An OpenBTS GSM Replication Jail for Mobile Malware

There is one golden rule in the Anti-Virus industry that all AV analysts are very cautious about: making sure they do not spread the samples which are under study. On PCs, vendors commonly use replication hosts in a very restricted environment (virtual machines, firewalls, limited network connection, etc.). The task is unfortunately more complicated on mobile phones, because fewer tools are available and because nearly all viruses assume they have either a GSM or an Internet connection to operate correctly. We have consequently built a fake GSM operator using the open source OpenBTS project to help us analyze mobile malware live while being sure it is not inadvertently propagated onto the network of a real operator. This paper explains how we set up our GSM network and then how to use it for the analysis of mobile malware. Using recent mobile malware samples, we show how to trace calls or sniff SMS messages. We also enhance this GSM network with a firewalled wifi and explain how to deal with more advanced mobile malware that communicates with remote hosts on the Internet. Finally, we conclude with the current limitations and future work concerning this replication architecture.


References

Virus Bulletin 2011