NEMESYS: First Year Project Experience in Telecom Italia Information Technology

Transcription

1 NEMESYS: First Year Project Experience in Telecom Italia Information Technology Madalina Baltatu, Rosalia D Alessandro, and Roberta D Amico 1 Introduction Nowadays smartphones are ubiquitous, their usage continues to grow all over the world. With the International Telecommunication Union (ITU) estimating global mobile subscriptions at 6 billion at the end of 2011, it is calculated that global smartphones penetration is now 16.7 percent [7]. Smartphones are devices built on full-fledged operating systems, with advanced computing capabilities and enhanced connectivity (3G/4G, Wi-fi, bluetooth). They are also personal digital assistants, media players, compact digital cameras, video cameras, GPS navigation devices, and even tuners for musical instruments. Smartphones are also beginning to be used for direct paying (like debit cards), and to get access to enterprise premises. They are all equipped with web browsers and other network applications that use highspeed Wi-fi data access and mobile broadband, or proximity bluetooth access. Mobile application developers have immediately understood the opportunity presented by smartphones deployment, and, at the present time, mobile applications stores are the major drivers of smartphones adoption in everyday life. Unfortunately, smartphones are also becoming attractive for cyber criminals and malware developers. Ever since 2011, mobile malware has started to grow steadily. It seems that the trend is similar to that followed by malware developed for personal computers, but in a much faster way. Moreover, differently from traditional computer platforms, smartphones are natively a source of profit (since they have available the users phone and data traffic credit), and this makes them a great target of attacks. The spreading of smartphones also imply that Mobile Network Operators (MNOs) are required to provide appropriate protection and security mechanisms to their core network and, if possible, to their customers devices. Telecom M. Baltatu, R. D Alessandro, R. D Amico Security Lab, Telecon Italia Information Technology, Via Reiss Romoli 274, Turin, Italy, madalina.baltatu,rosalia.dalessandro,roberta.damico@it. telecomitalia.it 1

2 2 Madalina Baltatu, Rosalia D Alessandro, and Roberta D Amico Italia is aware of the potential threat compromissed smartphones represent to mobile networks. This is the main rational that motivates our presence in the NEMESYS project. NEMESYS aims to respond to these challenges by designing a comprehensive security infrastructure able to offer protection to both devices and mobile networks. Other contributions made in the context of the NEMESYS project are detailed in [1, 2, 3, 4, 5]. The material presented in this paper is organised as follows: Section 2 presents some statistics on mobile platforms market penetration and mobile malware spreading during the last years. Section 3 describes the main activities related to mobile security in Telecom Italia Information Technology. Section 4 presents the first year participation of our organization to the NEMESYS project, while the last Section contains the concluding remarks. 2 Mobile Platforms and Malware Statistics In this section we present some significant statistics computed from worldwide data, on mobile platforms distribution and malware spreading, in order to understand the importance of mobile security. 2.1 Mobile Platforms Statistics At the end of 2011 the smartphones market penetration worldwide has reached and surpassed one billion units [7]. In 2012 Andorid and ios account for the significant majority of the global smartphone installed base: [8] shows that these platforms represented 92 percent of global smartphone shipments in the fourth quarter of Furthermore, it appears that smartphones represent the technology that is spreading faster than any other technology in human history except for television [9], and this happens even in developing countries. Figure 1 illustrates the market shares of the main mobile operating systems in the first half of 2012, as presented in [10]. We can see that in the last two years, the four most popular mobile platforms are, in order: Android, Apple ios, Symbian OS and RIM (Blackberry). Statistics computed from real data collected in the mobile network of Telecom Italia during a single day in 2012 (the first half of the year) shows the following distribution of the mobile operating systems of the devices registered to the network: most of the registered phones still run the Symbian OS, they are followed by ios and Android. The distribution per OS of the traffic coming from these devices shows that 63 percent of the network data traffic is generated by ios smartphones, followed by Android devices. By the end of 2012, the situation changed significantly: Android surpassed both Symbian and ios, with 31 percent of the terminals registered to the network run-

3 NEMESYS: First Year Project Experience 3 Fig. 1 The mobile market: the shares of the main mobile OSes in ning Android, 29 percent Symbian OS and 21.6 percent ios. BlackBerry is at the 4th place, while a small number of devices run Nokia OS, Windows Phone, and Bada OS. The data traffic is still mainly generated by ios phones, but Android is following up very fast. According to a six-month study during 2012 presented in [12], 67 percent of the measured web traffic during this time period came from ios devices. Android accounted for about half of the overall traffic. As we may see, these findings are in line with the statistics performed on instantaneous data collected in Telecom Italia mobile network. In February 2013, another report [13] shows that Android took the lead from ios in mobile data traffic. 2.2 Malware Statistics Mobile malware spreading increased steadily all along 2012, overriding the predictions [14]. According to public statistics presented in [15], the malware volume doubled in the last quarter of 2012 if compared to the same period one year before. An interesting view on the phenomenon is offered in [16], which provides an image of the mobile malware spreading during 2012, where Android is the incontestable leader: 98,96 percent of all malware is Android malware! This situation is also illustrated in [15], which shows Android at 97 percent, followed by Symbian and Java ME. Even if the actual figures change slightly from one malware statistics to another, we can note that, Android always holds the leadership. Popularity comes at a price: the most open and the most spread mobile OS at the moment is also the preferred target of malware. Malware rates for the other platforms are so insignificant that, in the majority of malware reports, the statistics are only shown for Android.

