A Timeline of Mobile Botnets

A Timeline Of Mobile Botnets
Ruchna Nigam
FortiGuard Labs, Fortinet
Email: [email protected]

Abstract—The explosion of smartphones and their increasing adoption by the masses is a trend that hasn't gone unnoticed by malware authors. In keeping with this trend, malware authors have also focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. This paper focuses particularly on mobile malware variants called bots, which can be controlled remotely by an attacker.

The paper begins with a comparison between mobile and PC botnets, discussing fundamental, conceptual and implementational differences between them. Next, some precursors to fully functional mobile bots are discussed, along with some Proofs of Concept mobile botnets that have been published for research purposes.

The crux of the paper lies in an Inventory detailing known mobile bot variants in the wild, ordered chronologically by their date of discovery and accompanied by features like the Command and Control (C&C) channel used, the C&C commands, the bot's abilities, the main motivation(s) behind it and the number of known samples. Following the inventory, some variants are described further in detail, selected on criteria like Unusual Functionalities, Anti-Debugging Tricks used, Code Obfuscation and Traffic Encryption, and whether they are served using unusual Attack Vectors.

The paper ends in Statistics based upon the analysis of the bot variants listed in the inventory and a Conclusion, including inferences that can be drawn from these statistics. My motivation for this paper ultimately stems from the possibility of this information helping in the design of mobile security systems in the future.

I. INTRODUCTION

2014 saw mobile malware completing 10 years of its existence[1], beginning with the discovery of Cabir, the first mobile worm, in 2004. Since then, mobile malware has broadly followed the same evolution as PC malware, albeit at a much faster pace. This evolution included the evident emergence of bots for mobile phones: pieces of malware that can be controlled by a remote entity, called a Command and Control (C&C) server or botmaster, to perform various functions.

The concept of this paper came about with the idea to create an inventory of sorts of known mobile bot variants and, more importantly, to study the differences and commonalities between them. By means of this paper, the author analyzes and examines 60 odd mobile bot variants, starting with variants as early as 2010, up until the recently discovered version of the Cryptolocker ransomware targeting the Android platform that listens for deactivation commands from its botmaster.

A. Botnets : PC vs Mobile

In this first section, some fundamental, conceptual and implementational differences between PC and mobile botnets will be discussed.

• Platform of operation : The platforms on which botmasters and slaves run are a fundamental difference between mobile and PC botnets. In the case of PC malware, both the botmaster and the slave run on the same platform, i.e. a PC, whereas in the case of mobile botnets the bot slave is on a mobile phone while the botmaster runs on a PC, or on a phone manually operated by an attacker. Botmasters haven't yet been observed running autonomously on phones. One could speculate this is due to constraints on resources in mobile phones such as battery life and computational power.

• Connectivity : Mobile botnets are subject to the connectivity of a mobile phone to a cellular network for communication with a C&C server, whereas PC botnets are subject to the internet access of the PC, which is mostly affected only by network glitches or technical faults in the device itself. The field could be considered as leveled for both kinds of botnets in this case.

• Lucrativeness : Mobile devices fundamentally provide a more lucrative attack surface, owing to the fact that they are almost always carried around by the user. This gives a greater probability of grabbing relevant information from audio and video recordings and camera captures, as opposed to PC botnets, which depend upon the device's uptime and a user's availability at the device. A particularly interesting motivation for mobile botnets that their PC counterparts don't provide is the ability to track the location of a victim in real time.

• Detection : Possibilities of detection using signs of infection exist for both mobile and PC botnets. In addition to that, mobile botnets also face the unique risk of detection from phone bills, i.e. either by unexpectedly high bills due to internet connection and/or SMS messages on fixed amount plans, or by unusual/unrecognized numbers in the call/SMS history on bills.

• Takedown : Fortunately for security enforcers, mobile botnets are still fairly easy to take down, since all cases seen in the wild so far have a single point of takedown, i.e. either a phone number, a server or an email address. However, with the emergence of new variants with remotely upgradeable C&Cs, mobile botnets might be headed towards the level of complexity of takedown seen in PC botnets.

B. The Early Stages of Mobile Botnets

This section will introduce the infamous Yxes malware for the Symbian platform, which was pitted as the first step towards mobile botnets, and some other Proofs of Concept mobile botnets.

In 2009, a Symbian malware named Yxes was discovered that made the headlines particularly for being the foretaste of a mobile botnet[2]. There were mainly two reasons for this speculation :

1) Internet access : The malware collected information from the infected phone, such as the serial number and subscription number, and forwarded it to a remote server, fulfilling one requirement for qualification as a bot client, i.e. reporting to a remote server.

2) SMS propagation : The malware, in effect, sent out SMS messages to the phone's contacts containing a download link. The link pointed to a copy of the malware itself, qualifying it as a self-propagating worm. This further fueled doubts of it being part of a botnet, since the remote copy of the malware could be upgraded by the attacker(s) to include the ability to listen for commands.

However, Yxes isn't classified as a bot since it lacks this fundamental bot functionality - the ability to take commands from a remote location.

In the same year, another malware known as Eeki.B on iOS was discovered. The variant possessed abilities to steal information from the infected phone, such as its SMS database, iPhoneOS version and SQL version, and send it to a remote server in tar-gzipped format. It also scanned fixed IP ranges and the phone's local IP range for other Jailbroken iPhones and sent a copy of itself to them. This variant was not included in the Inventory for the following two reasons :

1) JailBroken Devices : The malware worked only on JailBroken devices, and in addition, only on ones that had an SSH-enabled application and used the default ssh password 'alpine'.

2) C&C Down : As with the previous case, the malware would need to be able to be commanded from a remote location in order to qualify as a bot. In this case, there were no confirmed cases of the exact response received from the C&C. It appears the C&C was taken down fairly soon. However, it is considered as a precursor due to the fact that it possessed the ability to receive and execute shell scripts from a remote server[3].

1) Proofs of Concept (PoCs): This section lists out some PoCs of mobile botnets that have been released over the years.

• In 2010, a PoC for a cellular botnet architecture was presented[4]. The authors evaluated a P2P-based C&C mechanism for mobile phone botnets and implemented it on Jailbroken iPhones. Finally, they compared multiple approaches for C&C communication - P2P, SMS, SMS-HTTP - and concluded that an SMS-HTTP hybrid approach was optimal for C&C communication because of the difficulty in monitoring and disrupting it.

• In 2011, the PoC for an advanced (at the time of writing) Android botnet was introduced. The botnet, called Andbot[5], used a novel C&C strategy named URL Flux. The authors used a Username Generation Algorithm (UGA) to generate the username of a social media account that served as the C&C. The account would generate encrypted tweets that would serve as commands after decryption by the bot. They found Andbot to be stealthy, resilient and low cost.

• In the same year, another PoC was presented that made use of a mechanism for proxying the application layer and modem on the phone[6]. The concept was based on previous work that used the same mechanism for SMS fuzzing[7]. The botnet architecture presented placed the bot functionality between the application layer and the modem, where it would listen for received SMS messages, decode them and check for a Bot key. If the key was found, the payload functionality would be performed. Otherwise, the SMS message would be passed on to the application layer as is done by default.

• In 2012, the authors of [8] presented the detailed design of a PoC mobile botnet. They also included attack vectors for spreading the bot code to smartphones that weren't covered in previous works. They also used SMS messages as the C&C channel. They compared structured and unstructured P2P architectures and concluded that the structured architecture (a modified Kademlia) was the better option.
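Two of the C&C mechanisms above, the Andbot-style URL Flux rendezvous driven by a Username Generation Algorithm and the modem-proxy PoC's SMS bot-key filter, sketched in Python as an added illustration. This is not code from the paper or from any of the cited PoCs: the HMAC-over-date username derivation, the toy stream cipher and tag used for the "encrypted tweets", the `BK7:` key prefix and every function name (`generate_usernames`, `defender_watchlist`, `route_sms`, ...) are assumptions made for this example, and the sample command and SMS bodies are constructed. It also shows the defender's side of the takedown point from Section A: once the algorithm and its secret are recovered from a sample, the rendezvous names can be enumerated ahead of the botmaster.

```python
"""Illustration (added example, not the paper's code) of two PoC C&C mechanisms:
an Andbot-style URL Flux rendezvous driven by a Username Generation Algorithm
(UGA), and the SMS bot-key filter of the modem-proxy PoC. Every concrete
choice below (HMAC over the date, the toy cipher, the key prefix) is an
assumption made for this example, not the published design."""

import hashlib
import hmac
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# ---- Andbot-style URL Flux: both sides derive the same rendezvous names ----
UGA_SECRET = b"assumed-shared-secret"   # assumption: embedded in the bot, recoverable from a sample
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_usernames(day_iso: str, count: int = 3, length: int = 10,
                       secret: bytes = UGA_SECRET) -> List[str]:
    """UGA: derive `count` candidate account names for the day `day_iso`
    (YYYY-MM-DD). The botmaster registers one of them; the bot polls all."""
    names = []
    for i in range(count):
        digest = hmac.new(secret, f"{day_iso}:{i}".encode(), hashlib.sha256).digest()
        names.append("".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length]))
    return names


def defender_watchlist(start_iso: str, days: int) -> Dict[str, List[str]]:
    """Takedown / pre-registration: with the algorithm and secret recovered
    from a sample, enumerate every rendezvous name for the coming window."""
    start = date.fromisoformat(start_iso)
    return {
        (start + timedelta(days=d)).isoformat():
            generate_usernames((start + timedelta(days=d)).isoformat())
        for d in range(days)
    }


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; illustration only, not a real cipher choice.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_command(cmd: str, nonce: bytes, secret: bytes = UGA_SECRET) -> str:
    """Botmaster side: produce a tweet-sized 'nonce.ciphertext.tag' string."""
    data = cmd.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(secret, nonce, len(data))))
    tag = hmac.new(secret, nonce + ct, hashlib.sha256).hexdigest()[:16]
    return f"{nonce.hex()}.{ct.hex()}.{tag}"


def decrypt_command(tweet: str, secret: bytes = UGA_SECRET) -> Optional[str]:
    """Bot side: reject anything that is not a well-formed, authenticated
    tweet, so ordinary posts on a look-alike account are never executed."""
    try:
        nonce_hex, ct_hex, tag = tweet.split(".")
        nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, nonce + ct, hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(secret, nonce, len(ct)))).decode(errors="replace")


# ---- Modem-proxy PoC: SMS bot-key filter between modem and application layer ----
BOT_KEY = "BK7"   # assumption: the paper does not give the PoC's key format


def route_sms(body: str) -> Tuple[str, str]:
    """Return ("bot", command) when the SMS carries the bot key, so the
    payload runs and the message never reaches the inbox; otherwise
    ("app", body) to hand it to the application layer unchanged."""
    prefix = BOT_KEY + ":"
    if body.startswith(prefix):
        return "bot", body[len(prefix):]
    return "app", body


if __name__ == "__main__":
    day = "2011-05-01"
    print("rendezvous names for", day, generate_usernames(day))
    tweet = encrypt_command("send_sms:+15551234:hello", b"\x01" * 8)  # constructed sample command
    print("tweet:", tweet, "->", decrypt_command(tweet))
    for sms in ("BK7:record_audio 30", "hi, running late"):           # constructed sample SMS bodies
        print(sms, "->", route_sms(sms))
```

The tag check in `decrypt_command` is what keeps a URL Flux bot from executing random posts on an account that happens to match a generated name, and it is also what makes `defender_watchlist` useful: registering the names does not give the defender the ability to issue commands, but it does deny the botmaster the rendezvous point.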
C. The Inventory

TABLE I: Known mobile bot variants, in chronological order
Columns: Time | Name of Variant | C&C Type | Botnet Commands | Bot Capabilities | Info. Leaked by | Main Motivation | #
(Only a fragment of the first row survives on this page: "Default", "2010", "Send location using GPS + Google maps".)
