Call logs, SIM callBlock start, Contact information; Sep Spying/Data Android/Crosate.A HTTP Country callBlock stop, SMS Sending; 30 2013 stealing ISO, getMessages in, Record a call; Make Network getMessages out, a phone call Operator keyHttpGate, Name keySmsGate, sendSms Set C&C Phone #, Switch on/off Sep Android/ +[NUM], on, off, SMS & mTAN SMS None SMS Forwarding, 1 2013 Hesperbot.A uninstall Stealing Uninstall Application

2014

Download and install of fake Banking Applications, sms start, sms stop, IMEI, SMS forwarding, call start, call stop, IMSI, Prevention of Propagation sms list, call list, Jan Phone Received call of malware, Android/FakePlay.C HTTP start record, stop 3 2014 Number, notiﬁcations+hiding Spying/Data record, sendSMS, Build from Call Logs, stealing contact list, wipe Info. Send Contact List, data Send list of Installed Applications, SMS Sending Start/stop SMS sms start, sms stop, forwarding, Call IMEI, call start, call stop, forwarding, Audio IMSI, sms list, call list, Recording; Forward Jan Phone Spying/Data Android/Nitmo.A SMS start record, stop SMS history, Call 1 2014 Number, stealing record, sendSMS, Logs, Contact List; Build contact list, wipe SMS Sending, Info. data Reboot device and erase all user data HTTP Jun Deactivate Financial(Extortion Android/Pletor.A using IMEI ”command”: ”stop” 54 2014 ransomware of money) TOR Jun Deactivate Financial(Extortion Android/Pletor.B SMS IMEI stopec 4 2014 ransomware of money) [1] Time of Discovery of the First Sample [2] Number of Unique Samples TABLE I: Known mobile bot variants, in chronological order

Info. C&C Leaked Main Time1 Name of Variant Botnet Commands Bot Capabilities #2 Type by Motivation Default Update value of URL or EMAIL & PWD where stolen info. is Propagation ak49-[URL], ak40- sent, Send SMS of possible [MSG], wokm- Jul Phone containing MSG to malware, Android/Wroba.I SMS [MSG], ak60- 77 2014 Number all Phone Contacts, Financial, [EMAIL], ak61- Leak Banking & Installation of [PWD] Credit Card details, banking malware Download and install of fake banking app. updates IMEI, Build Info., Network Operator Name, List of Korean Banking Appli- SMS sending cations to phone contacts, Propagation installed, Download and install of possible Jul padding, right, left, Android/Wroba.M HTTP Phone of fake updates for malware, 156 2014 top, margin Contacts existing Banking Installation of List, Applications, banking malware IMSI, Upgrade self Network Info., SIM Operator Info., Phone Number, Voice Mail Number Grab SMS History, Call Logs, GPS/Location Info., Phone Browser & Email History, Phone’s File Listing; IMEI, Send Incoming & IMSI, Oct 2-24, 40-46, 100, Outgoing Phone Spying/Data Android/Xsser.A HTTP SIM 1 2014 101 Call Recordings and stealing Serial #, Audio Recordings; SIM State Run shell commands received on phone; Download, Upload or Delete Files; Display a Notiﬁcation [1] Time of Discovery of the First Sample [2] Number of Unique Samples Fig. 1. Location grabbing functionality in Android/SmsHowU

D. Some particularly interesting variants Variants with particularly unusual and/or interesting functionalities have been detailed in this section, followed by subsections on Anti-Debugging Tricks, Code Obfuscation and Trafﬁc Encryption, and unusual attack vectors seen in the wild.

