Mobile platforms provide botnet creators with new threats and challenges. There is a significant need for academic papers that analyse, predict, or mitigate the production of mobile botnets. Even designing a new botnet as a warning and proof of concept can be beneficial to security researchers. This article describes the state of research in mobile botnets and suggests open problems for academics to solve.
Traditional botnets consist of a network of compromised personal computers. Each infected device is referred to as a bot, and can be controlled by an attacker through a series of predefined commands. These malicious networks can grow to include millions of infected devices and often distribute spam, spy on their users, or contribute to distributed denial of service (ddos) attacks. These services are often bought, sold, and rented by criminals.
Botnets are created by distributing malware to new devices. Many botnets use currently controlled devices to expand their territory by leading users to browser exploits, hosting phishing sites, sending corrupt emails, and more. Detection and analysis of this malware is a significant part of combating botnets, but the there is no need for botnets to use only one type of malware. There could be any number of unique malicious executables that simply add any devices they infect to the same malicious network.
A critical part of any botnet is the command and control system. This allows centralized control of all infected devices. There are several means of communicating with the infected network, but commands are usually encrypted to evade detection and prevent others from sending false commands. This system is also the most vulnerable aspect of botnets. If one can take over the command center of a botnet they can steal the entire network. Researchers have successfully shut down botnets by cutting communications between the command centers and bots.
Mobile Threats and Challenges
A mobile botnet consists of a command and control center that governs a network of compromised mobile devices such as smartphones and tablets. There is a significant difference between mobile botnets and their stationary predecessors. A comparison of the two is illustrated by Figure 1.
Figure 1: Venn Diagram Comparing Traditional and Mobile Botnets
Networks of infected mobile devices must be conservative to avoid detection. Each bot must minimize use of limited resources the user might monitor. A sudden decrease in battery life or a spike in mobile data usage could be noticed by the user. An excessive amount of SMS messages sent by the bot could also be cause for alarm. Many bots address this issue by minimizing communication with the command and control center and executing at opportune times. The malware infecting each device and listening for commands could run only when the device is connected to a wifi connection or when charging. Methods for detecting such stealthy behavior are essential in combating the spread of mobile botnets.
The new attack vectors presented by mobile botnets correspond to the unique services offered by smartphones. The collection of sensors on most smartphones make them excellent devices for information gathering. Imagine having access to the microphone, camera, and GPS data for a network of smartphones owned by political figures. Mobile botnets can also harvest data from SMS messages which often contain security tokens and private information. Even when restrained to evade detection, mobile botnets can produce a significant amount of SMS spam or use SMS messages to promote malicious websites and applications.
The multitude of communication channels available to smartphones offer new means of delivering commands to bots. Commands can be sent via SMS message and Bluetooth. According to Xiang et al. (Xiang, Binxing, Lihua, Xiaoyi, Tianning, 2011) these methods are impractical, but they are still available to hackers that may utilize them someday. The lack of public IP addresses is a significant factor in determining how commands will be distributed to mobile bots.
Access to cellular networks allow mobile botnets to saturate cellular network cores. Traynor et al. (Traynor, Lin, Ongtang, Rao, Jaeger, McDaniel, La Porta, 2009) demonstrated such attacks with remarkable thoroughness and efficacy. Such attacks could disrupt cellular communications throughout an entire area code. Their paper emphasizes that a well planned attack targeting key infrastructure could cause significant disruption with a feasible amount of infected devices.
Husted et al. (Husted, Myers, 2010) discuss the potential for a mobile botnet to track movements of uninfected mobile devices. This is achieved by using infected devices to listen for smartphones broadcasting their unique WiFi radio identifiers. Once an individual has been matched to a WiFi radio identifier, the botnet owner could be notified when this signal is detected by any of the compromised devices.
A terrifying method of creating mobile botnets utilizes epidemic mobile malware. Szongott et al. (Szongott, Henne, Smith, 2012) present a proof of concept malware that spreads from smartphone to smartphone at a rapid pace. Their malware is designed for an older version of iOS, but epidemic mobile malware is still a significant threat.
Andbot is a proof of concept, advanced mobile botnet created by Xiang et al. (Xiang, Binxing, Lihua, Xiaoyi, Tianning, 2011). This botnet utilizes microblogs to send commands. Each bot is able to query several microblogs such as Twitter with usernames it has been programmed to follow. These users will occasionally post images that have encrypted commands hidden inside of them. A network diagram to illustrate this is presented by Figure 2. Andbot incorporates several other techniques to make it stealthy and efficient. Xiang et al. also provide an excellent discussion on the state of mobile botnets.
As a relatively new topic mobile botnets present an array of problems to solve. This new threat must be analysed, predicted, and mitigated.
One could address the threats researchers are already drawing attention to. Defences against cellular network dos attacks or methods to stop epidemic malware spread will be crucial in the future. Detecting botnet commands being distributed on cloud services would make command and control more difficult for mobile devices. User education can also reduce the number of infected phones when users are able to detect suspicious activity.
An alternative contribution to the field is proof of concept predictions. Developers can create new botnets that help security researchers implement preventative defences. All of the related works are examples of excellent predictive papers on mobile botnets.