An OpenBTS GSM replication jail for mobile malware
Axelle Apvrille, Fortinet
There is one golden rule in the anti-virus industry that all AV analysts
are very cautious about: making sure they do not spread the
samples they are studying. On PCs, vendors commonly run
replication hosts in a very restricted environment (virtual machines, firewalls, limited network connectivity, etc.).
Unfortunately, the task is more complicated on mobile phones,
because fewer tools are available and because nearly all mobile viruses
assume they have either a GSM or an Internet connection in order to operate correctly.
We have consequently built a fake GSM operator using the
open source OpenBTS project to help us analyse mobile malware live
while being sure the malicious programs are not inadvertently propagated
on the network of a real operator.
This paper explains how we set up our GSM network and then
how to use it for the analysis of mobile malware.
Using recent mobile malware samples, we show how
to trace calls or sniff SMS messages.
We also enhance this GSM network with a firewalled Wi-Fi link and
explain how to deal with more advanced mobile malware
that communicates with remote hosts on the Internet.
Finally, we conclude with the current limitations and future
work concerning this replication architecture.