SmartSiren: Virus Detection and Alert for Smartphones
Cited by 19 (0 self)
Smartphones have recently become increasingly popular because they provide “all-in-one” convenience by integrating traditional mobile phones with handheld computing devices. However, the flexibility of running third-party software also leaves the smartphones open to malicious viruses. In fact, hundreds of smartphone viruses have emerged in the past two years, which can quickly spread through various means such as SMS/MMS, Bluetooth and traditional IP-based applications. Our own implementations of two proof-of-concept viruses on Windows Mobile have confirmed the vulnerability of this popular smartphone platform. In this paper, we present SmartSiren, a collaborative virus detection and alert system for smartphones. In order to detect viruses, SmartSiren collects the communication activity information from the smartphones, and performs joint analysis to detect both single-device and system-wide abnormal behaviors. We use a proxy-based architecture to offload the processing burden from resource-constrained smartphones and simplify the collaboration among smartphones. When a potential virus is detected, the proxy quarantines the outbreak by sending targeted alerts to those immediately threatened smartphones. We have demonstrated the feasibility of SmartSiren through implementations on a Dopod 577w smartphone, and evaluated its effectiveness using simulations driven by 3-week SMS traces from a national cellular carrier. Our results show that SmartSiren can effectively prevent wide-area virus outbreaks with affordable overhead.
Detecting energy-greedy anomalies and mobile malware variants
- in Proc. of The International Conference on Mobile Systems, Applications, and Services, 2008
Cited by 16 (0 self)
Mobile users of computation and communication services have been rapidly adopting battery-powered mobile handhelds, such as PocketPCs and SmartPhones, for their work. However, the limited battery-lifetime of these devices restricts their portability and applicability, and this weakness can be exacerbated by mobile malware targeting depletion of battery energy. Such malware are usually difficult to detect and prevent, and frequent outbreaks of new malware variants also reduce the effectiveness of commonly seen signature-based detection. To alleviate these problems, we propose a power-aware malware-detection framework that monitors, detects, and analyzes previously unknown energy-depletion threats. The framework is composed of (1) a power monitor which collects power samples and builds a power consumption history from the collected samples, and (2) a data analyzer which generates a power signature from the constructed history. To generate a power signature, simple and effective noise-filtering and data-compression are applied, thus reducing the detection overhead. Similarities between power signatures are measured by the χ²-distance, reducing both false-positive and false-negative detection rates. According to our experimental results on an HP iPAQ running a Windows Mobile OS, the proposed framework achieves significant (up to 95%) storage-savings without losing the detection accuracy, and a 99% true-positive rate in classifying mobile malware.
Can You Infect Me Now? Malware Propagation in Mobile Phone Networks
Cited by 13 (2 self)
In this paper we evaluate the effects of malware propagating using communication services in mobile phone networks. Although self-propagating malware is well understood in the Internet, mobile phone networks have very different characteristics in terms of topologies, services, provisioning and capacity, devices, and communication patterns. To investigate malware in this new environment, we have developed an event-driven simulator that captures the characteristics and constraints of mobile phone networks. In particular, the simulator models realistic topologies and provisioned capacities of the network infrastructure, as well as the contact graphs determined by cell phone address books. We evaluate the speed and severity of random contact worms in mobile phone networks, characterize the denial-of-service effects such worms could have on the network, investigate approaches to accelerate malware propagation, and discuss the implications of defending networks against such attacks.
On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core
Cited by 9 (1 self)
The vast expansion of interconnectivity with the Internet and the rapid evolution of highly-capable but largely insecure mobile devices threatens cellular networks. In this paper, we characterize the impact of the large scale compromise and coordination of mobile phones in attacks against the core of these networks. Through a combination of measurement, simulation and analysis, we demonstrate the ability of a botnet composed of as few as 11,750 compromised mobile phones to degrade service to area-code sized regions by 93%. As such attacks are accomplished through the execution of network service requests and not a constant stream of phone calls, users are unlikely to be aware of their occurrence. We then investigate a number of significant network bottlenecks, their impact on the density of compromised nodes per base station and how they can be avoided. We conclude by discussing a number of countermeasures that may help to partially mitigate the threats posed by such attacks.
