Hunting Mobile Threats in Memory
New software aims to expose mobile malware by monitoring a device’s memory usage.
Yesterday at the RSA Conference in San Francisco, a researcher presented a new way to detect malware on mobile devices. He says it can catch even unknown pests and can protect a device without draining its battery or taking up too much processing power.
Experts agree that malware is coming to smart phones, and researchers have begun to identify ways to protect devices from malicious software. But traditional ways of protecting desktops against threats don’t translate well to smart phones, says Markus Jakobsson, a principal scientist at Xerox PARC and the person behind the new malware detection technology. He is also the founder of FatSkunk, which will market malware-detection software based on the research.
Most antivirus software works behind the scenes, comparing new files to an enormous library of virus signatures. Mobile devices lack the processing power to scan for large numbers of signatures, Jakobsson says. Continual scanning also drains batteries. His approach relies on having a central server monitor a device’s memory for signs that it’s been infected, rather than looking for specific software.
Devices have two types of memory: random-access memory (RAM), used by active programs, and secondary storage, which takes longer to access and generally holds data not currently in use. Jakobsson’s system would check a device by first shutting off nonvital applications, such as an e-mail app or a browser. At that point, nothing should be running except the detection software and the operating system itself. He demonstrated the software using a device running the Android mobile operating system at the RSA conference.
If malware is present and active, it will need to use some RAM to execute instructions on the device. So the central server contacts the detection software to check whether malware is using RAM, by measuring how much memory is available. It does this by completely filling the remaining memory space with random data and checking the amount of data needed against a fingerprint of the memory that was created when the device was known to be malware-free.
At this point, any malware running in the open would be revealed. The malware could try to hide its presence by allowing the random data to overwrite it in RAM, Jakobsson says, but this would prevent it from taking any further action. And if it tries to hide by accessing data in the device’s secondary storage, this would slow the device’s response to the central server, revealing the presence of malware.
Once a device passes this check, Jakobsson says, the system can be certain that no malware programs are actively running. It can then safely scan secondary storage in search of dormant malware. Jakobsson explains that the system isn’t designed to prevent malware from getting onto the device, just to find it when it’s there. In contrast to the constant scanning that antivirus software typically performs, with his system the scanning could occur before a device performed a sensitive transaction or at predetermined intervals. It could also function as a backup security system for traditional antivirus.
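A small simulation of the challenge-response check described above, added here as an illustration; it is not FatSkunk’s or Jakobsson’s code. The RAM sizes, the timing model and the time budget are constructed assumptions, and the "fill" is modelled as hashing a seed-derived byte string rather than writing to real memory.

```python
import hashlib
import random

# Constructed figures for illustration; a real handset has far more RAM and
# the real check writes pseudo-random data into free memory in place.
RAM_BYTES = 4096            # total RAM of the simulated handset
OS_BYTES = 1024             # operating system footprint
DETECTOR_BYTES = 256        # footprint of the detection software itself
STORAGE_PENALTY_MS = 40.0   # assumed cost of fetching code from secondary storage
TIME_BUDGET_MS = 50.0       # assumed server-side deadline for the response

def fill_checksum(seed: bytes, free_bytes: int) -> str:
    """Fill `free_bytes` with seed-derived pseudo-random data and hash the result.
    The server can recompute this because it knows the seed and how much RAM
    was free when the clean fingerprint was taken."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(free_bytes))
    return hashlib.sha256(filler).hexdigest()

def device_respond(seed: bytes, resident_malware: int = 0,
                   evicts_to_storage: bool = False):
    """Simulated handset side; returns (checksum, elapsed_ms).
    resident_malware: bytes of RAM held by malware that stays in memory.
    evicts_to_storage: malware lets its RAM be overwritten during the check but
    must reload itself from secondary storage, which costs time."""
    free = RAM_BYTES - OS_BYTES - DETECTOR_BYTES - resident_malware
    elapsed = 10.0 + 0.01 * free          # constructed model of an honest fill
    if evicts_to_storage:
        elapsed += STORAGE_PENALTY_MS
    return fill_checksum(seed, free), elapsed

def server_verify(seed: bytes, checksum: str, elapsed_ms: float) -> str:
    """Central server side: compare against the clean fingerprint and the deadline."""
    clean_free = RAM_BYTES - OS_BYTES - DETECTOR_BYTES   # fingerprint of a clean device
    if checksum != fill_checksum(seed, clean_free):
        return "FAIL: memory contents differ from clean fingerprint"
    if elapsed_ms > TIME_BUDGET_MS:
        return "FAIL: response too slow, possible secondary-storage access"
    return "PASS"

def run_check(seed: bytes, **malware_behaviour) -> str:
    """One full challenge: server issues the seed, device answers, server judges."""
    checksum, elapsed = device_respond(seed, **malware_behaviour)
    return server_verify(seed, checksum, elapsed)

if __name__ == "__main__":
    nonce = b"constructed-challenge-nonce"     # fresh per check in a real system
    print("clean device:      ", run_check(nonce))
    print("malware in RAM:    ", run_check(nonce, resident_malware=512))
    print("malware on storage:", run_check(nonce, evicts_to_storage=True))
```

The two failure paths correspond to the two evasion attempts the article describes: staying resident changes how much memory the filler can occupy, while hiding in secondary storage keeps the fill intact but blows the timing budget.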
“This technique is certainly designed by well-recognized researchers of the community and it is clear that it’s the result of a lot of work,” says Aurélien Francillon, a researcher in the system security group at the Swiss Federal Institute of Technology in Zurich, who studies malware detection schemes. But careful analysis will need to be done to thoroughly evaluate the method, he says.
Francillon questions the proposed detection system’s reliance on timing. For example, environmental factors such as network congestion could introduce legitimate delays to a device’s response to a challenge, he says. Francillon also suspects that it might be possible to attack the code that is responsible for detecting the malware. As with any new security technology, more analysis is needed to fully evaluate it, he says.
For now the threat remains academic, says Mikko Hyppönen, chief research officer for F-Secure Corporation, a security company based in Helsinki, Finland. There are only a few hundred known pieces of mobile malware, compared to millions for PCs. So far, he says, mobile malware has been rudimentary, and has not employed the sophisticated evasion schemes commonly used on desktop computers.
Hyppönen says that for now, it’s more important to protect stolen devices than it is to protect against mobile malware. However, he believes that mobile malware will become more sophisticated in the future. At that point, he says, we’ll need clever detection schemes such as Jakobsson’s.
Jakobsson plans to market his detection scheme to handset manufacturers through FatSkunk. He hopes to convince them to include his code with their software. If another company, such as a maker of antivirus software or a bank, wanted to make use of the system’s protection, they would pay a licensing fee to the handset manufacturer and to FatSkunk.