• Android/SmsHowU : (sha256sum : a3444b5c12334b24a587c083eb6c73d3a982397abd0a5eff3d1718bc1c392896) This variant sends the user’s GPS location along with a Google maps link to the sender of the innocent looking SMS command ”how are you?”. The location grabbing functionality is implemented by the code seen in Figure 1. Fig. 2. Strings used for C&C Address Generation The requestLocationUpdates() function registers the current activity to be updated periodically by a provider matching the requirements specified by localCriteria, with location updates[9]. The function specifies no constraints on a time interval between updates but the distance between the user’s • Android/Twikabot : (sha256sum : location at the time of updates is constrained to 10 meters. b63c33cc71eda01b79572e1f8b82b703f9c088fde6966c7cf855f00f8c77775d) The Google maps link creation is implemented by the code below which is based on snippets from the original malware code This bot variant contacts Twitter accounts to acquire the names of C&C servers to contact. This Geocoder localGeocoder; functionality is implemented in the following steps localGeocoder = new Geocoder(this.context, Locale .getDefault()); 1) Once launched, the StatisticsUploader class localList = localGeocoder.getFromLocation(paramLocation generates a random string using an algorithm .getLatitude(), paramLocation.getLongitude(), 1); Address localAddress = (Address)localList.get(0); using predefined strings present in the pack- if (localList != null) age. { 2) This string serves as a nickname for a Twitter localStringBuffer2 = new StringBuffer(); localStringBuffer2.append account. The malware then sends an HTTP re- ("Android device map link: \n"); quest to http://mobile.twitter.com/[Generated localStringBuffer2.append Username]. ("http://maps.google.de/maps?q="); localStringBuffer2.append(URLEncoder 3) From the response to the HTTP request, it .encode(localAddress.getAddressLine(i) + ",")); extracts the string present between a randomly } Object localObject = localStringBuffer2; chosen tag from arrayOfString3 and a randomly chosen domain name from arrayOf- The collected information is then sent via SMS, as String1 whose values are shown in the Figure implemented in the code below 2. 4) Next, it sends a POST request if (localObject != null) { to the URL ”http://”+[Extracted String str4 = localObject.toString(); String]+”/carbontetraiodide” with a SmsManager sms; randomly generated user agent. The infected this.sms.sendTextMessage(this._to, null, str4, this.sentIntent, null); phone’s IMEI, Android ID and phone number } are included as POST parameters. 5) It then checks the response to the POST where to is the sender of the SMS command i.e. the request to see if it contains a command called botmaster. ”sms”. If yes, it sends out an SMS message using information in the POST response such • (sha256sum : Android/NotCompatible : as ”phone” (SMS destination), ”data” (SMS 1a18e48fbd79ce84d946b4d065a7e30c5f10a4762437a6c8d888348afbab685f) body) and ”interval” (number of times to send This malware family supports a command called the SMS). ”connectProxy” that makes it interesting. When received, the bot opens a connection to the IP address • Android/Tascudap : (sha256sum : and port specified by the package’s configuration file, c88a6e66e300268bcb6bd8f725565c24a04bc70bbba8c522235bfb505623ed2d) and redirects traffic to this location, thus allowing a This bot variant shows no explicit signs of its remote attacker to use the infected device as a proxy presence once it is installed. However, it is launched server. every time the official Google Play application is Fig. 3. Android/Tascudap’s functionality to ensure it is launched with Google Play

Fig. 6. Android/Claco’s ”ringer” Command

Fig. 5. Android/Claco’s ”usb autorun attack” Command Fig. 7. Anti-Debugging Trick in Android/NickiSpy.B

launched. It implements this functionality by adding the application’s main intent to the the category android.intent.category.APP MARKET that is sent 1) Anti-Debugging Tricks: Anti-debugging tricks are as out when the Google Play application is launched. widely employed by authors of PC malware however, these The implementation is seen in Figure 3. techniques aren’t as commonly observed in mobile malware. This section will focus on the few mobile bot samples that do More interestingly, apart from being able to process commands for sending out SMS messages and employ them, that were analyzed as part of this study. heartbeat messages back to the attacker, it can also be made to send out numerous UDP packets to a • Android/NickiSpy.B (sha256sum : specific destination. This is implemented in the code 498b425a8536ce03b5738e1ba3339f70ec2680bc437e1650084d8b908a343405) shown in Figure 4 and can only be explained as an checks the IMEI value of the device it is being run attempt at a Denial Of Service (DoS) attack on a destination specified by the attacker. on and forwards it to a URL specified in the package. The application continues to run only if the response The exact implementation of this command can ”y” is received, else it exits. The code implementing be explained as this anti-debugging trick that allows the selective,

