Defense Against the Dark Arts: Weeks 9 and 10

This week’s lectures focus on mobile security and were presented by Fernando Ruiz of McAfee.

Mobile device and network evolution

The first mobile phone to market was the DynaTAC made by Motorola. It debuted in 1984. It employed the first generation (1G) analog mobile network.

Since then, mobile communication has moved through several network generations: 2.5G, which made data transmission possible in 2000; 3G, which integrated internet access; and 4G, which allowed high-speed internet access.

Operating systems

Today, the primary mobile operating systems in terms of market share are Android, maintained by Google, and iOS, maintained by Apple. While these two operating systems are dominant today, market share used to be somewhat more evenly distributed, with Windows Phone and Blackberry holding some share.

Apple and iOS

iOS is maintained by Apple and is closed-source. It only runs on devices made by Apple, namely the iPhone and iPad. It was derived from Mac OS X and is based on the XNU kernel. It debuted on the first iPhone in 2007 and is credited with launching the smartphone revolution.

Google and Android

The Android operating system was developed by Android Inc. in 2005 and acquired by Google in 2007. It has open-source roots, having been based on the Linux kernel, but the development is led by Google rather than an open-source community. Further, many (perhaps most) of the applications that run on top of it are not open source.

Jailbreaks and roots

Both iOS and Android devices can be made to function in ways not explicitly allowed by their manufacturers.

Jailbreaking refers to increasing a user’s privileges on iOS in the interest of running software not explicitly allowed by Apple. This process has been going on since the first iPhone was released in 2007 and continues to this day.

One prominent use of jailbreaking is unlocking phones which have been locked to a particular cell carrier.

On Android, “rooting” refers to following a series of steps which grant the user root (akin to administrative) privileges. Gaining root access is sometimes prohibited by manufacturers. In other cases gaining root access is explicitly supported, though it’s not as straightforward as assuming the role of an administrator on a desktop operating system.

Having root privileges allows a user to modify system files. This makes possible a variety of functionalities, including loading unsupported applications and doing things that the device was not originally intended to do, like overclocking the CPU.

Disk and network encryption help prevent unauthorized interception of user data. Disk encryption is especially important with mobile and other small devices, since they contain a trove of personal data and are more likely to be lost or stolen than desktop machines.

Apple started building encryption into their phones with the 3GS, which was released in 2009. Even so, the feature was criticized for being easy to crack. Apple has improved their encryption since then, especially since revelations about the mass surveillance campaigns carried out by the American and British governments.

Google made full-disk encryption possible in 2011, but it was not enabled by default until 2015 with Android Marshmallow. The change had originally been slated for the previous version, Android Lollipop, but ran into performance issues on some hardware.

Mobile malware

One of the earliest examples of mobile malware was the Yxes worm, which targeted Symbian devices made by Nokia. It spread via text messages containing a URL. It had several anti-debugging features, namely encrypted URLs and the ability to kill system apps to avoid detection.

The first malware for iOS was the Ikee worm, which targeted jailbroken iPhones and held the device hostage until a five dollar ransom was paid.

Among the earliest Android malware was FakePlayer, which pretended to be a media player application. It sent SMS messages to premium-rate numbers. TapSnake, which came out around the same time, was one of the first pieces of malware discovered in Android Market (Google’s official app store, the predecessor to Google Play). It tracked GPS coordinates and sent them to a remote server.

The first Android botnet, Geinimi, was discovered in late 2010. It was designed to leak sensitive information to a remote server. Geinimi employed several sophisticated features, including silent app installs, encryption, and execution of remotely-initiated commands.

DroidDream, another mobile botnet targeting Android, appeared in 2011. It attempted to root the infected device and then download more applications. Google, the developer of Android, employed its “remote kill switch” to control the infection. This allowed Google to remove the malware and install a patch without user intervention.

The labs for these two weeks of the course focused on static and dynamic analysis of Android malware. In static analysis, a piece of malware is studied without actually executing it. In dynamic analysis, the malware is executed (hopefully in some sort of isolated or sandboxed environment) and its behavior is observed. There are a variety of tools available for both static and dynamic analysis.

Static analysis of FakePlayer and TapSnake

Using Apktool and smali, it is possible to decode resources and study the disassembled code. And dex2jar allows converting a .dex file into a .jar (Java) file, which can then be decompiled. Once the code is decompiled it’s possible to see how many text messages are being sent (in the case of FakePlayer) and to whom they’re being sent.
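The FakePlayer question above (how many messages, and to whom) can also be answered by scripting over the smali that Apktool produces instead of reading it by hand. This is an added example, not code from the course or the lab: the smali it scans is a constructed snippet in the shape Apktool emits, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed smali in the shape Apktool/smali emit, not FakePlayer's real disassembly; the short codes and body are made-up values.
SAMPLE_SMALI = """\
.method private sendPremium()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "3353"
    const-string v3, "798657"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v1, "3354"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v1, "3353"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

SMS_SINK = "Landroid/telephony/SmsManager;->sendTextMessage("
CONST_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
INVOKE_RE = re.compile(r'^\s*invoke-\w+(/range)?\s+\{([^}]*)\},\s*(\S+)')

def expand_registers(spec, is_range):
    # 'v0, v1, v2' -> list of registers; 'v0 .. v5' -> v0 through v5 (the /range forms)
    if is_range:
        lo, hi = (r.strip() for r in spec.split(".."))
        return [f"{lo[0]}{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]

def find_sms_sends(smali):
    """Return (destination, body) per sendTextMessage call; string args come from the latest const-string per register, reset at each .method."""
    sends, regs = [], {}
    for line in smali.splitlines():
        if line.startswith(".method"):
            regs = {}
            continue
        m = CONST_RE.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = INVOKE_RE.match(line)
        if m and m.group(3).startswith(SMS_SINK):
            args = expand_registers(m.group(2), bool(m.group(1)))
            # args[0] is the SmsManager instance; then destination, scAddress, text, ...
            sends.append((regs.get(args[1], "<dynamic>"), regs.get(args[3], "<dynamic>")))
    return sends

def count_by_destination(smali):
    """Messages per destination number: the question the lab asks of FakePlayer."""
    return Counter(dest for dest, _ in find_sms_sends(smali))
```

Run it over the smali directory Apktool writes and a destination that is not a const-string (a number built at runtime) shows up as "<dynamic>", which is itself a signal worth following up in the decompiled Java.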

Dynamic analysis with the Android SDK

The Android SDK (software development kit) provides an emulator in which Android can be loaded and applications run without having a physical Android device. This is akin to a virtual machine. I’ve used this emulator in the past to develop and test Android applications.

The malware application that the lab focused on was WALKTXT, which sends spam text messages and leaks device information. Using Wireshark makes it possible to observe this network traffic.