Abstract

Establishing a covert command and control (C&C) channel between attackers and their malware is a central problem in malware design. This paper presents the design and analysis of a malware architecture that exploits push notification services as C&C channels. Its key feature is remote triggering: attackers trigger and execute their malware on demand by sending push notifications. Because the malware relies on the same push notification services as legitimate applications, its channel is hard to distinguish from normal push traffic. We implemented a backdoor prototype on Android devices as a proof of concept of push notification-based malware and evaluated its stealthiness and feasibility. The implementation evaded existing malware analysis tools, including the 55 antimalware scanners of VirusTotal and SandDroid. In addition, the backdoor cracked about 98% of the tested unlock secrets (PINs or unlock patterns) within 5 seconds while consuming only a fraction (less than 0.01%) of the device's total power. Finally, by analyzing the attack process step by step, we propose several defense strategies against push notification-based malware: filtering push notification subscription requests from suspicious applications, providing centralized management and access control for applications' registration tokens, detecting malicious push messages by analyzing their contents and the characteristic patterns they exhibit, and detecting malware by analyzing how applications behave after receiving push messages.

Highlights

  • Stealthiness is a key requirement of malware for the persistence of attack

  • We extend the backdoor implementation presented in the preliminary work [4] to develop a more generic and flexible push-based backdoor design that can be applied to any type of malware for the purpose of setting up a command and control (C&C) channel from the attacker via push notifications

  • In our preliminary work [4], we presented a design of Android backdoor exploiting push notification services


Summary

Introduction

Stealthiness is a key requirement of malware for the persistence of an attack. Remote triggering enhances stealthiness by letting attackers trigger and execute their malware only when they choose to, while otherwise hiding its presence from victims. It is also desirable for attackers to send attack commands to their malware so that its behavior can be controlled flexibly. Examples of attack commands include: "perform a DDoS attack against foo.com at a certain transmission rate during a certain period of time"; "collect the screen lock password of the device"; and "gather pictures taken or SMS messages received on a certain date." Features such as remote triggering and command delivery require a communication channel between attackers and their malware on victims' devices. That C&C channel must be covert, so that scanners relying on network traffic analysis cannot detect it.
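The last of the defenses listed in the abstract, detecting malware by analyzing what an application does right after it receives a push message, can be sketched as a correlation rule over device event logs. The following is an added example, not code from the paper or its backdoor prototype: it assumes a constructed line-based log format (timestamp, package, event, detail), an assumed set of sensitive event names, and a 10-second trigger window, and it flags an app that, within that window after a push, either touches a sensitive resource or contacts a host it never contacted outside the window (its assumed baseline). The sample log is constructed for this example.

```python
"""Post-push behaviour correlation (added example; log format and event names
are assumptions for illustration, not the paper's instrumentation)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Events a benign app rarely needs to perform seconds after a push message
# (assumed set for this example).
SENSITIVE_EVENTS = {"SMS_READ", "CONTACTS_READ", "EXEC_SHELL", "KEYGUARD_QUERY"}
# How long after a push an action is still treated as "triggered by" it.
WINDOW = timedelta(seconds=10)

# Constructed log: "<ISO timestamp> <package> <EVENT> <detail>"
SAMPLE_LOG = """\
2024-01-01T09:00:00 com.example.notes NET_CONNECT sync.notes.example:443
2024-01-01T10:00:00 com.example.notes PUSH_RECV len=42
2024-01-01T10:00:01 com.example.notes NET_CONNECT sync.notes.example:443
2024-01-01T10:05:00 com.example.flashlight PUSH_RECV len=310
2024-01-01T10:05:01 com.example.flashlight KEYGUARD_QUERY lock_type
2024-01-01T10:05:02 com.example.flashlight NET_CONNECT 203.0.113.7:8443
2024-01-01T10:05:03 com.example.flashlight SMS_READ inbox
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_log(text):
    """Parse the constructed log into (time, package, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, pkg, ev, detail = m.groups()
        events.append((datetime.fromisoformat(ts), pkg, ev, detail or ""))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_triggered(events, window=WINDOW):
    """Return {package: [reasons]} for apps whose actions shortly after a push
    message look like remote triggering over the push channel."""
    findings = defaultdict(list)
    baseline_hosts = defaultdict(set)  # hosts each app contacts outside a window
    last_push = {}                     # package -> time of most recent push
    for ts, pkg, ev, detail in events:
        if ev == "PUSH_RECV":
            last_push[pkg] = ts
            continue
        push_ts = last_push.get(pkg)
        in_window = push_ts is not None and ts - push_ts <= window
        if ev == "NET_CONNECT":
            host = detail.split(":")[0]  # assumes "host:port"; no IPv6 literals
            if in_window and host not in baseline_hosts[pkg]:
                delay = (ts - push_ts).seconds
                findings[pkg].append(f"connects to new host {host} {delay}s after push")
            elif not in_window:
                baseline_hosts[pkg].add(host)  # only unprompted traffic is baseline
        elif ev in SENSITIVE_EVENTS and in_window:
            findings[pkg].append(f"{ev} {(ts - push_ts).seconds}s after push")
    return dict(findings)


def scan(text=SAMPLE_LOG):
    """Convenience entry point: parse and correlate in one call."""
    return detect_push_triggered(parse_log(text))


if __name__ == "__main__":
    for pkg, reasons in scan().items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On the constructed log the notes app is not flagged: it syncs with the same host it already used before any push arrived. The flashlight app is flagged three times, because it queries the keyguard, opens a connection to a host it never used on its own, and reads SMS, all within seconds of a push message. The baseline is deliberately built only from traffic outside a push window, so that an app whose only network activity is push-triggered never launders its C&C host into its own baseline.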

