UC San Diego
Mobile Malware Propagation and Defense
- Author(s): Zyba, Gjergji, et al.
Over recent years, mobile devices such as smartphones and tablets have become feature-rich computing devices with networking opportunities that often surpass those of traditional PCs. Moreover, the smartphone market alone is now bigger than the PC market and, consequently, we see exponential growth in the amount of mobile malware developed. Compared to traditional malware, mobile malware exhibits unique properties that require extensive study to protect the user effectively. This dissertation identifies propagation vectors of mobile malware and examines the characteristics of its propagation along with the effectiveness of various defense strategies.

I focus on the propagation of mobile malware spread through direct pairwise communication mechanisms (e.g., Bluetooth). I evaluate, both theoretically and by simulation, the effect of user mobility on propagation, and find that malware can infect the entire susceptible population within days in a campus-sized area. Proximity malware propagation is "invisible" to the network operator, and defending against it is particularly challenging. I explore three defense strategies that span the spectrum from simple local detection to a globally coordinated defense. I find that local proximity-based dissemination of signatures can limit malware propagation, while globally coordinated strategies that rely upon infrastructure within the mobile operator network can be even more effective.

Furthermore, I study the effect of user social behavior on malware propagation. In a particular area I identify frequent and transient visitors and compare propagation using either set alone or all devices. My analysis indicates that transient visitors, previously considered unimportant, play an important role in propagation.

Because direct pairwise device encounters significantly affect proximity malware propagation, I study the strengths and limitations of deploying static scanners to infer such encounters, which are otherwise difficult to observe. By comparing direct and "virtual"-scanner-inferred encounters, I identify significant statistical differences between the two categories, and find that malware propagation appears slower using inferred rather than actual encounters. The results of these analyses give a better understanding of the effect of different parameters on mobile malware propagation and on defense against it. Our results also pinpoint limitations of using encounters inferred from static scanners for malware and, generally, any data dissemination
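As an added illustration (not the dissertation's own simulator or data), the following small encounter-driven model replays a constructed contact trace to show two of the effects described above: local proximity dissemination of a signature limiting an outbreak, and transient visitors bridging groups that otherwise rarely meet. The device names, the trace, the detection step and the deterministic infect-on-contact rule are all assumptions.

```python
# Toy encounter-driven model of proximity malware and local signature
# dissemination. Added illustration; the trace is constructed, not measured.
from collections import Counter

SUSCEPTIBLE, INFECTED, IMMUNE = "S", "I", "R"

# Constructed trace of pairwise encounters: (step, device a, device b).
# d0..d5 are frequent visitors; t0 and t1 are transient visitors that
# bridge two groups which otherwise meet only once (step 9).
TRACE = [
    (1, "d0", "d1"), (2, "d1", "d2"), (3, "d2", "t0"),
    (4, "t0", "d3"), (5, "d3", "d4"), (6, "d4", "d5"),
    (7, "d5", "t1"), (8, "t1", "d0"), (9, "d2", "d4"),
]

def simulate(trace, seed, defenders=(), detect_at=None):
    """Replay `trace` in time order with `seed` initially infected.
    From step `detect_at` on, `defenders` hold a signature and hand it
    to whatever they meet (local proximity dissemination); a signature
    immunises a susceptible device and cleans an infected one.
    Infection is deterministic on contact to keep the run reproducible.
    Returns the final state of every device seen in the trace."""
    state = {d: SUSCEPTIBLE for _, a, b in trace for d in (a, b)}
    state[seed] = INFECTED
    armed = False
    for step, a, b in sorted(trace):
        if not armed and detect_at is not None and step >= detect_at:
            for d in defenders:
                state[d] = IMMUNE
            armed = True
        if IMMUNE in (state[a], state[b]):      # signature beats malware
            state[a] = state[b] = IMMUNE
        elif INFECTED in (state[a], state[b]):  # malware spreads on contact
            state[a] = state[b] = INFECTED
    return state

def tally(state):
    """Count devices per state, e.g. {'I': 8} or {'R': 7, 'I': 1}."""
    return dict(Counter(state.values()))

def compare_defense():
    """Outbreak from d0: no defense vs. d3 spreading a signature from step 4."""
    return (tally(simulate(TRACE, "d0")),
            tally(simulate(TRACE, "d0", defenders=("d3",), detect_at=4)))

def drop_transients(trace):
    """Remove every encounter that involves a transient visitor (t*)."""
    return [e for e in trace if not (e[1].startswith("t") or e[2].startswith("t"))]
```

Running `compare_defense()` shows the full population infected without defense and a single device left infected once d3 disseminates the signature, while `tally(simulate(drop_transients(TRACE), "d0"))` shows the outbreak stalling when the transient visitors' encounters are removed.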