Defending mobile phones from proximity malware
- In Proceedings of INFOCOM, 2009
Cited by 5 (1 self)
As mobile phones increasingly become the target of propagating malware, their use of direct pair-wise communication mechanisms, such as Bluetooth and WiFi, pose considerable challenges to malware detection and mitigation. Unlike malware that propagates using the network, where the provider can employ centralized defenses, proximity malware can propagate in an entirely distributed fashion. In this paper we consider the dynamics of mobile phone malware that propagates by proximity contact, and we evaluate potential defenses against it. Defending against proximity malware is particularly challenging since it is difficult to piece together global dynamics from just pair-wise device interactions. Whereas traditional network defenses depend upon observing aggregated network activity to detect correlated or anomalous behavior, proximity malware detection must begin at the device. As a result, we explore three strategies for detecting and mitigating proximity malware that span the spectrum from simple local detection to a globally coordinated defense. Using insight from a combination of real-world traces, analytic epidemic models, and synthetic mobility models, we simulate proximity malware propagation and defense at the scale of a university campus. We find that local proximity-based dissemination of signatures can limit malware propagation. Globally coordinated strategies with broadcast dissemination are substantially more effective, but rely upon more demanding infrastructure within the provider.
Analysis of the Reliability of a Nationwide Short Message Service
Cited by 3 (0 self)
SMS has been arguably the most popular wireless data service for cellular networks. Due to its ubiquitous availability and universal support by mobile handsets and cellular carriers, it is also being considered for emergency notification and other mission-critical applications. Despite its increased popularity, the reliability of SMS service in real-world operational networks has received little study so far. In this work, we investigate the reliability of SMS by analyzing traces collected from a nationwide cellular network over a period of three weeks. Although the SMS service incorporates a number of reliability mechanisms such as delivery acknowledgement and multiple retries, our study shows that its reliability is not as good as we expected. For example, the message delivery failure ratio is as high as 5.1% during normal operation conditions. We also analyze the performance of the service under stressful conditions, and in particular during a “flash-crowd” event that occurred on New Year’s Eve of 2005. Two important factors that adversely affect reliability of SMS are also examined: bulk message delivery that may induce network-wide congestion, and the topological structure of the social network formed by SMS users, which may facilitate quick propagation of viruses or other malware.
Mitigating Android Software Misuse Before It Happens
- 2008
Cited by 2 (1 self)
Mobile phones running open operating systems such as Google Android will soon be the norm in cellular networks. These systems expose previously unavailable phone and network resources to application developers. However, with increased exposure comes increased risk. Poorly or maliciously designed applications can compromise the phone and network. While Android defines a base set of permissions to protect phone resources and core applications, it does not define what a secure phone is, relying on the applications to act together securely. In this paper, we develop the Kirin security framework to enforce policy that transcends applications, called policy invariants, and provides an “at installation” self-certification process to ensure only policy compliant applications will be installed. We begin by describing the Google Android security model and formally model its existing policy. Using relatively simple policy invariants describing realistic security requirements, Kirin identified insecure policy configurations within Android leading to vulnerabilities in core phone services, thereby motivating additional security framework defining system-wide policy.
Analysis of Malicious Detection in Bluetooth Enabled Devices Exploiting Wireless Personal Area Networks
The growing popularity of mobile devices (smart phones, handsets, PDAs) along with 3G technology brings the mobile internet services on these devices. The wireless devices with messaging capabilities attracted the malware writers to target the hand held devices. Even though mobile devices have numerous benefits like mobility, compact size and ease of their connectivity, the open nature increases the threats and risks being posed. The mobile viruses so far discovered exploited vulnerabilities in Bluetooth by infecting nearby devices and then propagate through SMS to other devices in the mobile network. The problem becomes worse with the growth of MMS (Multimedia Messaging Service), mobile game, and mobile commerce in the near future. This paper investigates the propagation of mobile worms and viruses that spread primarily via SMS/MMS messages and short range radio interfaces – Bluetooth.

