Abstract

The ubiquity of mobile devices and their evolution as computing platforms have made them lucrative targets for malware. Malware such as spyware, trojans, rootkits and botnets, which has traditionally plagued PCs, is now increasingly targeting mobile devices and is also referred to as mobile malware. Cybercriminal attacks have used mobile malware trojans to steal and transmit users’ personal information, including financial credentials, to bot master servers, as well as to abuse the capabilities of the device (e.g., send premium SMS messages) to generate fraudulent revenue streams. In this paper, we describe Triton, a new, network-based architecture, and a prototype implementation of it, for detecting and mitigating mobile malware. Our implementation of Triton for both Android and Linux environments was built in our 3G UMTS lab network, and was found to efficiently detect and neutralize mobile malware when tested using real malware samples from the wild. Triton employs a defense-in-depth approach and features: 1) in-the-network malware detectors to identify and prevent the spread of malware and 2) a server-side mitigation engine that sends threat profiles to an on-the-phone trusted software component to neutralize and perform fine-grained remediation of malware on mobile devices.

* This work was conducted while Arati Baliga was with the AT&T Security Research Center. Neil Daswani conducted this research while employed at Dasient. Twitter acquired Dasient in January 2012.
