Mobile Malware Analysis: Rootkit Behavior and Hiding Methods

Added on  2022/09/16

Running head: MOBILE MALWARE ANALYSIS
Mobile Malware Analysis
Name of the Student
Name of the University
Author's note
Executive Summary
In the last two decades the number of mobile device users has grown exponentially throughout the world, with almost 3.5 billion smartphones in use. Most of these devices contain sensitive user data, and attackers use numerous kinds of malware to compromise the devices in order to steal that data or violate the user's privacy.
Table of Contents
Introduction......................................................................................................................................3
Mobile malwares.............................................................................................................................3
Behavior of the mobile malware......................................................................................................3
Attack techniques used by the malware...........................................................................................3
Hiding technique..............................................................................................................4
Resources used by the malware.......................................................................................................5
Conclusion.......................................................................................................................................6
Introduction
With the ever-increasing number of mobile device users, numerous families of malware are used to carry out attacks on mobile devices, such as rootkits, adware, backdoors, RiskTool and so on (Téllez and Zeadally, 2017). This report considers the rootkit and examines different aspects of it: its behavior, its attack techniques and finally the resources this malware uses in order to carry out an attack.
Mobile malware and its definition
Malware is an umbrella term for the numerous malicious software components and variants, including viruses, spyware and ransomware. Malware typically contains code written by the attacker that ultimately causes extensive damage to the data stored on the mobile device, or that gains unauthorized access to databases or applications on the device.
Behavior of the mobile malware
Among all malware, the rootkit is one of the most successful kinds affecting mobile devices at large scale. Rootkits achieve the attacker's malicious goals by infecting the operating system of the device. For example, rootkits are capable of hiding malicious files on disk and the associated processes so that they remain undetected (Téllez and Zeadally, 2017). Furthermore, they can help the attacker disable the active firewall and virus scanners while installing trojan horses. Rootkits can complete their goals stealthily because they affect the operating system of the device, which is usually considered the trusted computing base.
Attack techniques used by the malware
Delivering rootkits to mobile devices
Attackers can deliver rootkits to targeted smartphones using the same techniques that are used to deliver malware to desktop computers. One of the major sources of delivery and infection of smartphones is content downloaded from the numerous malicious websites available on the internet (Téllez and Zeadally, 2017). Other sources include Bluetooth connections and file transfers, as well as text messages sent with the intention of delivering malware to smartphones (Danisevskis, 2016). Furthermore, rootkits can be delivered through email attachments and through illegal content that is mainly obtained and downloaded from peer-to-peer applications. The following are some of the attacks on mobile or smart phones and their attack techniques.
In various scenarios it is possible to track a user's location and compromise the user's location privacy. This is achieved by making the rootkit-infected mobile or smart phone send the victim's location details to the remote attacker, by delivering a text message containing the current position collected from GPS.
The growing complexity of smart mobile devices, which contain a huge amount of code, makes them as defenseless against rootkits as desktop computers by enlarging the attack surface. For mobile devices, their distinctive interfaces, for example voice, GPS, Bluetooth and the battery, have become another route for attackers to reach and complete their malicious goals.
Hiding technique
On mobile devices rootkits are considered very difficult to detect even once the device is infected. The kernel of any operating system manages thousands of heterogeneous data structures for the different processes, and most of these data structures are critical to its correct operation (norton.com, 2020). For this reason the attack surface available to the attacker is larger than for any other kind of attack on the kernel. Different research results have demonstrated that rootkits are capable of modifying multiple kernel data structures that store non-control data in order to disrupt the kernel.
After a rootkit is installed in the mobile operating system, it tries to maintain long-term control over different parts of the compromised device. To do so, rootkits install themselves as trusted kernel modules (Spisak, 2018). These modules are loaded every time the device boots the operating system.
Furthermore, once a device is infected by a rootkit, the attacker can use it to open the door for multiple future attacks without detection. For example, rootkits are commonly used to deliver keyloggers to devices (Cui et al., 2018). In this way the attacker is able to steal sensitive user data from the device, which may include passwords and credit card details, by logging keystrokes. Furthermore, the attacker is able to install backdoor programs that allow unauthorized access to the system in the future.
Resources used by the malware
In a rootkit attack the attacker first tries to obtain root privileges through a compromised setuid application (typically a network-related one) by exploiting a buffer overflow. In the next step, the attacker replaces available system binaries with trojan horses (Danisevskis, 2016). One of the most popular examples of such user-level rootkits is the t0rn rootkit. This rootkit replaces the system binary of the Linux ps utility, after which it is able to conceal the rootkit's own processes from the user. User-level rootkits stay stealthy because they infect existing system binary files instead of downloading new files or binaries onto the infected system.
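Because a user-level rootkit such as t0rn works by overwriting an existing binary like ps, the corresponding defensive check is file integrity verification: record a cryptographic hash of every system binary while the device is believed clean, store that manifest somewhere the rootkit cannot reach (read-only media, a remote server, or a signed package database), and later re-hash and compare. The following Python script is an added example written for this report, not code from the paper or from any tool it cites; the fake `/bin` directory, its placeholder "binaries" and the tampering step are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read binaries in chunks so large files do not need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record the hash of each binary while the system is believed to be clean.
    The manifest must be kept where a later infection cannot rewrite it."""
    return {str(p): sha256_file(p) for p in paths}


def verify_manifest(manifest):
    """Re-hash every recorded binary and classify it as ok, modified or missing."""
    report = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario (hypothetical, not a real system): a fake /bin with three
    placeholder binaries, of which one is replaced and one deleted after the manifest
    was taken. Returns {binary name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        for name in ("ps", "ls", "netstat"):
            (bin_dir / name).write_bytes(b"ELF-placeholder for " + name.encode())

        manifest = build_manifest(sorted(bin_dir.iterdir()))  # clean baseline

        # Simulate a user-level rootkit swapping ps for a trojaned copy
        # and removing a tool the attacker does not want available.
        (bin_dir / "ps").write_bytes(b"ELF-placeholder for ps, trojaned")
        (bin_dir / "netstat").unlink()

        report = verify_manifest(manifest)
        return {Path(p).name: status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:10s} {status}")
```

The check only catches a replaced or deleted binary; a kernel-level rootkit that hooks the read path can feed the verifier the original bytes while executing different ones, which is why the hash comparison should be run from outside the possibly compromised operating system (a recovery image, or the hypervisor-based detector Danisevskis describes) rather than from inside it.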
Because rootkits that affect user-level files are easily identified, present-day rootkits have evolved to modifying the code and data structures of the underlying operating system. Among the most common targets of such kernel-level rootkits are the operating system data structures that store control information, for example the system call table, interrupt descriptor tables and various function pointers (Danisevskis, 2016), such as those in the virtual file system layer, which decide the control flow in the system kernel.
Rootkits change these data structures using a method called hooking to intercept the control path and hide suspicious or malicious functions and related objects. For instance, the Adore rootkit is capable of modifying entries in the system call table of a compromised operating system (Firdaus et al., 2018). Each of these modified entries in the system call table redirects the function pointer, and thus the control flow, to malicious code that is embedded in the operating system as a loadable and trusted kernel module.
Therefore, it becomes very difficult for an antivirus application to detect a rootkit infection at the kernel level.
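The hooking described above leaves a measurable trace: every legitimate system call handler lives in the core kernel's text section, between the `_stext` and `_etext` symbols, whereas a hook installed by a loadable module points into module memory. A memory-forensics or integrity tool can therefore flag any system call table slot whose target falls outside that range. The Python below is an added example written for this report (not code from the paper or from Adore, Volatility or any other named tool); both inputs are constructed samples in the layout of `/proc/kallsyms` and of a resolved system call table dump, and the addresses and the module name `evil_mod` are invented. The numbers 0, 1 and 217 are the real x86-64 system call numbers of read, write and getdents64.

```python
# Constructed excerpt in /proc/kallsyms layout ("address type name [module]").
# Addresses are invented for the example and do not belong to any real kernel.
KALLSYMS_SAMPLE = """\
ffffffff81000000 T _stext
ffffffff81043210 T __x64_sys_read
ffffffff81043a00 T __x64_sys_write
ffffffff810b1c00 T __x64_sys_getdents64
ffffffff81e00000 T _etext
ffffffffc0a12000 t hooked_getdents64\t[evil_mod]
"""

# Constructed dump of the resolved system call table: "nr address symbol".
# Slot 217 (getdents64) has been redirected into the hypothetical module.
SYSCALL_TABLE_SAMPLE = """\
0 ffffffff81043210 __x64_sys_read
1 ffffffff81043a00 __x64_sys_write
217 ffffffffc0a12000 hooked_getdents64
"""


def kernel_text_range(kallsyms_text):
    """Return (start, end) of the core kernel text section from a kallsyms listing."""
    symbols = {}
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols["_stext"], symbols["_etext"]


def parse_syscall_table(table_text):
    """Parse 'nr address symbol' lines into (nr, address, symbol) tuples."""
    entries = []
    for line in table_text.splitlines():
        nr, addr, name = line.split()
        entries.append((int(nr), int(addr, 16), name))
    return entries


def find_hooked_entries(entries, text_start, text_end):
    """Flag table slots whose handler lies outside [text_start, text_end).
    Returns (nr, symbol, hex address) for each suspicious slot."""
    return [
        (nr, name, hex(addr))
        for nr, addr, name in entries
        if not (text_start <= addr < text_end)
    ]


def check(kallsyms_text=KALLSYMS_SAMPLE, table_text=SYSCALL_TABLE_SAMPLE):
    """Run the whole check over the two dumps and return the suspicious slots."""
    start, end = kernel_text_range(kallsyms_text)
    return find_hooked_entries(parse_syscall_table(table_text), start, end)


if __name__ == "__main__":
    for nr, name, addr in check():
        print(f"syscall {nr}: handler {name} at {addr} is outside kernel text")
```

On a live Linux or Android system the same comparison needs the real table, which is not exported to user space; it is normally read from a memory image or via a kernel debugger, and `/proc/kallsyms` shows zeroed addresses to unprivileged readers when `kptr_restrict` is set. The check also cannot see inline hooks that patch the first bytes of a handler that still sits inside kernel text, so it complements, rather than replaces, hashing the kernel text itself.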
Conclusion
Rootkits are mainly used to gain remote access to and control over a device. A rootkit gains root-level access in order to run malicious applications that steal data, carry out malicious activity and alter the system configuration. The rootkit hides itself in the system and stays there for a significant period of time with the help of obfuscation. The most well-known examples of rootkits on mobile devices are Godless, HummingBad and others. Kernel-level rootkits are stealthy and hard to identify. To begin with, kernel-level rootkits work by modifying the operating system. Thus they can easily conceal themselves from user-level antivirus tools, which ordinarily depend on information provided by the operating system to identify malicious software. For instance, an infected operating system can alter the view of the file system visible to an antivirus, effectively preventing the antivirus from checking the affected files.
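The last point of the conclusion, that a rootkit lies to user-level tools about what exists, also suggests the classic countermeasure: obtain the same information through two independent paths and compare them (cross-view detection). For hidden processes, one view is the directory listing of `/proc`, which a hooked `getdents64` can filter, and the other is a signal-0 probe of every possible PID, which goes through a different kernel path. The Python below is an added example written for this report, not code from the paper or from any tool it cites; `demo_views` uses constructed PID sets so the logic can be exercised offline, while `cross_view_check` runs the live comparison on a Linux host.

```python
import os


def view_from_proc():
    """View 1: the PIDs that a directory listing of /proc reports.
    A rootkit hooking the readdir path can filter entries out of this view."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Signal-0 probe: True if the kernel knows this PID, even if we may not signal it."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def view_from_probe(max_pid):
    """View 2: every PID in 1..max_pid that answers the probe, independent of readdir."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(listing_view, probe_view):
    """PIDs alive according to the probe but absent from the listing."""
    return sorted(probe_view - listing_view)


def cross_view_check(max_pid=None):
    """Live run: list, probe, list again, then re-confirm each suspect so that a
    process which merely exited between the two views (a race, not a rootkit)
    is not reported."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768
    before = view_from_proc()
    probed = view_from_probe(max_pid)
    after = view_from_proc()
    suspects = hidden_pids(before | after, probed)
    return [pid for pid in suspects if pid_exists(pid) and pid not in view_from_proc()]


def demo_views():
    """Constructed views (hypothetical PIDs): the listing omits PID 4321,
    although the probe finds it alive."""
    listing = {1, 2, 500, 1234}
    probed = {1, 2, 500, 1234, 4321}
    return hidden_pids(listing, probed)


if __name__ == "__main__":
    print("constructed demo, hidden PIDs:", demo_views())
    if os.path.isdir("/proc"):
        print("live check, hidden PIDs:", cross_view_check())
```

Two caveats a practitioner should keep in mind: the live probe walks up to `pid_max` PIDs (over four million on modern kernels), so it takes a while in Python, and on Android and on hosts that mount `/proc` with `hidepid`, other users' processes are legitimately absent from the listing, so the check must run as root or it will report false positives. A kernel-level rootkit that hooks both paths defeats this particular pair of views, which is why tools such as the hypervisor-based detector in Danisevskis (2016) take the second view from outside the guest kernel altogether.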
References
Cui, J., Zhang, Y., Cai, Z., Liu, A., & Li, Y. (2018). Securing display path for security-sensitive applications on mobile devices. Computers, Materials and Continua, 55(1), 17. Available at URL: https://ink.library.smu.edu.sg/sis_research/4114/
Danisevskis, J. (2016, March). Uncloaking Rootkits on Mobile Devices with a Hypervisor-Based Detector. In Information Security and Cryptology - ICISC 2015: 18th International Conference, Seoul, South Korea, November 25-27, 2015, Revised Selected Papers (Vol. 9558, p. 262). Springer. Available at URL: https://link.springer.com/chapter/10.1007/978-3-319-30840-1_17
Firdaus, A., Anuar, N. B., Ab Razak, M. F., Hashem, I. A. T., Bachok, S., & Sangaiah, A. K. (2018). Root exploit detection and features optimization: mobile device and blockchain based medical data management. Journal of Medical Systems, 42(6), 112. Available at URL: https://link.springer.com/article/10.1007/s10916-018-0966-x
Spisak, M. (2016). Hardware-Assisted Rootkits: Abusing Performance Counters on the ARM and x86 Architectures. In 10th USENIX Workshop on Offensive Technologies (WOOT 16). Available at URL: https://www.usenix.org/conference/woot16/workshop-program/presentation/spisak
Téllez, J., & Zeadally, S. (2017). Mobile Device Security. In Mobile Payment Systems (pp. 19-33). Springer, Cham. Available at URL: https://link.springer.com/chapter/10.1007/978-3-319-23033-7_2
What is a rootkit, and how to stop them. (2020). Retrieved 12 April 2020, from https://us.norton.com/internetsecurity-malware-what-is-a-rootkit-and-how-to-stop-them.html