MobSec: Malware and Security in the Mobile Age

With more than 1 billion of activations reported on Sep 2013, Android mobile devices have become ubiquitous with trends showing that such a pace is unlikely slowing down. Android devices are extremely appealing: powerful, with a functional and easy-to-use user interface to access sensitive user and enterprise data, they can easily replace traditional computing devices, especially when information is consumed rather than produced. Application marketplaces, such as Google Play, drive the entire economy of mobile applications. For instance, with more than 1 million installed apps and a share of 35%, Google Play has generated revenues exceeding 9 billion USD. Such a wealthy and quite unique ecosystem with high turnovers and access to sensitive data has unfortunately also attracted the interests of cybercriminals, with malware now hit- ting Android devices at an alarmingly rising pace. Privacy breaches (e.g., access to address book and GPS coordinates), monetization through premium SMS and calls, and colluding malware to bypass 2-factor authentication schemes have become real threats. Recent studies report how mobile marketplaces have been abused to host malware or seemingly legitimate applications embedding malicious components. This clearly reflects the shift from an environment in which malware was developed for fun, to the current situation, where malware is spread for financial profit.

Given the limitations of the state-of-the-art just outlined and according to the security roadmap provided by the European Network of Excellence SysSec, it is clear that "[...] more research focused on the development of defensive tools and techniques that can be deployed to the current smartphone systems to detect and prevent attacks against the device and its applications is needed". MobSec wants to fill this gap with a well-rounded practical research proposal.

The goal of MobSec is to improve the security of mobile devices by reducing the risk from installing and using third party applications.

Our research objectives build on each other to achieve this goal: First, we will develop dynamic analyses to automatically, faithfully and comprehensively construct models of application behavior. We will address the problem of incompleteness in dynamic analysis by replaying human interaction traces and complementing them with systematic exploration using symbolic execution. Once we are able to build models containing the interesting behavioral traits of mobile malware, we focus on detecting and containing malicious behavior. We initially target information leakage by investigating evasion-resistant information leakage detection techniques and later generalize to distinguish malicious from benign apps. To handle cases in which detection is not possible, we contain potential threats by decomposing apps in logical components: this enables the enforcement of security policies and characterization of per-component behaviors, which, being more specific, allow us to detect behavior of malicious components embedded in seemingly legitimate apps. Finally, MobSec aims at exploring virtualization extensions of CPUs to open up the possibility of in-device implementation of the aforementioned analyses.

The goal of MobSec is to improve the security of mobile devices by
reducing the risk from installing and using third party applications.

We aim at publishing the results of MobSec in top or well-known venues
and to organize a two-day workshop on the subject of mobile security.
The workshop aims at bringing together all the project collaborators,
academic researchers and industry practitioners with interest MobSec's
topic and research objectives. The goal of the workshop is to narrow
the gap that nowadays exists between security research carried out in
academia and industry to face common threats.

We likewise expect MobSec project to generate technologies and tools
that we would deploy in the industry (e.g., at McAfee, MobSec project
partner), and raise the quality of app analysis resulting in the
improved protection for the users---growth of the true positives and
reduction of false positives. The results of the project should also
assist in building better defenses in the future operating systems
(see the statement of support for more details). Moreover, MobSec
results will also be beneficial to a number of institutions and
professional networks interested in research outcomes in the field,
such as Imperial College London, Ruhr University Bochum, FORTH-ICS,
Politecnico di Milano, and National University Singapore, the
EPSRC-funded Network in Internet and Mobile Malicious Software
(NIMBUS), the EU FP7 NoE SysSec, and the EU FP7 CSA CyberROAD aimed at
the development of a cybercrime and cyber-terrorism research roadmap,
with whom we have strong professional and collaborative links.

We plan likewise to open MobSec analyses framework, results, and data
[*] not only to industry and academia, but to the society at large,
offering the opportunity to submit and analyze mobile apps for which a
deeper understanding or behavioral detection model is wanted,
according to the research objectives of MobSec.

In short, we hope that the above outlined links will foster impact in
three ways: it will enable us to promote the results MobSec to
industry, academia, and the society at large; it will provide
real-world valuable data of great importance to evaluate the
effectiveness of MobSec in real-world settings; and it will strengthen
the research collaborative efforts between academia and industry
furthermore to address challenging current and upcoming problems.

[*] for all the non-NDA data.