The Modern Mobile Malware Computer Science Essay

This essay has been submitted by a student.

The modernization of mobile phone appliances and services has accelerated owing to the dominant influence of the internet on telecommunications over the preceding two decades. Internet use on mobile phones has increased, and so have the threats against mobile phones and their services, which are being attacked by various malicious software and attackers. The growth of wireless applications lets clients use their mobile phones as more than a voice communicator, which has extended the functionality and features of mobile phones, while the devices remain small enough to fit in a pocket. With the advancement of technology, mobile phones sold today include not only a camera but also wide online access, keyboards and other distinctive computer functions.

Nowadays mobiles are as capable as computers and laptops and come with all of their features. With the advancement of technology there has also been a development of cyber-criminal fraud operations and the spread of mobile malware. In this paper I mainly discuss the security aspects of mobile devices and mobile malware, the vectors for spreading mobile malware, solutions to minimize the risks from emerging mobile threats, and the mitigation of different types of attacks on mobiles.



Contents

1.1 Mobile Devices and Malware

1.2. Objective

1.3 Basic Assumptions/Limitations

2.1 Literature Review

3.1 Analysis of Mobile Viruses

3.2 Attacker Tools

3.3 Effect of viruses on mobile devices

CHAPTER 4 Conclusions and Future Work

Next-Generation Technology is needed

Bibliography


1.1 Mobile Devices and Malware

Nowadays, mobile devices are increasingly used to authenticate to services such as video/music distribution, messaging and e-commerce, which are widely accessible on PCs and servers. The new features and services offered by mobile devices have brought new dangers and exposure to malicious activity such as mobile viruses, spyware and worms. These compromise the data confidentiality, integrity and availability of handset services.

Malware targeting mobile devices uses conventional social-engineering methods like email and P2P file-sharing, as well as vectors exclusive to mobile devices such as SMS (Short Messaging Service) and Bluetooth messages, which are illustrated below. The past three years alone have witnessed an exponential rise in the number of distinct mobile malware families to over 30, and of their variants to above 170. Among other things, this malware can spread via Bluetooth and SMS/MMS messages, enable remote access to a device, modify critical system files, damage existing applications including anti-virus programs, and block MMC memory cards.

The key intention of this research is to study the various viruses and their capabilities, the forms they take and the vulnerabilities they usually exploit. The mobile viruses discovered so far, both well known and outdated, caused little harm because they require explicit user interaction for installation and activation. On the other hand, these malicious agents are expected to be able to realize their potential in the form of handset downtime, service disruptions, physical damage to hardware and theft of sensitive data on the device.

As with e-mail viruses, these malicious agents may also target SMS/MMS services to distribute spam and phishing messages. Several factors point to the vulnerability of upcoming mobile devices. In response to customer demand for high-end cellular services, companies are developing and deploying 3G (third generation cellular) systems at a rapid pace. According to currently available information, more than 130 3G networks (WCDMA and CDMA2000 1X EV-DO) are in operation around the world at speeds of 1.4 Mbps and 128 Kbps for download and upload. The download speed may increase from 7.3 Mbps to 10.2 Mbps in future, which will let mobile clients run many feature-rich applications on mobile devices that would normally need a high-speed enterprise network.

High-end operating systems such as Symbian, Windows Mobile and Palm OS have also entered the field. They let mobile device users download a wide variety of applications and support features such as email, SMS/MMS, and application development in C++ and Java.

While there are a number of approaches to containing Internet worms and viruses, only a handful of solutions have been developed for mobile devices. These are limited to lightweight signature-based scanning of the handset file system against a limited set of attack signatures. Although such an approach is acceptable today given the number of mobile viruses discovered to date, signature-based solutions are clearly not memory efficient and do not scale well when dealing with a large number of malware signatures and their variations.

Another serious obstacle to scalability is that a mobile device may receive malware with payloads targeting both wired and wireless devices, the so-called "crossover". This means that messages or data on handsets must be scanned for mobile as well as regular malware, which requires searching against a very large database of known signatures. Due to limited CPU power, storage and memory, installing large signature databases is not an option for mobile devices. Therefore, there is a tremendous need for detecting malicious agents on handsets using alternative means.

1.2. Objective

The chief aim of this paper is to address the challenges of the operating environment of mobile devices, that is, to create a list of malicious behaviours by observing the behaviour of the current generation of mobile worms, viruses and Trojans. There have been a number of malicious attacks and viruses since 2004, the birth year of mobile malware. By investigating all of this malware we can predict the future of mobile malware. (Chen., 2005; S. Forrest, 1996)

1.3 Basic Assumptions/Limitations

This paper is not a forecast or a reference, because the future can by no means be fully predicted. It is instead a discussion of probable future trends based on a few assumptions, taking some recent events as a basis for future developments. Malware authors and antivirus producers will not stop playing cat and mouse. In this paper I have done my best to cover the most significant ones, stating entirely my own point of view as an independent person.


Mobile handsets have almost reached the same functionality as devices like PCs and are becoming more intelligent and complex in functionality. The first mobile malware appeared in June 2004 and is called Cabir. Cabir targeted the Symbian OS, and since then both mobile devices and malware have evolved considerably. Mobile malware also started to appear on Windows. The antivirus industry was alerted after the appearance of attacks such as the Windows CE virus WinCE.Duts, one of the initial file infectors on mobile handsets, which is capable of attacking the entire internal devices of a mobile (F-secure, 2010).

In three years, that is by the end of 2006, mobile malware increased a lot. By that year's end, mobile malware and its families had grown from 59% to 75% compared with 2005. This shows how malware activity is increasing day by day. Although mobile malware has not yet caused much loss to mobile users, it points to a future increase in mobile malware (F-secure, 2010).

Signature-based detection is the main technique used to eradicate these malware attacks. The major techniques for evading signatures are simple obfuscation, polymorphism and packing, which mean that a new signature is required for almost every single malware variant. (F-secure, 2010; M.Christodorescu, 2005)

W.Enck proposed that 'the substitute on the way to the signature-based approach, actions detection has appeared like a capable way of stopping the interruption of spyware, viruses and worms. In this concept, the runtime activity of an application (e.g., file accesses, API calls) is observed and evaluated next to malicious and usual performance profiles. The malicious performance profiles are able to be particular as worldwide rules so as to concern to each and every application, as well as fine-grained application-specific rules. Behavioral detection is extra flexible to polymorphic worms and code confusion, since it assesses the special effects of an application foundation resting on other than particular payload signatures'. (W. Enck, 2005)

2.1 Literature Review

Forrest proposed that 'numerous behavior-based malware studies and identification methods comprised in the open atmosphere on the way to conquer the margins of customary signature-based results. We initially evaluate and distinguish our approach with related work in the area of behavior-based malware detection. Besides the difference in the marked environment (mobile vs. desktop environments), some significant features moreover differentiate the effort commencing preceding research'. (S. Forrest, 1996)

But as per Shawe-Taylor and R. Sekar, 'these activities examine the actions of the application within the outline of system call sequences and generate a database of the entire uninterrupted system calls commencing normal applications. Feasible interference is exposed through appearing on behalf of call sequences with the purpose not come into view in the database. In a while work recovers the activity summary by putting in to action the sophisticated pulling out methods on the call sequences. The entire part contributes to the equivalent model of symbolizing a program's usual performance by means of system calls and detecting anomalies by calculating the difference from usual summaries. Though, for the reason that these activities pay no attention to the semantics of the call sequences, with a limitation that they may possibly be eluded by effortless obfuscation or mimicry attacks'. (Shawe-Taylor., 2000; R. Sekar, 2001)
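The system-call profiling described above, as an added example that is not taken from the essay or the cited papers: a database of contiguous call windows is built from normal traces, and an observed trace is scored by the share of its windows missing from that database. The call names, the traces and the window length of 3 are constructed assumptions; the last trace shows the limitation the paragraph ends on, where only the local order of calls is checked.

```python
"""Sliding-window system-call profiling (added illustration).

All call names and traces below are constructed sample data.
"""

def windows(trace, n):
    """Return every contiguous length-n window of a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(normal_traces, n=3):
    """Database of all contiguous call windows seen in normal applications."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, n))
    return profile

def score_trace(trace, profile, n=3):
    """Return (mismatch_rate, unseen_windows) for one observed trace."""
    seen = windows(trace, n)
    if not seen:  # trace is shorter than the window: nothing to compare
        return 0.0, []
    unseen = [w for w in seen if w not in profile]
    return len(unseen) / len(seen), unseen

# Constructed traces recorded from well-behaved applications.
NORMAL_TRACES = [
    ["open", "read", "close", "open", "write", "close"],
    ["open", "read", "close", "connect", "send", "recv", "close"],
    ["connect", "send", "recv", "close", "open", "write", "close"],
]
PROFILE = build_profile(NORMAL_TRACES)

# Constructed trace: a read followed by a burst of sends with no replies.
SUSPICIOUS = ["open", "read", "close", "connect",
              "send", "send", "send", "close"]

# Constructed trace that was never recorded as a whole, but every
# window of it occurs somewhere in the normal traces. The detector
# compares local call order only, so it reports no anomaly here.
RECOMBINED = ["open", "read", "close", "connect", "send",
              "recv", "close", "open", "write", "close"]

if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS),
                        ("recombined", RECOMBINED)):
        rate, unseen = score_trace(trace, PROFILE)
        print(f"{name}: mismatch rate {rate:.2f}, unseen windows {unseen}")
```
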

Christodorescu et al. proposed 'static semantics attentive of malware detection that effort to notice code confusion through recognizing semantically-correspondent series in the malware alternatives. They submit an application of similar algorithm on the unorganized binaries in the direction of finding the guiding series so as to be equivalent with the predefined pattern of malicious actions, e.g., decryption loop'. (E.Kirda, 2006)

E. Kirda projected that as 'it necessitates accurate identities among the pattern and application instructions, assaults by means of the equal instruction substitution and reorganizing are still feasible. The approach as well employs static study of application performance to conclude a spyware element in a browser. It statically extracts a set of Windows API calls invoked in response to browser events, and recognizes the communications involving the component and the OS via dynamic analysis. A spyware-like performance is identified but the element observes abuser activities and reveals this information via several API calls'. (E.Kirda, 2006)

Mody said that 'there also exist many works which influence the analysis of run time in order to enhance the detection of accuracy. Many application events had been collected in the form of run time. This resulted in the building of a not very transparent object so as to highlight the behavior of the syntax that is rich. The work is actually similar. This is because it involves the application of machine learning algorithms on a greater level of representations of the behavior. This may however lay emphasis on putting together malware into diverse strata utilizing the closest neighbor algorithms which are based on the distance of edit between the samples, and this is all while we lay stress on differentiating the normal from the programs that are malicious in nature'. (J.J.Mody, 2006)

According to Ellis, 'a novel way exists for automatically detecting Internet bugs via certain signatures that are behavioral in nature. Such signatures were a result of the behavior of worms which existed in the network traffic, for example tree-like propagation or a server being changed into a client. There is another one called Net Spy which performs on the same lines and this helps create signatures on the network level for spyware'. (D. R. Ellis, 2004)

Morales et al. 'test the detectors of virus for handsets against viruses of Windows Mobile and bring to light that the present solutions for antivirus perform at a very low level when it comes to identifying the variants of the virus. Studies have been conducted recently to ape propagation of such malware in cellular and ad-hoc (e.g., in Bluetooth pioneers) networks'. (J. A.Morales, 2006; G. Yan, 2006)

Cheng et al. put forth 'Smart Siren'. It is a comprehensive system which detects viruses. It is also an alert system for smart phones. It performs a statistical analysis on the information collected to detect the existence of abnormal patterns in communication, such as excessive use of MMS/SMS messages. (J. Cheng, 2007)
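One way to run a statistical check for excessive SMS/MMS use of the kind described above, as an added example that is not SmartSiren's own algorithm or code: each handset's outgoing message count for the day is compared with a robust limit (median plus a multiple of the median absolute deviation) derived from its own history. The handset names, the counts and the parameters `k` and `floor` are constructed assumptions.

```python
"""Per-handset outgoing-message volume check (added illustration).

Handset names and daily counts are constructed sample data.
"""
from statistics import median

def mad_threshold(baseline, k=5.0, floor=5.0):
    """Upper limit for a normal day: median + k * scaled MAD.

    `floor` is the minimum margin above the median, so that a handset
    whose history is perfectly flat (MAD of 0) is not flagged for a
    single extra message.
    """
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    # 1.4826 scales the MAD to match a standard deviation on normal data.
    return med + max(k * 1.4826 * mad, floor)

def flag_handsets(history, today, k=5.0, floor=5.0):
    """Return {handset: (sent_today, limit)} for handsets over their limit."""
    alerts = {}
    for handset, baseline in history.items():
        limit = mad_threshold(baseline, k, floor)
        sent = today.get(handset, 0)
        if sent > limit:
            alerts[handset] = (sent, limit)
    return alerts

# Constructed history: outgoing SMS/MMS per day over one week.
HISTORY = {
    "handset-A": [4, 6, 5, 7, 5, 6, 4],          # light, steady user
    "handset-B": [20, 25, 22, 30, 24, 21, 26],   # heavy but consistent user
    "handset-C": [0, 1, 0, 2, 1, 0, 1],          # rarely sends messages
    "handset-D": [0, 0, 0, 0, 0, 0, 0],          # flat history, MAD is 0
}

# Constructed counts for the day under test.
TODAY = {"handset-A": 6, "handset-B": 33, "handset-C": 48, "handset-D": 3}

if __name__ == "__main__":
    for handset, (sent, limit) in flag_handsets(HISTORY, TODAY).items():
        print(f"{handset}: {sent} messages sent, limit {limit:.1f}")
```
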


In order to develop robust general-purpose detection and containment methodologies, one must analyze current-generation malware to extract a set of their general behavior vectors. Much research on mobile malware has been carried out, with results that have helped reduce attacks and threats to some extent. Recent research has produced results on the malware that most closely affects mobile devices. Numerous studies on malware have been done, and their results play a major role in this section.

3.1 Analysis of Mobile Viruses:

There is a rise of malicious agents that target only mobile phones and handheld services. Some of the earliest versions are considered harmless. Recent mobile viruses have been a wake-up call to increase the level of security in mobile devices. Below are some of the general propagation methods, intended targets and user vulnerabilities for mobile viruses. (Symantec. , 2000)

One of the viruses that affected mobile devices (Palm PDAs) is Palm OS Liberty. This virus has to be installed manually and run to become active, after which it removes all the applications and file folders on a Palm OS-compatible device. It does not spread easily because of the manual infection process, so it represents a low threat. (Symantec. , 2000)

Another virus, called Phage, appeared on Palm OS. It can propagate from one PDA to another during the transfer of files, data or information via infrared, which is an improvement on manual infection. (Symantec. , 2000)

The Japanese 110 worm took advantage of an NTT DoCoMo i-mode phone feature similar to the "mailto" link available in HTML. Through this feature a user can connect to, or automatically dial, a number present in an email or web page, as a result of which individual phone numbers present in the phonebook become victims of DoS attacks (RAV, 2000)

As with e-mail viruses, mobile viruses use social engineering methods to lure unsuspecting users into clicking on infected audio, video or picture attachments. Several examples are: (K. Lab. , 2006)

Mabir (2004): Mabir is a worm that spreads mainly through MMS messages, when a newly received MMS message is selected or opened. (K. Lab. , 2006)

Cabir (2004-2005): Cabir and its variants use Bluetooth connections as their main means of spreading. The worm becomes active when the Symbian System Installation (SSI) file is installed, after which it spreads by having the device search for nearby Bluetooth devices. This worm was reported at the 2005 world athletics championship in Finland, where it affected Nokia cell phones. (K. Lab. , 2006)

Lasco (2005): this worm propagates by transferring its payload from one device to another, using SSI files as the vector and attaching itself to the compromised device. (K. Lab. , 2006)

Commwarrior (2005) is a worm that spreads via messages: it sends itself to MMS-capable devices chosen from the address book, and the receiving device is infected. Like Lasco, after infecting one device it searches for other Bluetooth devices nearby. (K. Lab. , 2006)

Skull (2005) is a Trojan that propagates by sending SMS and MMS messages, and it overwrites the phone's default applications. Applications such as the address book, email viewer and to-do lists are its main targets, and it has mainly been observed in the wild. (K. Lab. , 2006)

Drever (2005) spreads by prompting the user to install an update for Symbian OS. The major harm done by this Trojan is disabling the Symbian antivirus programs (Sim-Works) on the device. (K. Lab. , 2006)

Locknut (2005) is a Trojan that is quite comparable to Lasco. It mainly affects the ROM binaries and the OS. Some variants of Cabir are also dropped on the infected device. (K. Lab. , 2006)

Cardblock (2005) is the first attack that affected the Multi-Media Card (MMC) flash memory of mobile phones. When the trojanized version is used, it infects the memory card, and its payload locks the card with a random password. Due to this, the important system and mail directories are removed. (K. Lab. , 2006)

Redbrowser Trojan (2006) is the first malware to appear on J2ME (Java 2 Mobile Edition) phones and represents a major development in mobile viruses. It targets the many low-end phones that support J2ME rather than focusing on phones running Symbian or Pocket PC. This malware poses as a WAP browser offering free WAP browsing, fooling the user while it sends SMS messages. (K. Lab. , 2006)

3.2 Attacker Tools

The following are some of the tools that attackers use to gain unauthorized access or to launch further attacks. Some of the most popular categories of attacker tools are described below.

Backdoors: 'A backdoor is a malevolent series that pay attention for instructions on a definite TCP or UDP port. Majority of the backdoors permit an assailant to act upon a particular group of activities on a system, like attaining passwords or performing random instructions. Kinds of backdoors comprised of zombies (also known as bots), which are mounted on a classification to origin it to assault supplementary systems, and isolated administration tools, which are allotted on a system to facilitate an isolated assailant to get way in to the system's utilities and information as needed'. (K. Lab. , 2006; G. Yan, 2006)

Keystroke Loggers: 'A keystroke logger observes and records the usage of keyboard. Several necessitate the assailant to recover the information commencing the classification, while extra loggers dynamically relocate the information on the way to an extra system through e-mail, file transfer, or other means'. (K. Lab. , 2006; G. Yan, 2006)

Root-kits: 'A root-kit is an assortment of files that is established on a classification to change its customary efficiently in a malevolent and cautious way. A root-kit characteristically makes a lot of modifications to a system to put out of sight the root-kit's being, creating it an extremely complicated to establish so as to the root-kit is at hand and to recognize the modifications in the root-kit'. (K. Lab. , 2006; G. Yan, 2006)

Web Browser Plug-Ins: 'A Web browser plug-in endow with a method designed for definite variety of content to be exhibited or carried out in the course of a Web browser. Assailants frequently generate malevolent Web browser plug-ins that operate as spyware and supervise all use of the browser'. (K. Lab. , 2006; G. Yan, 2006)

E-Mail Generators: 'An e-mail generating program is employed to produce and launch huge extent of e-mail, such as malware, spyware, and spam, to further systems devoid of the user's consent or knowledge'. (K. Lab. , 2006; G. Yan, 2006)

Attacker Toolkits: Many attackers use toolkits containing a number of different types of utilities and scripts that are used to probe and attack systems, such as packet sniffers, port scanners, vulnerability scanners, password crackers, remote login programs, and attack programs and scripts. (K. Lab. , 2006; G. Yan, 2006)

The below figure depicts the comparison of mobile activities and the percentage of the malware activities which are playing a vital role.

(F-secure, 2010)

3.3 Effect of viruses on mobile devices:

They spread themselves via Bluetooth and MMS

SMS and MMS messages are sent without your interaction

Files are infected

Infected files are sent to other users under another name (via email, WiFi, Bluetooth, etc.)

Individual information is deleted (e.g. address book, files, etc.)

Personal or confidential information is lost or captured

Functions of the mobile (SMS, games, camera, etc.) are put out of action, or the complete phone is halted

External access to smart phones is permitted

Some file icons and system applications are swapped

Internal fonts are altered and additional applications are installed

Other destructive programs are installed

Malicious code is transferred from the smart phone to the PC

Memory cards are locked

Information is stolen. (J. Cheng, 2007)

CHAPTER 4 Conclusions and Future Work

Mobile malware is a grave threat to mobile information and damages the device. The situation is getting worse day by day. Users are spending a lot of money on many anti-virus and anti-spyware products to get rid of this malware, yet these are not effective enough to find and eradicate these viruses. It is necessary to provide high detection rates and practical security against past, present and future malware, with an integrated approach to dealing with these viruses, spyware, rootkits and the various other threats from malware.

Mobile malware is a new field for cybercriminals, with growing evidence of many techniques. As new operating systems have come into existence, their loopholes are being studied and observed closely by intruders in order to attack. The use of mobile devices has increased, and attacks on mobile devices have increased too. We have looked at the conventional mobile malware that occurred in the past, and it is necessary to take action to avoid the viruses, worms and Trojans that are creating a poisonous environment for mobile device users.

Next-Generation Technology is needed

To be free of this malware, new technology-based anti-virus and anti-spyware products should be developed. Some existing products are not able to take the necessary action against this malware.

An updated, newly developed anti-malware system should be able to provide:

A high detection rate for a variety of malware, whether it is a virus, Trojan, keystroke logger, adware, etc.

High-speed threat detection.

Minimal imposition on system resources.