4 4 Madalina Baltatu, Rosalia D Alessandro, and Roberta D Amico 2.3 Malware Classification Usually, an application is classified as malware if it performs one or more of the following actions: leaks device or personal information (including user credentials), or spies on users activity; sends premium rate SMS messages, makes premium rate calls, makes subscription to paid services; exploits a vulnerability or software bug on the device to cause it to do something the user does not expects; roots (or jailbreaks) the device to give the attacker control over it; installs a backdoor or turns the device into a bot client; downloads a secondary piece of malicious code from a website (using the http/https channel) or an arbitrary remote server; is destructive to users device or data stored therein; sends spam messages via SMS or spam s from the device; steals private users information and publish it on the Internet, demanding a price to delete it. It is also interesting to take into consideration malware classifications implicitly proposed by the major mobile antivirus companies in their periodical reports. For example, [17] estimates that, from more than six million people affected by Android malware from June 2011 to June 2012, many were affected by Toll Fraud applications. The prevalence of Toll Fraud malware grew from 29 percent of the application-based threats in the third quarter of 2011 to more than 62 percent in the second quarter of The classification proposed in [17] is: Toll fraud, Bot client, App Downloader, Infostealer, Contact Spammer, Rooter, Destructive. In [19], while describing the mobile security trends in 2013, a malware classification is proposed, based on the main malware behaviour patterns: Info Stealers, Spyware, Adware, Premium SMS, Fraud, Exploit, Rooting Malware, Backdoor/Botnet, Hacktool, Downloader/Installer, Destructive, SMS Spam. The distribution in the wild of these typologies is also given for a long period of observation, from 2007 to 2012, where Info stealers, Spywares, SMS senders and Adware are placed at the top of the list. 3 Mobile Security in Telecom Italia Information Technology In the followings, we offer an overview on some ongoing activities in Telecom Italia Information Technology (Security Lab) in the field of mobile security. 3.1 SMS Spam Reporting Service During 2012 Security Lab developed a prototype spam reporting service, that helps the operator to identify the spam received by mobile users over the SMS channel. The service is specified by the GSMA [27], which states that a mobile network operator has to dedicate a specific short number in order for its customers to be able to report any SMS they received which they consider spam.

5 NEMESYS: First Year Project Experience 5 At the beginning of 2013 we started a trial of this service (implemented on Android platforms), dedicated exclusively to employees. The idea is to understand what is the actual level of SMS spam received by this category of users, and, also to investigate if such initiatives of participative security services are well accepted by the users. The next steps will be to extend the trial to other categories of customers, and, also to evaluate possible countermeasures to deploy in order to mitigate the problem. 3.2 Mobile Malware and Application Analisys Security Lab started to study mobile malware in a systematic manner (and as a separate phenomenon from generic PC malware) since 2010/2011, when mobile malware displayed a significant growth (mainly for Android platforms). Since Android is the preferred target of attacks, an automated applications analyser was developed to evaluate the potential danger of an Android application package (apk). The system implements static analysis techniques to obtain a detailed application s behaviour description together with a comprehensive risk value, and uses and extends the Androguard framework [23]. Briefly, the system looks at all APIs used by the application and maps them to the requested permissions (declared in the application s Manifest) [22], in order to detect incoherencies between them. Our work enhances a similar approach proposed in [24], by exhaustively checking whether the declared permissions are effectively used, and whether actions that are not explicitly permitted are performed (in order to avoid permission escalation). We also look for critical APIs usage and Intents abuse. Furthermore, we propose a risk taxonomy and a mapping between the application behaviour and this set of risks. Briefly, the most relevant risks are related to the root privileges escalation, the use of encrypted code, the presence of binary code and/or dynamic code loading, Internet activities, the presence of exploits, the use of dangerous APIs, SMS receipt, sending and interception, phone call activities, user privacy violations (leakage of device and user information), the presence of critical system permissions, and the monitoring and/or modification of the device state (e.g., phone state, network state, active tasks, etc.). Some activities (SMS, calls and Internet) are also related to the economic loss risk. A detailed analysis of the apk archive is also performed, in order to detect potential threats, like embedded applications, infected files (e.g., apk or elf binary libraries already classified as malicious), and shell scripts with potentially dangerous commands. Many malware applications attempt to conceal their purposes. Often, they alter files with some innocuous extension (e.g., png or jpg). Morover, the system is also able to look for URLs and phone numbers, which might be used by the application to communicate with C&C servers or spend the user s money by making calls or sending SMS messages to premium numbers. The risk computation extends the original risk.py module implemented in Androguard by adding additional risks categories, which concur to compute the global