if IMEI-based, attacker-determined execution of this User receives SMS containing bot, is seen in Figure 7. "\#u[Dst]:[Port]:[c]:[d]" or "\#u[Dst]:[Port]:[d]" then The check() function implements the HTTP request Send large number of UDP packets containing made and returns ”true” if the response ”y” is randomly generated byte array of random length received. to the address Dst at port Port, d number of times. The value c, whose default value is 500, is used for the generation of the byte array. • Android/Crosate.A (sha256sum : 15281dbe2603f5973d53c5fddabbcc3de6ad3ec65146aa2ffb34a779ea604f82) checks the IMEI value of the device it runs on and • Android/Claco : (sha256sum : if it contains the string ”000000000000000”, the 7b1746778d0196bf01251fd1cf5110a2ef41d707dc7c67734550dbdf3e577bb9) application exits. This is a useful emulator detection This bot variant is interesting for its ability to process mechanism since this corresponds to the IMEI value a command called ”usb autorun attack” that leads on the widely-used emulators that come with the to the download of certain ﬁles from the C&C that Android SDK[10]. The implementation can be seen could be used to infect a PC when the phone is in Figure 8. connected to it in USB mode. The implementation of this functionality in the code is seen in Figure 5. • Android/Pincer.A (sha256sum : 032a095067442d60d0df9fadab07553152e5500a67fc95084441752eafd43f70) It also implements another interesting command checks whether it is being run on an emulator, by called ”ringer” that is followed by a parameter. checking certain parameters like the IMEI, model Depending upon the value of this parameter, the name, phone number etc. for default values found on phone’s ringer state is set to ”silent” or ”normal”. an emulator. This can only be assumed to be done The corresponding code is seen in Figure 6. with the intention of hindering dynamic analysis Fig. 4. Android/Tascudap’s Denial of Service feature

System.exit(0);

The IMEI value used for emulator detection is ”00000000” however, this check doesn’t function due to a coding flaw. If the phone number on the device begins with ”15555”, the application exits. This helps with emulator detection since the default Phone Fig. 8. Emulator Detection in Android/Crosate.A Number on a standard emulator is ”15555215554”. For multiple emulator instances running in parallel, the last 4 digits of the phone number are incremented of the malware on an emulator. These values are to the next even number, within the range 5554 and mentioned below : 5584[11]. Build.PRODUCT = "sdk" or "generic" Build.MODEL = "sdk" or "generic" 2) Code Obfuscation and Traffic Encryption: This section IMEI = "351565050260436" or "000000000000000" details bot variants that employ techniques to hide code by or "357242043237517" or "012345678912345" Phone Number = "15555215554" means of obfuscation or encryption, and those that make use of Build.HARDWARE = "goldfish" traffic encryption to prevent detection by analysis of network Nw = "Android traffic. Each example also shows the implementation of the obfuscation, decryption or encryption schemes in the bot’s If any of the above values are true, the malware code. doesn’t launch the function implementing its botnet • Android/PjApps.A : (sha256sum : capabilities, thereby effectively hiding it’s malicious b84ebe48e60d74984e7e9f5d8c12c2c578ea3554b73df4af8209bbdb7276c839) behaviour. The C&C URL is ’encrypted’ with a simple algorithm that uses only alternate characters of a given string. • Android/Wroba.I (sha256sum : The decryption routine is implemented in the function b103f3897b1619dee157e62a1737e864452a85bab613ad971ac6193b3f6a4834) com.android.main.a.a() of the package that takes the checks for the value of the device’s IMEI and phone encrypted string and an integer as arguments. This number to detect an emulator. This is implemented class is defined as using a code snippet similar to that shown below public static String a(String paramString, int paramInt) { this.telephonyManager = ((TelephonyManager) StringBuffer localStringBuffer = new StringBuffer(); getSystemService("phone")); String str1, str2; String deviceId = "deviceid:" + this. int i = paramString.length(); telephonyManager.getDeviceId(); for (int j = 0; ; j++) String phoneIdentity = this. { telephonyManager.getLine1Number(); if (j >= i / 2) if ((phoneIdentity.startsWith("15555")) || { (deviceId.startsWith("00000000"))) str2 = localStringBuffer.toString(); String str3 = str2.substring(0, paramInt); if (paramInt <= 0) { str1 = str2.substring(paramInt, str2. length() - 3) + "." + str2. substring(str2.length() - 3); } str1 = str3 + "." + str2.substring(paramInt, str2.length() - 3) + "." + str2.substring(str2.length() - 3); break; } localStringBuffer.append(paramString.substring (1 + j * 2, 2 + j * 2)); } return str1; } Fig. 9. AES decryption using a key obtained from the SHA256 hash of a To give an example of its application in a bot sample, hard-coded string in Android/NotCompatible

a("3lgoagdmfejekgfos9t15chojm", 3) = "log.meego91.com"

