An OpenBTS GSM replication jail for mobile malware

Axelle Apvrille Fortinet

There is one golden rule in the anti-virus industry that all AV analysts are very cautious about: making sure they do not spread samples which are under study. On PCs, vendors commonly use replication hosts in a very restricted environment (virtual machines, firewalls, limited network connection etc).

Unfortunately the task is more complicated on mobile phones, because fewer tools are available and because nearly all viruses assume they have either GSM or Internet connection to operate correctly.

We have consequently built a fake GSM operator using the open source OpenBTS project to help us analyse mobile malware live while being sure the malicious programs are not inadvertently propagated on the network of a real operator.

This paper explains how we set up our GSM network and then how to use it for the analysis of mobile malware. Using recent mobile malware samples, we show how to trace calls or sniff SMS messages. We also enhance this GSM network with a firewalled wifi and explain how to deal with more advanced mobile malware which communicate with remote hosts on the Internet. Finally, we conclude with the current limitations and future work concerning this replication architecture.

 del.icio.us  digg this! digg this

Quick Links

Poll
Should software vendors extend support for their products on Windows XP beyond the end-of-life of the operating system?
Yes - it keeps their users secure
No - it encourages users to continue to use a less secure OS
I don't know
Leave a comment
View 23 comments

Jobs Recruit Sidebar

VB2014
VB2014 VB2014 will take place 24 - 26 September 2014 at the Westin Seattle hotel, Seattle, WA, USA.

Virus Bulletin currently has 231,300 registered users.