6 6 Madalina Baltatu, Rosalia D Alessandro, and Roberta D Amico risk score. This value is computed by combining all the risk values in a fuzzy [21] system. During 2012, some interesting statistics have been computed, based on real apk data organized in two databases. The first database is a set of free applications downloaded from GooglePlay, while the second contains 1488 known malware samples classified in 90 distinct families, most of them available on Contagio- MiniDump [25]. Figure 2 shows the risk scores distribution for these two datasets. We can see that free applications from GooglePlay are concentrated in the score intervals from 60 to 80, while malware in the intervals which goes from 70 to 90. There is a significant overlapping window which can imply both false positives and false negatives in anomaly based malware detection systems. In our experience, applications that obtain security risk scores major than 70 are to be considered potentially damaging for the device and its user. Fig. 2 Risk scores distribution for malware and legitimate apps. Moreover, legitimate applications obtained unexpected high risk values on several categories like dynamic, exploit, root privileges, dangerous APIs, while the malware set obtained high values on economic loss, Internet, SMS, and privacy violation categories, and significant risks on their archive files. As far as malware is concerned, the privacy violation is the most significant risk encountered, while, for applications downloaded from GooglePlay, the dangerous API usage risk is the highest. These results show that, quite often, a legitimate free application is not as innocuous as users may believe. This may be an effect of either poor programming or the presence of potentially unwanted code (mainly related to adware or due to recycled code).

7 NEMESYS: First Year Project Experience 7 4 The First Year Participation in NEMESYS The participation in the NEMESYS European project is considered a great opportunity in Telecom Italia Information Technology, since this project can provide effective tools for mobile malware monitoring and infection prevention. The value of the NEMESYS approach if compared to the existing approaches nowadays consists in the fact that it takes into consideration a plethora of input information sources to offer a better response to incidents, together with a prevention mechanism. Current mobile security solutions are entirely reactive and non predictive. We envision that NEMESYS can become the starting point for MNOs to cooperate in providing an extended mobile malware response and prevention network. The goal of NEMESYS is to create and develop new security technologies in mobile networks. These technologies are meant to protect both terminals (in particular smartphone devices) and the network core elements. Mobile security is a fast moving field, where new vulnerabilities and their exploits need to be detected and analyzed on a (quasi) real time basis. In order to advance in the field of mobile security, the new technologies must become proactive and work on predicting threats and vulnerabilities. Ideally, the defences must be built before threats materialize. Therefore, the NEMESYS s purpose is to gather and analyse information about the nature of attacks targeting smart mobile devices, so that appropriate countermeasures can be taken to prevent all potential damage (to the core network and devices themselves). NEMESYS will adopt the honeypot scheme for the most popular smartphone platforms. An infrastructure will be developed to collect all susceptible information (possible attack traces), detect and provide early warning of attacks on mobile devices and mobile networks. By correlating the extracted information with the known patterns of attacks extracted from wireline networks, NEMESYS plans to reveal and identify the possible synergies between the two ecosystems (wired and wireless). The first activity related to this kind of realization is the compilation of a thorough state of the art in security threats and attacks against mobile devices and in the field of analysis of current practices. The state of the art and the trends in mobile malware are to be closely monitored during all the project life time. An important activity that TIIT will continue to perform inside NEMESYS is the active monitoring of mobile malware spreading in its own mobile network. To this purpose, TIIT will leverage the deployment of mobile honeypots, in order to better understand the phenomenon of mobile malware spreading and to offer optimal protection to the mobile network and its users. A honeypot is a computer system, built and deployed only for the goal of being attacked and compromised, in order to study new attacks and to serve as an early warning system [26]. A mobile honeypot is a new concept in network security. At the present moment, the majority of honeypots are PC-based, at best they only simulate a mobile environment (like Android and ios). Security Lab already deploys a PC-based passive honeypots that emulate Android and ios responses for some services.

