Detecting Mobile Malware

A couple of weeks ago, my colleague Alina Oprea and I participated in the ZISC Workshop on Secure Mobile and Cloud Computing 2012 sponsored by the ETH here in Zürich. The second day of the workshop focused on cloud security, ending with Alina’s great presentation on research that RSA Labs is doing on mechanisms that enterprises could use to validate the security and availability of data entrusted to a cloud service provider. There were also very interesting talks by Vinod Vaikuntanathan (University of Toronto) on fully homomorphic encryption and George Danezis (Microsoft) on considerations for deploying cryptographic protocols for the cloud.

The first day focused on security for the world of mobile devices, starting off with a talk by Patrick Traynor of Georgia Tech University that for me was the most interesting one of that part of the workshop. Patrick spoke about research his team has been doing on mobile malware, describing how they’ve used a machine learning technique called Multiple Correspondence Analysis (MCA) to get to a “ground truth” about how pervasive mobile malware is, including their surprising conclusion that so far there is little evidence of significant malware infection in the mobile world.

The Georgia Tech research hasn’t been published yet, but the technique he described was similar to one discussed in a 2011 University of California, Berkeley, paper on mobile malware, “A Survey of Mobile Malware in the Wild”, describing how application requests for mobile phone permissions could be used to distinguish malware from legitimate applications. That paper showed how analyzing the grouping of permissions requests by malware versus legitimate applications provided strong indications of certain kinds of malware. It also suggested, however, that “more sophisticated rules and classification features, such as future work on permission sets” are required to make this approach effective. This future work on permission sets is an important part of the Georgia Tech research, which hopefully will be published soon.

In his presentation, Patrick also described several other aspects of his research that are an important complement to the analytical technique. First, the analysis could be performed against the service provider records of call activity, rather than on the device itself. Second, the results of permissions analysis can be combined with other information, such as by correlating the permission-related behavior of an app with comparison of the sites accessed by the app against known malicious or infected sites. Finally, the analysis can be used as means to prioritize which malware samples should be subjected to more in-depth analysis and potentially to determine what kind of in-depth analysis would be of interest for the suspected malware.
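To make the permission-grouping idea and the triage use concrete, here is a small added example (mine, not the Georgia Tech or Berkeley method, and not MCA): it counts which pairs of permissions are requested together by labelled malware versus legitimate samples, scores unknown apps by a smoothed log-likelihood ratio over their permission pairs, and ranks them so the most malware-like permission sets are queued first for deeper analysis. All app names, permission sets and labels are constructed for illustration.

```python
from collections import Counter
from itertools import combinations
from math import log

# Constructed training data (not from either paper): each entry is the set of
# permissions an app requests and whether the sample was malware.
TRAINING = [
    ({"INTERNET", "READ_CONTACTS", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"}, True),
    ({"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_SMS"}, True),
    ({"INTERNET", "READ_CONTACTS", "SEND_SMS"}, True),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, False),
    ({"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"}, False),
    ({"INTERNET", "READ_CONTACTS"}, False),
    ({"VIBRATE"}, False),
]

def pair_counts(apps):
    """Count how often each pair of permissions is requested together,
    separately for malware and for legitimate samples."""
    mal, ben = Counter(), Counter()
    for perms, is_mal in apps:
        for pair in combinations(sorted(perms), 2):
            (mal if is_mal else ben)[pair] += 1
    return mal, ben

def score(perms, mal, ben, n_mal, n_ben):
    """Sum of Laplace-smoothed log-likelihood ratios over the app's permission
    pairs. Positive means the groupings look more like the malware samples;
    an app with fewer than two permissions has no pairs and scores 0."""
    total = 0.0
    for pair in combinations(sorted(perms), 2):
        p_mal = (mal[pair] + 1) / (n_mal + 2)
        p_ben = (ben[pair] + 1) / (n_ben + 2)
        total += log(p_mal / p_ben)
    return total

def rank_for_analysis(unknown, training=TRAINING):
    """Return [(name, score)] with the most malware-like permission sets first,
    i.e. the order in which samples would be queued for in-depth analysis."""
    mal, ben = pair_counts(training)
    n_mal = sum(1 for _, is_mal in training if is_mal)
    n_ben = len(training) - n_mal
    scored = [(name, score(perms, mal, ben, n_mal, n_ben)) for name, perms in unknown]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    unknown_apps = [  # constructed, not real apps
        ("flashlight", {"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"}),
        ("free_ringtones", {"INTERNET", "SEND_SMS", "READ_CONTACTS", "RECEIVE_SMS"}),
        ("weather", {"INTERNET", "ACCESS_FINE_LOCATION"}),
    ]
    for name, s in rank_for_analysis(unknown_apps):
        print(f"{s:+.2f}  {name}")
```

With only a handful of samples the smoothing dominates, so treat the output as an ordering for triage rather than a verdict; the real value comes from combining it with the other signals the talk described, such as the sites an app contacts.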

In these areas, Patrick’s approach to finding mobile malware fits very closely with our view here at RSA about detecting security issues, whether malicious or inadvertent. Effective security has to draw on a broad set of information, to apply a broad range of analytic techniques and perform analysis in ways that don’t degrade the user experience. But it seems to me that there is at least one important implication of the Georgia Tech research that wasn’t explored in Patrick’s presentation: helping users to detect and avoid social engineering attacks.

It’s clear that mobile users are increasingly targeted by social engineering attacks. The Juniper Mobile Security Report for 2011, published in February of this year, called out “a new level of sophistication in many attacks” that “relied on social engineering”. Could techniques such as Multiple Correspondence Analysis be used to help users protect their privacy, for example by flagging suspicious mobile apps when they ask for permissions? In a world in which the user is the new perimeter, whatever we can do to help users detect and combat malware is at least worth considering. As the Juniper report says, 2012 will be a “remarkable year in mobile device security”, in which we can expect a “rapid increase in malware”. Perhaps techniques like those being developed by Patrick and his team at Georgia Tech can also make 2012 a remarkable year in achieving mobile device security.