Honeypot is used for botnet analysis, traffic capturing and revealing C&C hostnames. It’s also used for detecting subscribers with infected devices and monitoring malware activities like funds withdrawal and remote control.

1. Countering mobile malware in CSP’s network
Android honeypot as anti-fraud solution
Denis Gorchakov, Nikolay Goncharov

2. Lies, damned lies, and statistics
Annual AV reports say that Android malware has 95% share among all malicious mobile apps.
Russian subscribers are at the top of the list of mobile malware’s potential victims.
More than 50% of all mobile malware (worldwide) targets Russian subscribers.
At the end of 2013 there were 1321 banking viruses out in the wild, and at the end of Q1 2014 this
number increased to 2503.
On May 1, the Russian Government legally forced implementing Advice of Charge (AoC) for all VAS
content services, so cybercriminals shifted their focus to mobile e-commerce & payment services and SMS
banking services.
Mobile malware is slowly maturing, leveling with modern PC viruses like WinLocker, CryptoLocker,
rootkits and RATs.

3. What’s going on? Typical malware
Bypasses common anti-fraud filter rules: randomizes times, amounts and periods of subscribers’ funds withdrawal.
Provides VAS mobile content subscription with AoC bypass (“monetization” offers for webmasters).
Shows unwanted ads in notification drawer. Opens different promoted websites (black SEO).
Steals call history, SMS logs, phone’s address book.
Sends SMS spam to address book contacts or randomly (viral distribution, bypassing SMS antispam services).
Automates all SMS activity via built-in parsers for popular payment systems and banks.
Combines phishing with clickjacking using interface tricks (like card input overlays in Google Play, launching rogue app above
original, etc.)
Marketing APT-stories and spy movies scenarios:
Remotely controls your smartphone using microphone, camera and sensors on demand.
Uses smartphones for DDoS (data or voice).
Smart anti-reversing features:
Interface tricks. Uses device location (not only GPS, but cell data too). Checks for dummy/test number or device if no subscriber
activity is present (checks SMS history, validates blank IMEI/IMSI, blacklists test SIM cards).
Includes antivirus-specific bypass code (like “kavf#cker” class). Checks for root privileges or tries root exploits.

4. Bad Android!111
Unlike other mobile OSs, Android allows easy app installation from any untrusted source (just one tick in device
settings). All it takes is just a little bit of social engineering and common addiction to piracy among risk groups.
Criminals are even desperate to distribute malware through Google Play using moderation and sandbox deficiencies.
Until Google made recent changes to its Android vendor certification requirements, its firmware update policy was
real hell. Cheap as well as one year old devices didn’t receive any updates with vulnerability fixes, hardly speaking of
major Android version upgrades.

5. Lies, damned lies, and statistics #2. The real deal
Only Android 4.2+ has the “More
control of Premium SMS” feature that
intercepts any premium SMS activity
with confirmation dialogue.
SMS activity was redesigned only in
Android 4.4, so every SMS sent from
any app would be logged system-
wide.
Most of these devices won’t receive a
major upgrade.

6. Numbers and interesting facts
Every day we receive about 80 000 links that lead to malicious mobile apps. Most of them aren’t unique and many are dynamically
generated, but it’s still enough to begin the automation process.
We work at InfoSec Division, we’re not developers, we’re few, we can’t afford researching and developing machine learning
algorithms like app stores do.
But we have our benefits – access to CSP’s network and specific tools.
«Reich» botnet
Targeted large banks. Even a few days of one C&C activity led to 5 500 subscribers being infected; moreover more than 850 of them
got their money stolen from bank accounts.
SIP virus
Created a SIPNet account after installation and transferred some amount of subscriber’s funds to it. Could be used for voice DDoS,
but something went wrong.
Script kiddies again?
Stupid mistypes and code errors. Hardcoding plaintext decryption key in malware’s body. Extending account subscription on WoW
freeshards, seriously?
Guys, come on, surprise us with dynamic hostnames?!

7. Mobile Security (malware-C&C hostname)

8. Honeypot architecture
Honeypot is used for botnet analysis, traffic capturing and revealing C&C hostnames. It’s also used for detecting subscribers with
infected devices and monitoring malware activities like funds withdrawal and remote control.
It also automates detection to help with internal business processes.
Honeypot
Server
PostgreSQL WEB interface
Android
agent PC
Operator
Femtocell
WiFi
WWW
SMSC
SMPP
client
Service emulation
DPI/DNS analysis/AV solution/etc.
Infected/compromised
subscriber devices stats.
Report
CSP’s network

9. Network diagram and service integration
antivirus platform
Monitoring
SGSN
SORM
Exte rior gate way
Traffic mirroring
Gate way - loop
traffic processing
GGSN
Control channel
(VPN)
Wo rkstation
control channe l
(Se le ction of
suspicious
se ssions)
Proce ssing
data
Database se rve r
Control
channe l (VPN)

10. Description
Android application (agent):
•Gets C&C botnet hostnames and IPs
•Gets traffic dumps, network and any other communication activity from malicious apps
•Gets C&C MSISDNs and fund collectors’ MSISDNs
•Reveals sensitive data leaks to remote servers
•Stores its monitoring stats server-side
Server:
•DPI-like Traffic analysis
•Records traffic signatures, provides stats on C&C hostnames and MSISDNs, infected subscribers
•Whitelisting/blacklisting
•Dynamic routing, i.e. to antivirus platform or landing page with custom warning.

11. Android app
Android Phone
APPS
VK
Opera
Bot
Sniffer
WWW
Server

12. Web interface

13. Web interface

14. Web interface

15. Features
• No root is required, no device-specific requirements
• Doesn’t affect device performance and data transfer speed on device
• Requires Android 4.0.3+ (API level 14+)
• Capturing all data transferred from the device
• Analyses incoming and outcoming SMS- and USSD-messages.
• Stores every app’s activity separately
• Has white/blacklist for apps
• Shows apps that require SMS and Internet permissions
• Client-server architecture

16. Roadmap
• SSL/TLS MitM attack
• Expanding predefined white/blacklists
• Implementing behavioral metrics
• Optimizing auto-detection logic
• Improving sensitive data leak detection
• Intercepting and modifying C&C server’s commands
• Implementing a traffic analysis solution inside telecom network

17. Nikolay: goncharovkolya@list.ru
Denis: gorchakov.denis@gmail.com