8 8 Madalina Baltatu, Rosalia D Alessandro, and Roberta D Amico Nevertheless, PC-based or emulated environments are to be considered far insufficient in order to have a real perception of mobile malware. To get the pulse of the situations the honeypot has to actually become mobile and collect all the activities that the users perform on their devices. Since we consider this approach of great importance, TIIT will have an active role in all the processes that are related to testing all practical instruments provided by NEMESYS (both mobile honeypots and the virtualization mechanisms proposed by our partners). TIIT is also involved in the definition of both system requirements and framework architecture. We hope to bring a significant contribution to these two tasks, leveraging our experience on mobile network systems and our interaction with customers, which helps us to be very sensitive to our real end users needs. 5 Conclusions The NEMESYS projet represents a great challenge and a great opportunity for Telecom Italia Information Technology. In our vision, NEMESYS can change the way people look at mobile security. This project tries to modify the paradigm that mobile security has adopted all along its first years of existence. Mobile security is basically deployed on terminals only (antiviruses, mobile security suites and the same). Some research work was proposed in order to begin the monitor at a more centralized level (through IP-based honeypost that emulate a mobile OS). But, at the present time, there is no correlation between these mechanisms, and no correlation between these and mobile network security mechanisms (if they exist at all). NEMESYS tries to combine the device-side security instruments with network side anomalies monitoring, in order to offer an effective global security to all mobile network components. In our opinion, both mobile users and MNOs can benefit from this approach. Acknowledgements The work presented in this paper is part of the Project NEMESYS (Enhanced Network Security for Seamless Service Provisioning in the Smart Mobile Ecosystem) which has received funding from the European Union Seventh Framework Programme (FP7) under grant agreement References 1. E. Gelenbe, G. Görbil, D. Tzovaras, S. Liebergeld, D. Garcia, M. Baltatu, G. Lyberopoulos, NEMESYS: Enhanced Network Security for Seamless Service Provisioning in the Smart Mobile Ecosystem, in Proc. 28th Int. Symp. on Computer and Information Sciences (IS- CIS 13), Paris - France, 2013, accepted for publication 2. S. Papadopoulos, D. Tzovaras, Towards Visualizing Mobile Network Data, Proc. 28th Int. Symp. on Computer and Information Sciences (ISCIS 13), Paris - France, 2013, accepted for publication

9 NEMESYS: First Year Project Experience 9 3. L. Delosieres, D. Garcia, Infrastructure for Detecting Android Malware, Proc. 28th Int. Symp. on Computer and Information Sciences (ISCIS 13), Paris - France, 2013, accepted for publication 4. S. Liebergeld, M. Lange, Android Security, Pitfalls, Lessons Learned and BYOD, Proc. 28th Int. Symp. on Computer and Information Sciences (ISCIS 13), Paris, France, 2013, accepted for publication 5. O. Abdelrahman, E. Gelenbe, G. Gorbil, B. Oklander, Mobile Network Anomaly Detection and Mitigation: The NEMESYS Approach, Proc. 28th Int. Symp. on Computer and Information Sciences (ISCIS 13), Paris, France, 2013, accepted for publication 6. Portio Research Ltd. UK, Mobile Factbook 2012, com 7. mobithinking, Global mobile statistics 2012 Part A, 8. Strategy Analytics, Android and Apple ios Capture a Record 92 Percent Share of Global Smartphone Shipments in Q4 2012, 9. Technology Review, Are Smart Phones Spreading Faster than Any Technology in Human History?, Gartner, Market Share: Mobile Devices, Worldwide, 2Q12, com/resid= ZDNet, ios users generate twice as much web traffic than Android users, zdnet.com 12. Chitika Insights, Six-Month Study: Apple ios Users Consume Growing Amount of Web Traffic, December InfoWorld, Android takes the lead from ios in mobile data traffic, February, 2013, http: // 14. Trend Micro, Mobile malware surged from 30K to 175K, Q3 2012, trendmicro.com 15. McAfee, Threats Report: Fourth Quarter 2012, Kaspersky Labs, Kaspersky Security Bulletin The overall statistics for 2012, http: // 17. Lookout Inc. US, State of mobile security 2012, resources/reports/state-of-mobile-security F-Secure Labs, Mobile Threats Report Q3 2012, McAfee, Mobile Security: McAfee Consumer Trends Report 2013, mcafee.com 20. Droidbox Team, Droidbox. Android Application Sandbox, com/p/droidbox/ 21. J. Jantzen, Tutorial on Fuzzy Logic, Technical University of Denmark, Oersted-DTU, Automation, Bldg 326, 2800 Kongens Lyngby, DENMARK. Tech. report no 98-E 868 (logic), revised 17 Jun Google Inc., Android Permissions, Androguard Team, Androguard: Reverse engineering, Malware and goodware analysis of Android applications, A.Apvrille, T.Strazzere, Reducing the window of opportunity for Android malware. Gotta catch em all, Journal in Computer Virology 8(1-2): (2012) 25. Contagio malware, Mobile malware mini dump archive, blogspot.it/ 26. C. Mulliner, S. Liebergeld, and M. Lange, Poster: HoneyDroid - Creating a Smartphone Honeypot, IEEE Symposium on Security and Privacy, March GSMA, GSMA SPAM Reporting Services, technicalprojects/gsma-spam-reporting-services