Detection of Traffic Initiated by Mobile Malware Targeting Android Devices in 3GPP Networks

  • Erkennung von durch mobile Schadsoftware erzeugtem Datenverkehr von Android Geräten in 3GPP Netzwerken

Kühnel, Marián; Meyer, Ulrike (Thesis advisor); Freiling, Felix C. (Thesis advisor)

Aachen (2017)
Dissertation / PhD Thesis

Dissertation, RWTH Aachen University, 2017


Android devices have become the most popular of mobile devices; omnipresent in both business and private use. They are virtually always on and offer functionalities exceeding those of desktop computers. These properties, as well as sensitive information stored on Android devices, render them an attractive target for mobile malware authors. As the volume of mobile malware increases, analysis is becoming challenging and, sometimes, infeasible. Additionally, current network-based intrusion detection systems are very efficient at detecting malicious IP-based traffic, but often lack functionalities for detecting circuit-switched traffic often (mis)used by mobile malware.Recognizing the increasing difficulty of analyzing mobile malware, we sought to understand trends and relationships between mobile malware samples. We conducted various analyses of large volumes of Android malware samples. Among other outcomes, we provide a chronological quantitative analysis of Android malware samples depicting the usage of obfuscation techniques and map relationships among samples known to initiate short messages. The latter analysis helped us to understand the typical traffic pattern in short messages and even the number of authors responsible for mobile malware initiating short messages.This thesis introduces three innovations in the detection of mobile malware. A new architecture, called 3GPP Mobile malware Protection (3GPPMOP), is designed to reside in the core network of any currently operated 3GPP network such as 2G, 3G and 4G network and to detect mobile malware targeting any mobile device in near real-time. The second innovation, the highly space efficient blacklist (HSEB), optimizes the space needed to store entries in the blacklist, rather than optimizing processing time, which is of critical value for managing the volume of filtered traffic processed in mobile networks. Finally, we employ supervised machine learning to successfully detect yet unknown short messages initiated by Android malware.