• Android/Vdloader.A : (sha256sum : 7a771f17e3315c9a93b6ccb1cd5e5e03ca8feeb2d02369d13e5dcdb0b95aaca8) This sample uses a custom string encryption method. The decrypted string is calculated as [char -position]. The decryption code can be found at [12]. To give an example from the bot code, decryption of the string below results in a conﬁguration string used by the bot.

decrypt d = new decrypt(); String str=d.a("7B237868263F283F36392C372E7B7183324 B3443364138807B8D3C553E4D404B42849796465F8149909D 9E9B665C5D909193949697999A9C9D679DAAA977766F78717 Fig. 10. Trafﬁc Encryption by Android/LuckyCat 1B372AFB9B76AA6766DBFB6708972838284768178BAC17B94 7D8D7FDB"); System.out.println ("Decryption result: "+str);

gives the output

Decryption result: {"ve":"8.0","nct":"0","ict":"0", "cus":["http://aabbccddee.com:8080/p.jsp"], "si":"201","ci":"1"}

Fig. 11. XOR decryption in Android/SaurFtp with a key providing life advice • Android/Tascudap.A : (sha256sum : c88a6e66e300268bcb6bd8f725565c24a04bc70bbba8c522235bfb505623ed2d) This variant also makes use of a custom encryption method based on arithmetic and logical operations, the ﬁle between the characters ”<####” and ”####>” for hiding the C&C address. The decryption can be are read and then XOR decrypted as shown in the found at [13]. The decrypted output looks like this Figure 11.

Output = gzqtmtsnidcdwxoborizslk.com The result of the decryption is shown below #### http://android.uyghur.dnsd.me/default.htm #### android.uyghu?O????I?E[\U?SBQE???1?S??F?PFR???,U??? • Android/NotCompatible : (sha256sum : ?JWNFNEJ?GLMT?RF?JM?P?XVQQZMPGG\TUT?T[P?ARBRWMP[Q?X 1a18e48fbd79ce84d946b4d065a7e30c5f10a4762437a6c8d888348afbab685f) ˆT?A\Kˆ[GJ?SLNNJT In this case, the configuration file is encrypted using AES. The bot decrypts a file in the package assets This result is split at ”####” and the first half of the using AES with a key that is the SHA-256 hash of a split serves as the C&C server address from where the hard-coded string. This implementation is seen in the bot acquires the address of an FTP server where all bot’s code in Figure 9 the collected information is finally uploaded.

• Android/LuckyCat : (sha256sum : • Android/JSmsHider.A : (sha256sum : 5d2b0d143f09f31bf52f0ffa0810c66f94660490945a4ee679ea80f709aae3bd) 522e7ded785cfedb5e5200bcf29be072d4e16ba5868b83dcf729d769231303fb) This variant XOR ’encrypts’ the trafﬁc sent to the This variant DES encrypts values of the POST C&C. The encryption can be seen in Figure 10, parameters i.e. the collected data, in trafﬁc sent to where paramArrayOfByte contains the information to the C&C, as can be seen from the bot’s code shown the be sent to the C&C. in Figure 12.

• Android/DroidKungFu.E : (sha256sum : • Android/SaurFtp.A : (sha256sum : 66d90617f49aa2449e338455d3b9ce852c2ca45d5460c1e9e40bb050333b7dfb) 9390a145806157cadc54ecd69d4ededc31534a19a1cebbb1824a9eb4febdc56d) This bot variant gets its C&C address from a ﬁle in This bot variant contains an encrypted binary in the the package assets called proper.ini. The contents of package assets under the name WebView.db.init. The Fig. 15. Decryption and loading of an inner malicious package by An- Fig. 12. Android/JSmsHider.A DES encrypts trafﬁc to C&C droid/Wroba.I

results in an Android package that is saved in the package directory as ”x.zip” and loaded using the command

localDexFile = (DexFile)Class.forName("dalvik.system Fig. 13. AES Decryption routine in Android/KungFu.E. The byte array WP .DexFile").getMethod("loadDex", arrayOfClass) contains the hard-coded key .invoke(null, arrayOfObject);

