Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, and Patrick Traynor School of Computer Science, Georgia Institute of Technology {yacin.nadji, giffin, traynor}@cc.gatech.edu ABSTRACT such mechanisms are unlikely to be able to continue to re- Mobile application markets currently serve as the main line spond rapidly. Specifically, cellular providers will not be of defense against malicious applications. While market- able to rely solely upon the rapid identification and removal of malware by mobile market operators. place revocations have successfully removed the few overtly 1 malicious applications installed on mobile devices, the antic- In this paper, we propose, design, and implement Airmid , ipated coming flood of mobile malware mandates the need a system for the automated detection of and response to ma- for mechanisms that can respond faster than manual inter- licious software infections on handheld mobile devices. Our vention. In this paper, we propose an infrastructure that architecture leverages cooperation between network moni- automatically identifies and responds to malicious mobile tors and on-device software components. We place the main applications based on their network behavior. We design detection component within the network so that no malware- and implement a prototype, Airmid, that uses cooperation specific knowledge needs to be stored at every mobile device. between in-network sensors and smart devices to identify When the network sensor detects malicious traffic (which the provenance of malicious traffic. We then develop sam- can be done using traditional security tools including DNS ple malicious mobile applications exceeding the capabilities blacklists, domain firewall policies, an IDS, etc), it notifies of malware recently discovered in the wild, demonstrate the devices sending or receiving that traffic via an authenticated ease with which they can evade current detection techniques, channel. A protected software agent on each device then and then use Airmid to show a range of automated recovery identifies executing processes responsible for the malicious responses ranging from on-device firewalling to application traffic and initiates a recovery action to repair the infection: removal. traffic can be filtered at the device, apps can be sandboxed or deleted, or the device itself can be patched or restored to its factory defaults. This system allows malware detection 1. INTRODUCTION and response to occur at machine speed without human in- Malware infections on mobile phones have flourished in teraction and without burdening small handheld systems with recent years. Nearly immediately after the introduction of the computation, storage, and power consumption typical of functionality beyond basic telephony, researchers have sug- traditional anti-virus systems. gested that such devices were likely targets of malicious soft- As in desktop malware, we expect malicious apps to in- ware [14, 24]. However, even as mobile operating systems crease in sophistication as defensive utilities become widespread; move towards greater sophistication and an increasing num- however, current malicious applications remain rather sim- ber of malicious applications have been discovered, large- plistic. To facilitate testing with complex malicious apps, we scale infection has been avoided. This relative safety can be developed laboratory samples of mobile malware exhibiting largely attributed to the revocation capabilities of mobile characteristics common to mature desktop-class malware. application markets which, upon discovering or being noti- The basic functionality of the malware reflects attacks al- fied of the existence of a malicious program, can remove it ready occuring in cellular devices: our apps leak private from both the marketplace and installed platforms. data [39], dial premium numbers [26], and participate in Manually-triggered revocations have been successful be- botnet activity [36]. To this we added complex evasive func- cause the number of malicious applications has been small. tionality: our samples detect the presence of an emulated As the rate with which new mobile malware is discovered environment and change their behavior, create hidden back- begins to approach that of traditional malware, estimated ground processes, scrub logs, and restart on reboot. These by some as greater than 70,000 new samples per day [38], samples demonstrate that mobile device software architec- tures permit the creation of advanced malware that can- not be easily identified prior to distribution, underscoring the need for rapid recovery after infection. For safety, our Permission to make digital or hard copies of all or part of this work for malware lacks propagation ability and was tested only on a personal or classroom use is granted without fee provided that copies are closed network. not made or distributed for profit or commercial advantage and that copies In summary, we make the following contributions: bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. 1 ACSAC ’11 Dec. 5-9, 2011, Orlando, Florida USA Airmid is the Celtic goddess of healing, and is known for Copyright 2011 ACM 978-1-4503-0672-0/11/12 ...$10.00. her ability to bring the dead back to life. • Identification of current remediation shortcom- low level API calls [7] and anomalous power usage pro- ings: While mobile application markets have thus far files [28,30]. These device-only approaches fail for a number successfully removed most discovered malware, we ar- of reasons, including excessive power requirements for tradi- gue that such mechanisms are unlikely to remain suc- tional anti-virus system scanning and false positives caused cessful as the only mechanism given the expected in- by untrained benign behavior. Tools such as TaintDroid [16] crease in malicious software for mobile environments. and PiOS [15] can identify information flows in applications, In particular, markets do not have access to all traf- but they require significant manual assistance and do not au- fic generated by such applications, nor the perfectly tomatically identify \malicious" behavior; rather, they iden- analyze all incoming applications prior to distribution. tify the presence of specific information flows (e.g., IMEIs and IMSIs). Neither approach is currently scalable as a • Design and implementation of advanced proto- means of analyzing all available mobile applications. type malware: We build three proof-of-concept mal- Traffic attribution and provenance are generally difficult ware instances based on samples collected\in the wild". problems. IP addresses are well known as weak indicators We then demonstrate the ease with which such mal- of the origin of malicious traffic on the Internet. Regular ware can resist static and dynamic analysis in a mar- backscatter traffic measurements indicate wide-spread ad- ket, making their pre-deployment detection unlikely dress spoofing [32]. Balasubramaniyan et al. attempt to and the need for a more dynamic \kill switch" mecha- solve a similar problem in the larger telephony space [5]. nism. Because cellular networks maintain a cryptographic relation- • Cooperatively neutralize malware on infected ship with each user device, attribution of a specific packet to mobile phones: We pair a software agent running an individual device is possible. However, additional steps within a hardened, modified version of the stock An- must be taken to identify the specific process responsible droid Linux kernel with a network sensor running Snort. for traffic. In the context of virtualized desktop systems, Our network sensor initiates a range of remediation ac- Srivastava et al. [40] developed a virtual machine introspec- tions that successfully sanitize our advanced prototype tion based technique that attributes network traffic to an malware in under 10 ms. Remediation results can be executing process for the purpose of implementing firewall fed back to mobile markets, allowing both providers rules. Our work uses an in-kernel approach to identify a and application vendors to more quickly protect cus- similar correlation between network behaviors and process tomers from malware. execution for the purpose of malware infection remediation. The remainder of this paper is organized as follows: Sec- 3. MOBILE MALWARE tion 2 compares related research. Section 3 presents an Malware has begun to move from desktop computing into overview of the current state of mobile malware creation mobile environments. This section briefly considers mobile and detection, and it demonstrates by example how mobile malware already deployed, and it then extensively presents malware can implement evasive behaviors similar to those highly capable laboratory samples that we created to demon- of desktop-class malware. Section 4 proposes our remote strate both the evasive technologies available to malware au- repair architecture for in-network detection of malware and thors on Android platforms and the utility of our proposed automatic on-device remediation of the infection. Section 5 remote repair design. presents our specific prototype implementation for Android and an evaluation of the prototype's performance using the 3.1 In the wild evasive malware instances first presented in Section 3. Sec- By the first quarter of 2011, over 1000 mobile malware tion 6 includes a discussion of the system, its potential ap- instances have been discovered in the wild, primarily tar- plications,