|
Rootkits on Smart Phones:
<br />Attacks, Implications and Opportunities*
<br />Jeffrey Bickford, Ryan O'Hare†, Arati Baliga‡, Vinod Ganapathy, Liviu Iftode
<br />Department of Computer Science, Rutgers University
<br />ABSTRACT
<br />Smart phones are increasingly being equipped with operating sys-
<br />tems that compare in complexity with those on desktop comput-
<br />ers. This trend makes smart phone operating systems vulnerable to
<br />many of the same threats as desktop operating systems.
<br />In this paper, we focus on the threat posed by smart phone rootk-
<br />its. Rootkits are malware that stealthily modify operating system
<br />code and data to achieve malicious goals, and have long been a
<br />problem for desktops. We use three example rootkits to show that
<br />smart phones are just as vulnerable to rootkits as desktop operating
<br />systems. However, the ubiquity of smart phones and the unique
<br />interfaces that they expose, such as voice, GPS and battery, make
<br />the social consequences of rootkits particularly devastating. We
<br />conclude the paper by identifying the challenges that need to be
<br />addressed to effectively detect rootkits on smart phones.
<br />Categories and Subject Descriptors:
<br />C.2.0 [Computer-communication networks]: General—Security
<br />and Protection;
<br />D.4.6 [Operating Systems]: Security and Protection—Invasive
<br />software (e.g., viruses, worms, Trojan horses)
<br />General Terms: Experimentation, Security
<br />Keywords: rootkits, smart phones
<br />1. INTRODUCTION
<br />Over the last several years, the decreasing cost of advanced com-
<br />puting and communication hardware has allowed mobile phones to
<br />evolve into general-purpose computing platforms. Over 115 mil-
<br />lion such smart phones were sold worldwide in 2007 M. These
<br />phones are equipped with a rich set of hardware interfaces and
<br />application programs that let users interact better with the cyber
<br />and the physical worlds. For example, smart phones are often
<br />pre-installed with a number of applications, including clients for
<br />location-based services and general-purpose web browsers. These
<br />applications utilize hardware features such as GPS and enhanced
<br />network access via 3G or WiMAX. To support the increasing
<br />complexity of software and hardware on smart phones, smart phone
<br />operating systems have similarly evolved. Modern smart phones
<br />typically run complex operating systems, such as Linux, Windows
<br />Mobile, Android and Symbian OS, which comprise tens of millions
<br />of lines of code.
<br />*This work was supported in part by NSF grants CNS-0831268,
<br />CNS-0915394, CNS-0931992, a grant from the US Army-RDECOM CERDEC,
<br />and a Rutgers University Computing Coordination Council grant.
<br />†Current affiliation: BAE Systems, Wayne, NJ.
<br />‡Current affiliation: WINLAB, Rutgers University.
<br />Permission to make digital or hard copies of all or part of this work for
<br />personal or classroom use is granted without fee provided that copies are
<br />not made or distributed for profit or commercial advantage and that copies
<br />bear this notice and the full citation on the first page. To copy otherwise, to
<br />republish, to post on servers or to redistribute to lists, requires prior specific
<br />permission and/or a fee.
<br />HotMobile'10, February 22-23, 2010, Annapolis, Maryland, USA.
<br />Copyright © 2010 ACM 978-1-4503-0005-6/10/02 ...$10.00.
<br />The increasing complexity of smart phones has also increased
<br />their vulnerability to attacks. Recent years have witnessed the emer-
<br />gence of mobile malware, which are viruses and worms that infect
<br />smart phones. For instance, F-Secure reported an almost 400%
<br />increase in mobile malware within a two year period from 2005-
<br />2007 [17]. Mobile malware typically use many of the same attack
<br />vectors as do malware for traditional computing infrastructures, but
<br />often spread via interfaces and services unique to smart phones, in-
<br />cluding Bluetooth, SMS and MMS. The Cabir worm, for instance,
<br />exploited a vulnerability in the Bluetooth interface and replicated
<br />itself to other Bluetooth enabled phones. Recent research has also
<br />explored the security implications of connecting smart phones to
<br />the Internet: Enck et al. [14] demonstrated attacks that could compromise
<br />open interfaces for SMS (e.g., web sites that allow users to
<br />send SMS messages) to cripple large portions of a cellular network.
<br />In this paper, we show that smart phones are just as vulnerable as
<br />desktop operating systems to kernel-level rootkits (or simply, rootkits).
<br />Rootkits are malware that achieve their malicious goals by infecting
<br />the operating system. For example, rootkits may be used to
<br />hide malicious user space files and processes, install Trojan horses,
<br />and disable firewalls and virus scanners. Rootkits can achieve their
<br />malicious goals stealthily because they affect the operating system,
<br />which is typically considered the trusted computing base. Conse-
<br />quently, they can retain longer term control over infected machines.
<br />Stealth techniques adopted by rootkits have become popular among
<br />malware writers, with a study by McAfee reporting a nearly 600%
<br />increase in rootkits in the three-year period from 2004-2006 [9].
<br />The fact that smart phones are vulnerable to rootkits should not
<br />be particularly surprising. However, smart phone rootkits can access
<br />a number of unique interfaces and information that are not
<br />normally available on desktop computers. These include GPS, the
<br />battery, and voice and messaging. As we demonstrate via three
<br />attacks (in Section 3), such interfaces provide rootkits with new
<br />attack vectors to compromise privacy and security of end users.
<br />Moreover, phones are personal devices and contain numerous ap-
<br />plications that store sensitive information about their users. For
<br />example, smart phones contain contact information and SMS con-
<br />versations for people that a user normally converses with. Such
<br />information is potentially of value to attackers, and is often not
<br />available on desktop machines. Similarly, employees with com-
<br />pany phones could potentially store confidential commercial infor-
<br />mation in emails located on their smart phones.
<br />With 3G and 4G access becoming increasingly ubiquitous, smart
<br />phone users have easy access to the Internet and email. As a result,
<br />there is a sharp increase in the number of services and applications
<br />available for smart phones. In 2008, Bank of America reported
<br />that they service over four million mobile banking sessions every
<br />month. They also reported that there are over one million unique
<br />users using their mobile banking services [20]. Online retailers such
<br />as Amazon.com provide mobile websites and mobile applications,
<br />so that users can purchase items from their smart phones. Smart
<br />phone rootkits can therefore compromise privacy and security in
<br />novel ways, while also being extremely difficult to detect.
<br />Detecting and recovering from rootkits is challenging, even on
<br />desktop systems. Because rootkits affect the operating system, any
|