that invokes the ”dalvik.system.DexFile.loadDex()” function using reflection, a commonly used technique to hide function calls. 3) Unusual Attack Vectors: Most mobile malware follow the classic method of uploading Trojanized versions of legitimate applications to Android markets (Official or Third- Party/non-Market), in order to propagate in the wild. It must be mentioned that installation of any application that doesn’t originate from the official ”Google Play Store” Android market requires users to have the ”Allow Installation of non-Market applications” option checked in the phone’s Fig. 14. Bitwise NOT decryption of strings in native libraries used by Application settings. If this is not already the case, the user Android/DroidKungfu.F, G has to go through the extra step of checking this option before the installation of a non-Market application. file is decrypted using AES with a hard-coded key, Some examples detailed below deviate from the ’norm’ of as seen in Figure 13. The resulting decrypted file is passing through an Android market and use unusual attack an ELF-binary that is then executed and contains the vectors for distribution. malicious bot functionality of communicating with the C&C, downloading other packages and installing • Android/NotCompatible.A : These variants are them. mostly served by means of malicious iframes on compromised websites. An unsuspecting user visiting such • Android/DroidKungFu.F, G : (sha256sum : a compromised website would automatically have 6c4aebf5043ea6129122ebf482366c9f7cb5fbe02e2bb776345d32d89b77a2e0) the malware downloaded to his/her phone. However, These variants make use of Java code from a native installation of the malware would still require user library in order to drop an executable onto a rooted intervention. Android device. The native library contains encrypted strings that are first decrypted before the library • Android/Chuli.A : This variant was touted as the can drop the malicious executable. The decryption first Android malware delivered using a targeted scheme used is a Bitwise NOT operation on each attack[14]. It was sent as an email attachment to byte of the encrypted string. This is shown in the the accounts of Tibetan human rights advocates & native library’s IDA disassembly seen in Figure 14. activists in an email regarding the the World Uyghur Congress (WUC) Conference that took place in • Android/Wroba.I : (sha256sum : Geneva from 11-13 March, 2013. The malware col- b103f3897b1619dee157e62a1737e864452a85bab613ad971ac6193b3f6a4834) lected contact and location information, received SMS This variant hides its main malicious activity within information and call records from the infected phones. a package that is encrypted and hidden within itself. This spyware functionality combined with its targeted The inner malicious package is present in the original nature, led to doubts of political motivations behind package as an asset file and is decrypted using DES the malware. before it can be loaded and the malicious functions called. The implemented of this decryption and class • Android/FakePlay.C : This variant was interesting loading is seen in the code in Figure 15 for its ability to propagate from an infected PC to a The code in the figure shows the DES decryption of an mobile phone connected to it in USB mode. The attack asset file ”ds” using the key ”gjaoun”. The decryption vector was, thus, from PC to mobile, the inverse of 43 31 30 40 25 30 20

20 20 15 10 10 # of Bot Variants # of Bot Variants 10 5 3 2 0 0 HTTP/S3 SMS HTTP+SMS4 Port=80 Port<>80 Others5

Fig. 16. C&C Channels used by different bot variants Fig. 17. Ports used by variants using an HTTP C&C Channel

that employed by Android/Claco.A. The PC malware 42 propagating this mobile bot variant has been detected as W32/BackDoor.VX!tr by Fortinet. This Windows malware made use of Android’s Debug Bridge[15] for 35 communication between the PC & connected mobile 30 device and for installation of the mobile malware. 26 24 • Android/Xsser.A : This variant, discovered in 2014, 25 was uniquely served as links in messages on the mo- 20 bile messaging service Whatsapp. It was particularly sent to several participants of the 2014 Hong Kong 15 13 protests in September, 2014 as part of the ”Occupy # of Bot Variants Central” pro-democracy civil disobience campaign. 10 The Whatsapp message provided a link that claimed 5 4 to be ”designed by CODE4HK for the coordination of OCCUPYCENTRAL”[16], however the shortened link led to a site with a Chinese TLD, with the URL 6 deliberately made to look like a legitimate Code4HK IMEI IMSI link. This case, once again, led to doubts of political Location motivations behind malware creation. An iOS variant of the same malware was found on the C&C that the Phone Number Android Trojan communicates with, but no reports Build Information of the iOS variant being distributed in public were received. Fig. 18. Information Leaked by Default by Different Variants

