Conference Paper
The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers
Charles Lever, Manos Antonakakis, Brad Reaves, Patrick Traynor, and Wenke Lee
Proceedings of the Network and Distributed System Security Symposium, 2013
Carrier DNS traffic shows that known mobile malware is rare: less than 0.0009% of observed devices contacted known malicious infrastructure.
Abstract
Much of the attention surrounding mobile malware has focused on the in-depth analysis of malicious applications. While bringing the community valuable information about the methods used and data targeted by malware writers, such work has not yet been able to quantify the prevalence with which mobile devices are actually infected. In this paper, we present the first such attempt through a study of the hosting infrastructure used by mobile applications. Using DNS traffic collected over the course of three months from a major US cellular provider as well as a major US non-cellular Internet service provider, we identify the DNS domains looked up by mobile applications, and analyze information related to the Internet hosts pointed to by these domains. We make several important observations. First, the mobile malware found by the research community thus far appears in a minuscule number of devices in the network: 3,492 out of over 380 million (less than 0.0009%) observed during the course of our analysis. This result lends credence to the argument that, while not perfect, mobile application markets are currently providing adequate security for the majority of mobile device users. Second, we find that users of iOS devices are very nearly as likely to communicate with known low-reputation domains as the owners of other mobile platforms, calling into question the conventional wisdom of one platform demonstrably providing greater security than another. Finally, we observe two malware campaigns from the upper levels of the DNS hierarchy and analyze the lifetimes and network properties of these threats. We also note that one of these campaigns ceases to operate long before the malware associated with it is discovered, suggesting that network-based countermeasures may be useful in the identification and mitigation of future threats.
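The abstract describes a measurement, not an algorithm, but the core step is easy to get subtly wrong: join a passive-DNS capture against a list of known-malicious domains and count the fraction of distinct devices that touched that infrastructure, broken down by platform. The following is an added example written for this page, not code from the paper or its authors; the log format, anonymised device ids, platform labels and the blocklist are all constructed, and the paper's own data sources and labelling are not modelled. It shows two details a practitioner needs: matching on DNS label boundaries (so `notbadactor.example` does not match a blocklisted `badactor.example`) and counting devices rather than queries (so one chatty infected device does not inflate the rate).

```python
"""Fraction of devices in a passive-DNS capture that contact known-bad domains.

Added example, not code from the paper. Log format, device ids, platform
labels and the blocklist below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed passive-DNS records: timestamp, anonymised device id, platform, qname, qtype.
PDNS_LOG = """\
2012-11-01T00:00:01Z dev001 ios     www.apple.com             A
2012-11-01T00:00:02Z dev002 android ads.tracker.example       A
2012-11-01T00:00:03Z dev003 ios     c2.badactor.example.      A
2012-11-01T00:00:04Z dev004 android notbadactor.example       A
2012-11-01T00:00:05Z dev005 android update.badactor.example   AAAA
2012-11-01T00:00:06Z dev003 ios     www.apple.com             A
2012-11-01T00:00:07Z dev006 other   cdn.example.org           A
2012-11-01T00:00:08Z dev002 android UPDATE.BADACTOR.EXAMPLE   A
"""

# Constructed blocklist of domains assumed to host malicious infrastructure.
BLOCKLIST = {"badactor.example", "malware-dl.example"}


@dataclass(frozen=True)
class Query:
    ts: str
    device: str
    platform: str
    qname: str
    qtype: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'A.B.' and 'a.b' compare equal."""
    return name.strip().lower().rstrip(".")


def parse_pdns(text: str) -> list:
    """Parse whitespace-separated records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, device, platform, qname, qtype = parts
        records.append(Query(ts, device, platform.lower(), normalize(qname), qtype))
    return records


def is_blocklisted(qname: str, blocklist: set) -> bool:
    """True if qname equals, or is a subdomain of, a blocklisted domain.

    The match is on label boundaries: 'notbadactor.example' must NOT match
    'badactor.example', which a plain substring test would get wrong.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def naive_substring_hits(records, blocklist) -> set:
    """The mistake is_blocklisted avoids: devices flagged by substring matching."""
    return {r.device for r in records if any(b in r.qname for b in blocklist)}


def prevalence(records, blocklist) -> dict:
    """Fraction of distinct devices that looked up a blocklisted name, overall and per platform."""
    seen = defaultdict(set)     # platform -> devices observed at all
    flagged = defaultdict(set)  # platform -> devices that hit the blocklist
    for r in records:
        seen[r.platform].add(r.device)
        if is_blocklisted(r.qname, blocklist):
            flagged[r.platform].add(r.device)
    all_seen = set().union(*seen.values())
    all_flagged = set().union(*flagged.values())
    per_platform = {
        p: {"devices": len(seen[p]), "flagged": len(flagged[p]),
            "rate": len(flagged[p]) / len(seen[p])}
        for p in sorted(seen)
    }
    return {"devices": len(all_seen), "flagged": len(all_flagged),
            "rate": len(all_flagged) / len(all_seen) if all_seen else 0.0,
            "per_platform": per_platform}


if __name__ == "__main__":
    recs = parse_pdns(PDNS_LOG)
    stats = prevalence(recs, BLOCKLIST)
    print(f"{stats['flagged']} of {stats['devices']} devices "
          f"({stats['rate']:.2%}) contacted a blocklisted domain")
    for p, s in stats["per_platform"].items():
        print(f"  {p:8s} {s['flagged']}/{s['devices']} = {s['rate']:.2%}")
    print("substring matching would also have flagged:",
          sorted(naive_substring_hits(recs, BLOCKLIST) - {
              r.device for r in recs if is_blocklisted(r.qname, BLOCKLIST)}))
```

On the constructed data, label-boundary matching flags three of six devices while substring matching would wrongly add `dev004`. At carrier scale the same false positive, applied to hundreds of millions of devices, would swamp a rate as small as the 0.0009% the paper reports, which is why the matching rule matters more than the arithmetic.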
Citation (IEEE)
C. Lever, M. Antonakakis, B. Reaves, P. Traynor, and W. Lee, “The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers,” in Proceedings of the Network and Distributed System Security Symposium, 2013.
BibTeX
@inproceedings{lar+13,
author = {Lever, Charles and Antonakakis, Manos and Reaves, Brad and Traynor, Patrick and Lee, Wenke},
booktitle = {Proceedings of the Network and Distributed System Security Symposium},
date = {2013-02},
title = {The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers},
}