Abstract: Smartphones continue to excel in the 21st century due to the constant improvements of mobile technology. Advances in smartphones, such as increased computing power, improved device-to-device communication and the option of installing additional third-party applications, have led to a sharp rise in their popularity. This popularity, combined with the extensive adoption of smartphones by the general public, has now drawn the attention of mobile malware developers. On popular platforms, such as Android, malware has grown exponentially since the detection of the first mobile Trojan horse in 2010. Android malware families detected during 2013 displayed capabilities that revealed the transition from traditional computer-based botnets to the Android platform. To effectively mitigate or defend against Android botnets, an insightful understanding of them is required. This paper aims to characterise existing Android malware families that display botnet functionality, allowing for the development of proper mitigation and anti-botnet solutions. The contributions of this paper are two-fold. Firstly, the Android malware collection presented in this paper includes 20 families, which cover the majority of malware families displaying botnet behaviour, ranging from their debut in December 2010 to the recent ones discovered in December 2013. These families are thoroughly characterised based on their detailed behaviour breakdown, including propagation methods, command and control channels, and attack strategies. Secondly, an evolution-based study of representative Android botnet families is performed, revealing the rapid growth of Android botnets and the pressing need for anti-botnet solutions. The characterisation of the Android malware families and the subsequent evolution-based study reveal the sophistication of Android botnets. These identifiable characteristics can, however, be incorporated into new and existing mitigation solutions to defend and protect against Android botnet infections. The outcome of this study shows that Android botnets are real and a current threat to smartphone users and that there is a need for proper anti-botnet solutions on mobile platforms.
Keywords: android, android botnets, mobile botnets, smartphones, mobile malware
1. Introduction
On April 3rd, 1973 Dr. Martin Cooper placed the first phone call on the DynaTAC prototype (Murphy 2013), a portable mobile phone. As of today, four decades after the first public telephone call, mobile phones have become a daily companion for most people. There is a class of mobile phones, called smartphones, which offer advanced computing power and device-to-device communication. The popularity of smartphones continues to grow and for the first time surpassed the sales of feature phones in 2013 (Rivera and Van der Meulen 2014). The improved capabilities and popularity of smartphones continue to draw the attention of mobile malware developers.
Kindsight Security Labs reported that mobile malware increased by 20%, with an infection rate of 0.55%, by the end of 2013 (Alcatel-Lucent 2014). As the most popular mobile platform currently, Android smartphones continue to be the most targeted, accounting for 60% of all malware infections. The Android operating system remains the target of choice due to the large market share, ability to install applications from third-party markets and the simplicity of injecting malicious code into legitimate applications (Alcatel-Lucent 2014). Although the rise of malware does not have an obvious impact on the popularity of Android, it is creating possibilities for the development of sophisticated threats. One such threat is Android botnets.
An Android botnet is a collection of compromised Android smartphones, controlled by a botmaster, through a command and control (C&C) network. The botmaster is the attacker responsible for creating, controlling, and maintaining the Android botnet. Android botnets are, however, not a new threat to the users of Android smartphones. Since the discovery of Geinimi at the end of 2010, the first Android malware to display botnet functionality (Strazzere and Wyatt 2011), countless more Android malware families have shown similar functionality.
Without knowledge of Android botnets and their potential capabilities, it will become difficult to protect against their attacks. To effectively mitigate or defend against Android botnets, a detailed understanding of their internal functionality is required. Such understanding can be obtained by carefully studying existing Android botnet families. This paper, therefore, aims to characterise existing Android botnet families that display botnet functionality. The Android botnet collection presented in this paper includes 20 families, ranging from December 2010 to December 2013. These families are thoroughly characterised according to their behaviour, concentrating on the propagation vectors, C&C channels, and attack strategies. In addition, an evolution-based study of representative Android botnet families is presented, revealing the rapid growth of Android botnets and the pressing need for anti-botnet solutions.
The remainder of the paper is structured as follows. The collection of Android botnet families is introduced in Section 2 and the characteristics of these families are further explored in Section 3. The evolution of Android botnets is discussed in Section 4 and the paper concludes in Section 5.
2. Timeline of Android botnet families
The Android botnet collection presented in this paper includes 20 families, ranging from their debut in December 2010 to the recent ones discovered in 2013. The collection of Android botnet families was obtained by carefully examining existing security announcements, threat reports and blog contents from mobile researchers and antivirus companies. For each Android botnet family, the month of discovery and the location of origin, which are either application markets (official or third-party) or forged websites, are identified (see Table 1).
3. Android botnet characteristics
Two important components of any Android botnet are the propagation vectors and C&C channels. These components are responsible for building and sustaining the ever-growing Android botnet, with the propagation vectors responsible for recruiting new bots and the C&C channels providing a communication mechanism. Each Android botnet is, however, developed to achieve one or more goals in its lifetime. These goals can be categorised into the following attack strategies: information reaping, information dispersal, monetary gain and service interruption (Pieterse 2014). This section provides a systematic characterisation of the Android botnet families, focusing on their propagation vectors, C&C channels, and attack strategies. A characterisation of the propagation vectors and the C&C channels for the Android botnet families, presented in the collection, is shown in Table 2.
3.1 Propagation vector
A propagation vector refers to the mechanism that allows for the dissemination of the malicious applications to Android smartphones. Common propagation vectors, used to propagate the malicious applications, comprise vulnerability exploitation and social engineering (Zeng 2012). The propagation vectors, as used by the Android botnet families presented in Section 2, are generalised into the following categories: repackaging, masquerading, update, e-mail attachments, spam Short Message Service (SMS) messages, and drive-by download.
3.1.1 Repackaging
The most popular propagation vector for Android botnets is the repackaged application (Zhou and Jiang 2012). For this propagation vector to succeed, the botmaster selects a popular application, reverse engineers the application, encloses the malicious payload, and then returns the repackaged application to the application market. To attempt to hide the malicious payload, botmasters tend to use class-file names that look legitimate and benign (Zhou and Jiang 2012). For example, DroidKungFu uses com.google.ssearch to disguise the malicious payload as a Google search module (Zhou and Jiang 2012) and BaseBridge installs the malicious application with the name com.android.battery (Wong 2011). Despite the simplicity of this particular propagation vector, repackaging remains a popular choice and is used by 65% of the Android botnet families presented in the collection. Newer Android botnet families have, however, applied different propagation techniques, such as masquerading as legitimate applications.
3.1.2 Masquerading
Botmasters often take advantage of new and exciting applications, capitalising on their recent release by creating fake versions injected with malicious payloads. Masquerading requires the botmaster to disguise the malicious code in a new application, which acts similarly to a legitimate application. NotCompatible masquerades as an Android system update named com.Security.Update (Seltzer 2012) and Ssucl poses as a rogue system tool, which was available for download at the Google Play Store as Superclean or Droidcleaner (Samson 2013). The arrival of MisoSMS, which masquerades as an Android settings application (Pidathala et al. 2013), shows that newer Android botnet families are moving away from the traditional propagation vectors.
3.1.3 Update
Propagation via updates still requires a repackaged application but instead of enclosing the malicious payload in the repackaged application, an additional update component is added that will fetch the malicious payload at a later point in time (Zhou and Jiang 2012). Smartphone users thus have sufficient time to familiarise themselves with the application and when the update becomes available, enough trust has been established. The user will thus feel comfortable installing the new update. In the collection presented in this paper, two Android botnet families use the update propagation technique, namely BaseBridge and Plankton. Applications infected with the BaseBridge malware will display an update dialogue sometime after initial installation, explaining that a new version is now available. Should the user accept the updated version, the malicious payload will be uploaded to the smartphone and installed (Zhou and Jiang 2012). This propagation vector is stealthier than a repackaged application but may not always succeed due to the time delay required before the malicious payload is activated (the smartphone user can uninstall the application before receiving the update). It is therefore only used by 10% of the Android botnet families presented in the collection.
3.1.4 Others
The remaining propagation vectors are still relatively new dissemination techniques and therefore are currently utilised by only a few Android botnet families. The first technique, propagation via e-mail attachments, is used by the Chuli botnet family. The e-mail account of a high-profile Tibetan activist was hacked on March 24th, 2013 and was used to send spear phishing e-mails (Rogers 2013). Attached to the e-mails is an Android application named WUC's Conference.apk, which is installed on the smartphone as an application called Conference (Baumgartner et al. 2013). The second propagation vector disseminates the malicious application by using spam SMS messages and is used by the Obad botnet family (Tinaztepe et al. 2013). The spam SMS messages contain a link, which will lead to the download of the application containing the Obad malware. The final propagation vector, drive-by download, entices users to download 'interesting' or 'feature-rich' applications (Zhou and Jiang 2012). The developers of NotCompatible took this propagation technique a step further by including a hidden iframe, which points to the malicious NotCompatible application, into vulnerable websites. The NotCompatible application is then downloaded to the smartphone without the user's consent when the user visits the infected website (Ruiz 2012).
3.2 Command and control channels
The C&C channels are the most important component of the Android botnet and are responsible for disseminating the commands from the botmaster to all the bots (Zeng 2012). The C&C channel is required to provide fast and secure communication and is therefore generally established as a direct connection. For protection, certain Android botnet families encrypt the Uniform Resource Locators (URLs) of the remote control servers. In some cases the Android botnets also add a layer of encryption to the communication occurring between the C&C servers and the bots (Zhou and Jiang 2012). Geinimi uses the Data Encryption Standard (DES) to encrypt the C&C communication while the Pjapps family uses its own encoding scheme to encrypt the C&C server addresses (Zhou and Jiang 2012). Updated versions of the MisoSMS botnet family use a variant of the Extended Tiny Encryption Algorithm (XTEA) scheme to communicate with the C&C servers (Dharmdasani and Pidathala 2014).
The most popular C&C functionality for Android botnets continues to be control via the network, which entails the bots using Hypertext Transfer Protocol (HTTP)-based web traffic to receive the commands from the control server. HTTP-based web traffic is often selected as a C&C channel because most smartphones are continuously connected to the Internet. Even though a specific permission, called the uses.permission.INTERNET, is required to allow the application to gain network access, this is a common permission and therefore cannot alone be used to determine if the application is malicious or not. Relying on the mobile traffic to identify the bot activities is also impractical since mobile traffic remains relatively inexpensive and the chances are slim that the smartphone user will discover the additional activities (Pieterse 2014).
Despite the obvious success of network-based C&C channels, Android botnet families are moving away from this traditional C&C channel towards newer methods. The motivation to change is mostly due to the problem often associated with network-based C&C, which is the control server becoming a single point of failure. Removal of the control server renders the Android botnet unusable and thus botmasters explored new C&C techniques to overcome this problem, such as SMS messages. In order to receive a command via an SMS message, Android botnet families register a broadcast receiver with a high priority that listens for the specific intent with the android.provider.Telephony.SMS_RECEIVED action. This intent allows the Android botnet to intercept all incoming SMS messages and prevent particular messages, such as messages containing commands, from being seen by the smartphone users. The received commands can then be executed accordingly.
In the presented collection, only Nickispy, TigerBot, and Chuli use SMS messages for C&C. The TigerBot family listens for specially crafted SMS messages, allowing the botmaster to perform a wide variety of attacks (Kumar 2012). Nickispy structures its command SMS messages according to the following format: # <command> # <password> # <option> (Grunzweig 2011). Although only a few Android botnet families utilise SMS messages for C&C (15%), this C&C channel has been impeded by the release of Android version 4.4.2, which no longer permits the interception of SMS messages. Despite this limitation, SMS C&C still remains a viable option for C&C since many smartphones still run older Android versions.
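The high-priority SMS_RECEIVED receiver described above leaves a static trace when it is declared in the application manifest. The following added example (not part of the original paper) triages a decoded AndroidManifest.xml for that trace and, in line with the point about the Internet permission, does not score network access on its own. The sample manifests, package names and the HIGH_PRIORITY threshold are constructed assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-interception receivers."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
# Assumption for this example: a filter priority at or above this counts as "high".
HIGH_PRIORITY = 999


def parse_priority(value):
    """Return the intent-filter priority as an int, or None if it is not a literal."""
    if value is None:
        return 0  # default priority when android:priority is absent
    try:
        return int(value, 0)  # accepts decimal and 0x-prefixed hex literals
    except ValueError:
        return None  # e.g. a resource reference that cannot be resolved here


def sms_receivers(root):
    """Yield (receiver name, priority) for each filter matching SMS_RECEIVED."""
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = parse_priority(flt.get(ANDROID + "priority"))
                yield receiver.get(ANDROID + "name"), prio


def triage(manifest_xml):
    """Classify a manifest by how its receivers handle incoming SMS broadcasts."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.findall("uses-permission")}
    findings = list(sms_receivers(root))
    # An unresolved priority (None) is flagged conservatively for manual review.
    flagged = [n for n, p in findings if p is None or p >= HIGH_PRIORITY]
    if flagged and RECEIVE_SMS in perms:
        verdict = "high-priority-sms-receiver"
    elif findings:
        verdict = "sms-receiver"
    else:
        verdict = "no-sms-receiver"  # INTERNET alone is never scored
    return {"package": root.get("package"), "verdict": verdict,
            "receivers": findings, "flagged": flagged}


# Constructed sample manifests (not taken from any real application).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".BootSync">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

INTERNET_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

DEFAULT_PRIORITY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Inbox">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, INTERNET_ONLY, DEFAULT_PRIORITY):
        print(triage(sample))
```

Receivers registered at runtime do not appear in the manifest, so a clean result here does not rule out SMS interception.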
The only Android botnet family, within our sample set, to use e-mail for C&C is MisoSMS. Although MisoSMS does not explicitly receive commands from e-mail messages, they are the only visible method of communication between the bots and the C&C server (Pidathala et al. 2013). The successful construction of the C&C channels provides the botmaster with the necessary access required to execute the attacks.
3.3 Attack strategies
A botmaster develops any Android botnet with a specific purpose in mind. This purpose is to achieve one or more goals. The Android botnet will utilise the propagation vectors and the C&C channels, as described in the previous sections, to gain access to the smartphones and achieve the goals. These various goals can be summarised into the following attack strategies: information reaping, information dispersal, monetary gain, and service interruption (see Table 3). Each attack strategy is defined according to a generic structure, which consists of the following elements:
• Goal: the purpose of the attack strategy.
• Option(s): the possibilities to achieve the goal.
• Outcome: the result of executing the attack strategy.
3.3.1 Information reaping
The information reaping attack strategy refers strictly to the collection of information, either directly from the smartphone or by exploiting built-in functionality. The options to achieve this goal include the following:
• Device information: refers to, but is not limited to, the retrieval of the International Mobile Station Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, Android version, and device model. This information is often used to uniquely identify a smartphone within an Android botnet and is therefore pursued by 90% of the families presented in the collection.
• Personal information: includes the collection of information relating to the smartphone user, such as the phone number, contacts, and SMS messages.
• Spying: allows the Android botnet to collect dynamic information, such as pinpointing the geographical location of the smartphone, monitoring incoming/outgoing messages and recording telephone conversations.
In terms of information reaping, Geinimi is responsible for the collection of the IMEI and IMSI numbers as well as the location coordinates, which are then transmitted to the control server (Strazzere and Wyatt 2011). Nickispy is the first Android botnet family with the ability to record phone calls and store the recordings on the device's SD card (Grunzweig 2011). The goal of MisoSMS is only to steal personal SMS messages and transmit these messages to botmasters in China (Pidathala et al. 2013). Information reaping can lead to fraud, identity theft or possibly the cloning of smartphones.
3.3.2 Information dispersal
Information dispersal is an attack strategy focusing on the spreading of information or malicious content. The options to achieve this goal are:
• Spam: refers to the act of sending large quantities of unwanted SMS messages, which often contain links to websites from where malicious applications are silently downloaded onto the smartphone.
• File transferral: allows for the sending of files, such as applications, via a specific medium to other smartphones.
The Obad botnet family uses both spam SMS messages and file transferral to infect other smartphones with the Obad malware. The spam SMS messages are sent to all the contacts and contain a link, which will download the Obad malware should the recipient follow the link. In addition, a file, which can be a copy of the Obad malware, is propagated via Bluetooth to other smartphones (Tinaztepe et al. 2013). The outcome of the information dispersal attack strategy allows the Android botnet to grow since the options provide the possibility to recruit new bots.
3.3.3 Monetary gain
The attack strategy of monetary gain allows the Android botnet to financially impact the users of smartphones. The goal is thus to perform activities on the infected smartphones for monetary purposes. The attack options to achieve this goal include:
• Premium calls/SMS messages: botmasters can register a premium-rate number, which is billed at a rate above the normal cost of an SMS or phone call (Chien 2011). Calling or sending SMS messages to these numbers at regular intervals will generate revenue for the botmaster.
• Pay-per-click: a variety of services, such as advertising networks, pay each time an affiliate refers a user to a website. Using bots, the botmaster can generate artificial visits to these websites and receive revenue per click (Chien 2011).
The motivation behind Bmaster is financial and the botnet is capable of generating revenue anywhere between $1600 and $9000 per day (Mullaney 2012) by calling and sending SMS messages to premium-rate numbers. The ADRD (Katsuki 2011) and BgServ (Chien 2011) botnet families utilise the pay-per-click monetization scheme. The outcome of this attack strategy is the generation of revenue for the botmaster and the creation of high bills for the users of the infected smartphones.
3.3.4 Service interruption
The service interruption attack strategy refers to the disruption of services on a single smartphone. The options to achieve disruptions include:
• Block calls/SMS messages: refers to the blocking of incoming calls or SMS messages that meet certain criteria.
• Block/uninstall applications: refers to the blocking or removal of applications that can potentially detect the presence of the Android botnets or impact their behaviour.
• Kill processes: stop certain processes or services.
Pjapps listens for incoming SMS messages (Ballano 2011) and will drop the inbound messages if certain conditions are met. Skullkey disables certain security applications by using any available root commands and so avoids potential detection (Lennon 2013). Although the outcome of this attack strategy does not directly impact the smartphone user, it can cause increasing levels of inconvenience.
4. Android botnet evolution
Android botnets have grown rapidly since the discovery of Geinimi, the first Android botnet family to display botnet characteristics. In this section, an evolution-based study of representative Android botnet families is performed, showing the growth in sophistication of Android botnets. Specifically, the Geinimi, Bmaster, and MisoSMS families are chosen as they reflect the growth and current trend of Android botnets.
Geinimi is the first Android malware to display functionalities closely relating to those of traditional botnets. At the time of Geinimi's discovery, it was described as the most sophisticated Android malware to date and had the built-in capacity to execute 20 distinct commands (Castillo 2011). Besides the basic botnet functionality, Geinimi raised the complexity of Android malware significantly. The communication between the C&C server and the bots is encrypted using the DES encryption scheme and is disguised as legitimate HTTP POST requests. In addition, the domain names of the C&C servers are obfuscated, also using the DES encryption scheme (Strazzere and Wyatt 2011). However, security companies could not detect a fully operational C&C server, which limited the ability to forward commands to the infected smartphones (Castillo 2011). Despite the limitations of Geinimi, the increasing sophistication provided by the malware paved the way for future developments of Android botnets.
The Bmaster malware was first highlighted by Xuxian Jiang during February 2012 as a new Android botnet (Jiang 2012). As mentioned earlier, the motivation behind the design of Bmaster is purely financial. Revenue generation occurred primarily through premium SMS messages, telephone calls, and video services, which were limited to networks of China's two largest mobile carriers. This revealed that the botnet mostly targeted users in China and was thus only available for download from third-party Chinese markets. Analysis of the C&C servers of Bmaster exposed hundreds of thousands of smartphones that have been infected during the life span of the botnet. Bmaster is capable of generating income up to $9000 per day, allowing the botmaster to obtain massive revenue from the botnet activities (Mullaney 2012).
MisoSMS is one of the newest Android botnets and is quickly becoming the largest Android botnet to date. MisoSMS moved away from the traditional mobile botnet methods and leverages modern techniques and infrastructure. The C&C infrastructure of MisoSMS is the first to use e-mail as a C&C channel and comprises more than 450 unique malicious e-mail accounts. The prime purpose of MisoSMS is to steal personal SMS messages from the infected smartphones and transmit these messages, via the e-mail accounts, to attackers located in China. At the time of writing this paper, all of the identified malicious e-mail accounts have been deactivated and security companies are continuing to monitor this threat (Pidathala et al. 2013).
The arrival of the Geinimi botnet family transformed the Android malware landscape, creating new opportunities to develop innovative mobile botnets. The first innovation was the Bmaster botnet family, which remained undiscovered for approximately 5 months while generating massive revenue for the botmaster. The evolution of Android botnets has now led to MisoSMS, a highly sophisticated Android botnet that moved away from traditional botnet techniques and followed a directed approach to target the Korean public.
The evolution-based study emphasises the importance of improved mobile security and illustrates the rapidly changing threat landscape of Android botnets.
5. Conclusion
The popularity of the Android operating system, combined with the advances in smartphone technology, allowed Android malware to grow exponentially over the past five years. Leading this growth burst are Android botnets, which pose significant challenges to security companies attempting to detect their presence. To effectively mitigate and defend against the rapid growth of Android botnets, an insightful understanding of their functionality is required. The characterisation of existing Android botnet families and a subsequent evolution-based study of representative ones provide the necessary intelligence required for the development of anti-botnet solutions. Firstly, the characterisation shows that most of the existing Android botnet families (65%) use repackaging for propagation but recent families are moving away from this traditional method and instead use masquerading, e-mails or spam SMS messages. Secondly, the characterisation also indicates that the preferred attack strategies for Android botnets are information reaping and monetary gain. Finally, the evolution analysis of representative Android botnet families shows the rapid development and increased complexity, which will continue to pose challenges for adequate detection. Future work will continue to focus on the identification of new Android botnet families and development of detection techniques.
References
Alcatel-Lucent. (2014) "Kindsight Security Labs malware report - Q4 2013", [online], Alcatel-Lucent, http://www.tmcnet.com/tmc/whitepapers/documents/whitepapers/2014/9861-kindsight-security-labs-malwarereport-q4-2013.pdf.
Ballano, M. (2011) "Android Threats Getting Steamy", [online], Symantec Security Response, http://www.symantec.com/connect/blogs/android-threats-getting-steamy.
Baumgartner, K., Raiu, C. and Maslennikov, D. (2013) "Android Trojan Found in Targeted Attack", [online], Securelist, http://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/.
Castillo, C.A. (2011) "Android Malware Past, Present, and Future", [online], McAfee White Paper, http://www.mcafee.com/us/resources/white-papers/wp-Android-malware-past-present-future.pdf.
Chien, E. (2011) "Motivations of Recent Android Malware", [online], Symantec, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/motivations_of_recent_android_malware.pdf.
Dharmdasani, H. and Pidathala, V. (2014) "Android.MisoSMS: Its Back! Now with XTEA", [online], FireEye, http://www.fireeye.com/blog/technical/malware-research/2014/03/android-misosms-its-back-now-with-xtea.html.
Grunzweig, J. (2011) "NickiSpy.C - Android Malware Analysis & Demo", [online], http://blog.spiderlabs.com/2011/10/nickispyc-an-analysis.html.
Jiang, X. (2012) "Security Alert: New Rootsmart Android Malware Utilizes the GingerBreak Root Exploit", [online], NC State University, http://www.csc.ncsu.edu/faculty/jiang/RootSmart/.
Katsuki, T. (2011) "Android.Adrd Versus Android.Geinimi", [online], Symantec Security Response, http://www.symantec.com/connect/blogs/androidadrd-versus-androidgeinimi.
Kumar, M. (2012) "TigerBot - SMS Controlled Android Malware Stealing Information", [online], The Hacker News, http://thehackernews.com/2012/04/tigerbot-sms-controlled-android-malware.html.
Lennon, M. (2013) "First Malicious Apps Targeting Android 'Master Key Vulnerability' Found in the Wild", [online], Security Week Network, http://www.securityweek.com/first-malicious-apps-targeting-android-master-key-vulnerabilityfound-wild.
Mullaney, C. (2012) "Android.Bmaster: A Million-Dollar Mobile Botnet", [online], Symantec Security Response, http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet.
Murphy, T. (2013) "40 Years After the First Cell Phone Call: Who Is Inventing Tomorrow's Future?", Consumer Electronics Magazine, IEEE, Vol. 2, No. 4, pp 44-46.
Pidathala, V., Dharmdasani, J.Z. and Bu, Z. (2013) "MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages", [online], FireEye, http://www.fireeye.com/blog/technical/botnet-activitiesresearch/2013/12/misosms.html.
Pieterse, H. (2014) "Design of a Hybrid Command and Control Mobile Botnet", MSc Dissertation, University of Pretoria.
Rivera, J. and Van der Meulen, R. (2014) "Gartner Says Annual Smartphone Sales Surpassed Sales of Feature Phones for the First Time in 2013", [online], Gartner Inc., http://www.gartner.com/newsroom/id/2665715.
Rogers, M. (2013) "To Tibet, with Love", [online], The Official Lookout Blog, https://blog.lookout.com/blog/2013/03/28/totibet-with-love/.
Samson, T. (2013) "Update: McAfee: Cyber criminals using Android malware and ransomware the most", [online], InfoWorld Tech Watch, http://www.infoworld.com/article/2614854/security/update-mcafee-cyber-criminals-usingandroid-malware-and-ransomware-the-most.html.
Ruiz, F. (2012) "Android/NotCompatible Looks Like Piece of PC Botnet", [online], McAfee Blog Central, http://blogs.mcafee.com/mcafee-labs/androidnotcompatible-looks-like-piece-of-pc-botnet.
Seltzer, L. (2012) "New Drive-By Android Trojan Attacks Mobile Users", [online], InformationWeek, http://www.informationweek.com/mobile/mobile-devices/new-drive-by-android-trojan-attacks-mobile-users/d/did/1104181.
Strazzere, T. and Wyatt, T. (2011) "Geinimi Trojan Technical Teardown", [online], Lookout Mobile Security, https://blog.lookout.com/_media/Geinimi_Trojan_Teardown.pdf.
Tinaztepe, E., Kurt, D. and Güleç, A. (2013) "Android OBAD - Technical Analysis Paper", [online], Comodo, https://www.comodo.com/resources/Android_OBAD_Tech_Reportv3.pdf.
Wong, G. (2011) "BaseBridge: new Android malware has been busy", [online], übergizmo, http://www.ubergizmo.com/2011/05/basebridge-new-android-malware/.
Zeng, Y. (2012) "On detection of current and next-generation botnets", PhD thesis, University of Michigan.
Zhou, Y. and Jiang, X. (2012) "Dissecting android malware: Characterization and evolution", IEEE Symposium on Security and Privacy (SP), pp 95-109.
Heloise Pieterse and Ivan Burke
Defence, Peace, Safety and Security, Council for Scientific and Industrial Research, Pretoria, South Africa
Ivan Burke is an MSc student in the department of Computer Science at the University of Pretoria, South Africa. He also works full time at the Council of Scientific and Industrial Research South Africa in the department of Defense Peace Safety and Security, where he works within the Command, Control and Information Warfare research group.
Heloise Pieterse is currently employed as a researcher within the Command, Control and Information Warfare research group at the Council of Scientific and Industrial Research. She completed her MSc Computer Science degree in 2014 and her interests include information security and mobile devices.
Copyright Academic Conferences International Limited 2015