E. Statistics Information Leaked By Default This section focusses on statistics based on the different Figure 18 plots what information is leaked by default properties of the bot variants detailed in the Inventory. against the number of variants. Information leaked by default C&C Channel Used refers to data that is sent simply upon launching the malware, without the receipt of any command from the botmaster. Figure 16 shows a plot of the kind of C&C Channel used for communication with the C&C by different bot variants Device Administrator Privileges Of the 43 variants that make use of HTTP, Figure 18 Device Administration is a feature available on devices that shows a plot of the number of variants that make use of HTTP run an Android version >= 2.2. This feature is available by communication to the standard port i.e. 80 vs those that use a means of an API[17] that mainly provides device adminis- non-standard port. tration features at the system level. It was introduced mainly to facilitate the development of security-aware applications, 3Variants using HTTP or HTTPS 4Variants using both HTTP and SMS as C&C channels 6This information covers everything accessible through the ’an- 5These 2 variants used HTTPS and HTTP with TOR respectively droid.os.Build’ class 35 35

30 12.12% 25 25 24

87.88% 15

# of Bot Variants 10

Variants requesting Device Administrator Privileges = 8 5 3

Variants not requesting Device Administrator Privileges = 58 [!t] 0

Fig. 19. Percentage of Variants Requesting Device Administrator Privileges

Others(5%) however, is also interesting to attackers for the escalated rights Financial(36%) it provides an application. The most common motivation seen for its use in malware is to make uninstallation of the malware tricky. If the user accepts Spying/Data stealing(53%) to provide Device Administrator Privileges to an application after installation, it can only be uninstalled if its corresponding Device Administrator is deactivated from the phone’s ”Loca- Propagation of Possible Malware(38%) tion & security” Settings menu. Without knowledge of this information, a user could assume the application in question Fig. 20. Main Motvations behind creation of bot variant is uninstallable.

Figure 19 shows the percentage of bot variants studied that 37 request for these privileges from the user after installation. 35 Main motivation

