App kill-switch: the last line of defence

An article about recent malware attacks on smartphone platforms and how the app-stores' defence mechanisms are performing.

Recent smartphone malware attacks

Malware is a growing threat for smartphones. Three recent examples of malware attacks stand out in particular:

  1. By the end of 2010, a trojan called Geinimi infected smartphone users in China, disguised as popular games on unofficial appstores. Geinimi is reputed to have botnet capabilities (a command-and-control centre, for example), but its precise purpose is unknown.
  2. Zitmo (Zeus in the Mobile) is a trojan designed to capture SMS messages and in this way attack online banking systems that rely on transaction codes sent via SMS. Reports from February 2010 show that there are now versions of Zitmo for different types of smartphones, including Windows Mobile, Symbian OS and BlackBerry. Criminals spread Zitmo by first infecting a user's Windows PC (with standard Zeus) and then asking the user to type in their phone number. The phone number is then used to send an SMS with a link to download Zitmo, disguised as a 'certificate update' for the smartphone. This solves the problem (for criminals) of linking a specific infected mobile device with a specific PC.
  3. This month, a smartphone trojan called DroidDream was discovered in the Android Market. DroidDream is hidden in look-alike versions of popular apps on the marketplace (piggybacking on their reputation). In a matter of days, there were around 200,000 downloads.

    Following the attack, Google released an "Android Market security update" to "prevent the attacker(s) from accessing any more information from affected devices". In an ironic twist, several days later researchers found malware disguised as that very security update (a trojan called Android.Bgserv) on third-party Android markets.

How did the defences work?

Looking more closely at the recent case: DroidDream was placed on the official appstore, disguised as a popular app. This case illustrates the importance of securing appstores. Typically, appstores have three lines of defence:

  • Apps are 'vetted' before they are admitted to the appstore. App vetting means that the appstore checks, among other things, whether the app exhibits malicious behaviour. App vetting can be done by an automated procedure, a human review, or a combination of both.
  • Apps build up a reputation in the appstore, in the form of customer reviews, customer votes, and download statistics.
  • Apps can be removed (uninstalled) from smartphones remotely. This feature is sometimes referred to as a 'remote kill-switch'.
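To make the first line of defence concrete, here is a toy automated vetting check of the kind an appstore could run before admission. It is an added example, not code from ENISA, Google or any appstore: it reads a decoded AndroidManifest.xml (real APKs carry the manifest in binary form, so the example assumes it has already been decoded to plain XML), flags permission combinations that make SMS-capturing or data-harvesting behaviour possible, and detects a look-alike submission that reuses the label of an already-listed app but is signed with a different publisher key. The permission policy, the known-app registry, the fingerprints and the sample manifest are all constructed for the example.

```python
"""Toy automated app-vetting checks: a static permission heuristic plus a
look-alike (piggybacking) check against known publishers.

Added example, not code from ENISA or from any appstore. Assumes the
AndroidManifest.xml has already been decoded to plain XML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed vetting policy: permission pairs that together warrant manual review.
# The pairs and the reasons are this example's assumptions, not a standard list.
RISKY_COMBOS = {
    ("android.permission.RECEIVE_SMS", "android.permission.INTERNET"):
        "can read incoming SMS (e.g. banking transaction codes) and send them out",
    ("android.permission.READ_CONTACTS", "android.permission.INTERNET"):
        "can harvest the address book and send it out",
    ("android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET"):
        "can start itself at boot and talk to a remote server",
}

# Constructed registry of already-listed apps: label -> signing-certificate
# fingerprint of the legitimate publisher. Both values are placeholders.
KNOWN_APPS = {
    "Speedy Racer Free": "sha256:PLACEHOLDER-LEGIT-PUBLISHER",
}


def parse_manifest(manifest_xml: str):
    """Return (package name, set of requested permissions) from decoded manifest XML."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}
    return root.get("package"), perms


def vet_submission(label: str, manifest_xml: str, cert_fingerprint: str) -> list:
    """Run both checks on a submission; return a list of findings (empty list = pass)."""
    findings = []
    package, perms = parse_manifest(manifest_xml)

    # Check 1: static permission heuristic (behaviour the app *could* exhibit).
    for combo, reason in RISKY_COMBOS.items():
        if set(combo) <= perms:
            findings.append(f"{package}: requests {' + '.join(combo)}; {reason}")

    # Check 2: look-alike detection. Same label as a listed app but a different
    # signing key means a different publisher is piggybacking on that name.
    expected = KNOWN_APPS.get(label)
    if expected is not None and expected != cert_fingerprint:
        findings.append(
            f"{package}: label '{label}' matches a listed app but the signing "
            f"certificate differs (expected {expected}, got {cert_fingerprint})"
        )
    return findings


# Constructed sample: a repackaged copy of a popular app, signed by someone else.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.speedyracer.clone">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Speedy Racer Free"/>
</manifest>
"""

if __name__ == "__main__":
    for finding in vet_submission("Speedy Racer Free", SAMPLE_MANIFEST,
                                  "sha256:PLACEHOLDER-OTHER-KEY"):
        print("FLAG:", finding)
```

Neither check proves an app is malicious: a legitimate SMS client legitimately needs RECEIVE_SMS and INTERNET, and a developer may re-sign an app after losing a key. The point of an automated stage is to route such submissions to the human review that vetting also relies on, rather than admitting them silently and leaving detection to the reputation mechanism or, as in the DroidDream case, to the kill-switch.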

How did these lines of defence work in the case of DroidDream? The vetting procedure failed to detect DroidDream. The appstore's reputation mechanism also failed, as DroidDream was downloaded by a large number of users. It came down to the last line of defence: the Android team removed DroidDream from the infected smartphones using the remote kill-switch mechanism. The kill-switch had only been used once before, in an artificial case back in June 2010.

Conclusion

DroidDream could only do its (malicious) work for a matter of days. But will the kill-switch be equally successful in future cases of malware? Will it remove all the malicious code from the smartphone? On PCs, for example, it is notoriously difficult to remove malware such as rootkits. In this light, should the vetting procedures and reputation mechanisms of appstores be improved?

App stores will play an important role in keeping smartphones secure. We are currently working on a threat analysis for app stores, in collaboration with Distrinet KU Leuven.

Mobile malware is not the only risk for smartphone users. More risks can be found in our top ten security risks for smartphone users and in a more in-depth version, published as an ENISA report.