During classification of variants based upon the motivations 30 behind them, the lines between different categories can get blurry and it can be assumed that they all finally merge towards monetary gains. During the writing of this paper, the most 25 evident motivation was given preference. Figure 20 shows a plot based on the main motivations 20 17 behind the creation of a bot variant, guessed based upon the # of Bot Variants bot’s functionalities. 15 Spying/Data stealing : This category includes all bot 11 variants that also had ’SMS/mTAN Stealing’ as their main 10 motivation Financial : This category includes bot variants that rely on sending SMS to Premium Phone Numbers in order to make money and also ransomware. CN=Android Propagation of Possible Malware : All variants classified under this category either have the ability to download and Custom Certificate install new packages onto an infected phone, or send out SMS messages containing links pointing to possible malware to the Contacts saved on the infected phone. The malware Android Developer Certificate Android/Claco that can infect a PC via USB also falls under this category. Fig. 21. Certificates Used for Signing Different Bot Variants Signing Certificates Figure 21 plots the variants against the certificates used to classified under 3 categories explained in detail below the sign one sample of each variant. The certificates have been graph. The Android Developer Certificate corresponds to the cer- ACKNOWLEDGMENT tificate that comes with the Android SDK. It can be identified The author would like to thank Axelle Apvrille and Guil- by the following values laume Lovet for their help. Many thanks also to all authors Owner: CN=Android Debug, O=Android, C=US whose work was referenced during the writing of the paper. Issuer: CN=Android Debug, O=Android, C=US REFERENCES A Custom Certificate describes a developer specific certifi- [1] Fortinet, 2014, http://www.fortinet.com/sites/default/files/whitepapers/10- cate. An example is given below Years-of-Mobile-Malware-Whitepaper.pdf. [2] A. Apvrille, “Symbian worm yxes: Towards mobile botnets ?” in Owner: CN=Yaba EICAR, 2010, http://www.fortiguard.com/files/EICAR2010 Symbian- Issuer: CN=Yaba Yxes Towards-Mobile-Botnets.pdf. [3] H. S. Phillip Porras and V. Yegneswaran, “An analysis of the ikee.b Serial number: 4fc1f17d (duh) iphone botnet,” http://mtc.sri.com/iPhone/. Valid from: Sun May 27 11:18:53 CEST 2012 [4] J.-P. S. Collin Mulliner, “Rise of the iBots: 0wning a telco network,” until: Sat May 19 11:18:53 CEST 2046 in Proceedings of the 5th IEEE International Conference on Malicious and Unwanted Software (Malware), Nancy, France, October 2010. Several variants were found to be signed using a certificate [5] Y. L. L. X. Z. T. Ciu Xiang, Fang Binxing, “Andbot: like the one seen below and have hence been grouped under Towards advanced mobile botnets,” in USENIX, 2011, a category of their own. https://www.usenix.org/legacy/events/leet11/tech/slides/xiang.pdf. [6] G. Weidman, “Transparent botnet control for smartphones over sms,” in ISSA-DC, 2011, http://www.issa- Owner: [email protected], dc.org/presentations/04192011 weidman smartphone botnets.pdf. CN=Android, OU=Android, O=Android, [7] C. M. Collin Mulliner, “Fuzzing the phone in your phone,” in L=Mountain View, ST=California, C=US Blackhat USA, 2009, http://www.blackhat.com/presentations/bh-usa- Issuer: [email protected], 09/MILLER/BHUSA09-Miller-FuzzingPhone-SLIDES.pdf. CN=Android, OU=Android, O=Android, [8] X. H. Yuanyuan Zeng, Kang G.Shin, “Design of sms commanded-and- L=Mountain View, ST=California, C=US controlled and p2p-structured mobile botnets,” in 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2012, http://www-personal.umich.edu/ gracez/mobilebotnet.pdf. ONCLUSION II.C [9] Android, “Location manager,” https://developer.android.com/reference/ By means of this paper, it was shown that malware authors android/location/LocationManager.html#request LocationUpdates%28java.lang.String,%20long, continue to be mainly driven by motivations of spying, finan- %20float,%20android.location.LocationListener%29. cial gains and further propagation of malware. The precedence [10] “Android sdk download,” https://developer.android.com/sdk/index.html. of financial motivations over spying in the statistics could be [11] DGODDARD, “Changing the imei, provider, model, and phone number explained by the fact that they don’t take into account how in the android emulator,” http://vrt-blog.snort.org/2013/04/changing- many successful infections of each variant exist in the wild. imei-provider-model-and-phone.html. [12] “Tascudap string decryption,” https://github.com/slojo/Decryptors/ Based on the statistics collected and the variants de- blob/master/Tascudap decrypt.java. scribed, it can be concluded that although attackers’ mo- [13] “Vdloader string decryption,” https://github.com/slojo/Decryptors/ tivations haven’t changed much, the strategies used while blob/master/Vdloader decrypt.java. writing malware continue to evolve. Be it the employment [14] S. Gallagher, “First targeted attack to use android malware dis- of Anti-Debugging tricks or the increasing use of encryption covered,” http://arstechnica.com/security/2013/03/first-targeted-attack- and obfuscation in new malware. It was also shown through to-use-android-malware-discovered/. examples that mobile bot variants are still relatively easy to [15] Android, “Android debug bridge,” https://developer.android.com/tools/ take apart, fortunately for the analyst, and are yet to achieve help/adb.html. the level of complexity of their PC counterparts, [16] Code4HK, “Fake code4hk mobile app,” https://code4hk.hackpad.com/Fake-Code4HK-Mobile-App- More importantly, the emergence of new and innovative HQXXrylI6Wi. attack vectors, even attacks that can move from one attack [17] Android, “Device administration,” http://developer.android.com/guide/ surface to another (Android/Claco.A, Android/FakePlay.C), topics/admin/device-admin.html. provides a multi-level threat. Combining that with the fact that mobile phones are increasingly being used for diverse purposes e.g. to control a smart TV, interfacing with a fitness tracker, or interfacing with any other Internet connected device for that matter, more attacks spanning attack surfaces can be expected to be seen. Finally, with the use of multiple C&C channels by a single bot variant and remotely configurable C&C addresses, mobile botnets are becoming more resilient to takedown. All these factors hint at the need for systems/applications designed specifically for detection and takedown of mobile botnets to be put in place, where this paper aims to prove useful.