
Observing the Presence of Mobile Malwares using Low-Interaction Honeypot
Wira Zanoramy A. Zakaria, Faiszatulnasro Mohd Maksom, Kilausuria Abdullah
MyCERT, Cybersecurity Malaysia
Level 7, SAPURA@MINES, Jalan Tasik, The Mines Resort City
43300 Seri Kembangan, Selangor, Malaysia
{wira, faiszatulnasro, suria}@cybersecurity.my

Abstract: The large user base of mobile devices, such as smartphones and tablets equipped with high-speed Internet connectivity and an abundance of apps, has made these portable yet powerful computing devices an interesting target for cyberattackers. Based on incident reports received by MyCERT, there is a rising trend of malware attacks on mobile platforms. The ubiquity, fast response and lack of protection of these devices have more or less helped the spread of cyberthreats on mobile devices. This paper reviews and investigates the use of low-interaction honeypots for detecting and learning about mobile malware.

I. INTRODUCTION

In the age of mobile computing, with smartphones, tablets, smart devices and smart applications (or, in contemporary shorthand, apps), users and businesses communicate seamlessly. Day by day these mobile gadgets become more capable of doing what we normally do on a PC or notebook, such as online banking, cloud-based spreadsheets, word processing and online shopping. This is of course supported by the existence of the Internet, which promotes the migration of many types of businesses into the Internet realm. Fast interaction, availability, and time and cost effectiveness are some of the contributing factors in this scenario. Many types of services are offered on the Internet, including banking, government, education, retail, entertainment, news, job-matching and cloud storage, to name a few.

Almost fifteen years back, we interacted with an online banking website, for instance, by using a web browser on a PC or notebook. Nowadays, after the introduction of smartphones and tablets, there is an expanding trend of developing mobile applications (mobile apps) that represent a new way of interacting with web applications. A smartphone or tablet preinstalled with a mobile banking app makes personal banking even easier. Any user with access to the Google Play Store or Apple Store can install the app on their device to assist them in their banking activities.

Malware is a term coined from the words malicious and software. It is a piece of software built by malware authors with the intention of doing harm to users, data, networks and computing resources [1]-[5]. Mobile malware is not a newly created threat; it has been around since the Symbian age. It is reported that a proof-of-concept malware named Cabir was released in 2004 [6]. Table I below shows malware-related cyber incident cases reported to MyCERT by the Internet community and security organizations worldwide from 2013 to 2015. The most reported malware variant is Eggdrop bot/psybnc. This is a popular IRC bot that was originally intended to help manage and protect channels from takeover attempts and other forms of IRC war. The criminals controlling these botnets usually target servers running installations such as CPanel/WHM, WordPress Akismet, Joomla, the Open Flash Chart library (ofc_upload_image.php) and ccmail. Mumblehard is a malware for Linux/BSD operating systems that installs a backdoor, giving the malicious actors full access to the infected system and allowing execution of arbitrary code. This is followed by HEUR:Trojan.Script.Generic, Zeus and Ebury. HEUR:Trojan.Script.Generic can spread through the Internet and attack vulnerabilities in scripts; besides that, an affected server could affect all the computers it covers at once. Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It carries out many malicious and criminal tasks and is used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Ebury is an SSH rootkit/backdoor trojan for Linux and Unix-style operating systems (like FreeBSD or Solaris).

The most reported ransomware variant is Cryptowall 3.0, compared to the other variants, namely Cryptolocker 3.0 and CTB Locker. Various variants of bots have been reported which could possibly perform DDoS and cyber attacks against financial institutions. Those reports have involved compromised websites, fraudulent signups and botnet controllers. GameOver Zeus (GOZ), Dridex and Dyre have been reported to use the compromised infrastructure mainly to steal banking credentials. Even though these statistics are relatively small compared to other countries with larger populations, the impact of an infection on an infected server or computer is still significant.

978-1-5090-1543-6/16/$31.00 ©2016 IEEE


TABLE I
MALWARE CASES REPORTED TO MYCERT FROM 2013 - 2015

Type                               Total cases
Eggdrop bot/psybnc                 96
Mumblehard                         40
Trojan.Script.Generic              36
ZeuS                               26
Ebury SSH rootkit                  24
Cryptowall 3.0                     17
TurkBot                            14
Brobot botnet                      14
Cryptolocker 3.0                    6
CTB locker                          5
Worm/Downadup                       4
GameOver Zeus                       3
Dridex                              3
Dyre malware                        3
Tofsee botnet                       3
Spambot                             3
Downloader.Generic10.AGXJ           2
Trojan-Banker.Win32.ChePro.ink      2
Trojan.DNSChanger                   2
Trojan-Ransom.Win32.Blocker.haod    1
Nuclear & Angler EK Infection       1
Backdoor.Win32.Androm.hirq          1

Nowadays, with the increasing number of mobile device consumers, the mobile platform is becoming an interesting target for this kind of threat [6][7]. This is one of the reasons why there is a rapid increase in the number of reported malware cases. Malware poses one of the most serious threats on the Internet [8]. Viruses, trojan horses, worms, ransomware, backdoors, rootkits, spyware, adware and botnets are some examples of malware. Users and computer systems affected by malware become the launch pad for cyber criminals to do more harm, such as stealing user credentials and financial information, spamming, executing distributed denial of service (DDoS) attacks and so on [8][9].

Mobile malware targets mobile platforms and usually sneaks in in the form of trojan mobile apps or malicious APKs. These apps impersonate valid apps, such as banking apps and games, but in fact have malicious intentions towards the user, the device and the data within the device. Due to a lack of security and technical awareness, naive users easily fall victim to this kind of app. Besides that, it is also quite hard to identify which are the genuine and clean apps in a pool of apps in a repository. On a daily basis, users of mobile devices, and the devices themselves, are exposed to all kinds of malicious apps that may trigger damage and data leakage. In addition to this, some mobile devices are not even equipped with updated anti-malware software that could at least give preliminary protection to the device and the data it contains.

TABLE II
REPORTED MALWARE SOURCES OF ATTACK FOR 2013 - 2015

Reports                2013   2014   2015
Email                     3      9     32
Network                  69    158    131
PC/Server/Notebook       71     43    116
Social network site       -      -      4
Smartphone                1      8     11
Website                  44     90     74

TABLE III
MOBILE MALWARE INCIDENTS CLASSIFIED BY MOBILE PLATFORM

Platform               2013   2014   2015
Android                   1      4      4
iOS                       -      -      1
Windows Phone             -      -      1

A. How Mobile Platform Got Infected?

As we can see in Table II, Android-based devices are the most targeted platform. Fig. 1 shows one possible approach used by attackers to launch an attack on mobile devices. In this scenario, the victim is initially deceived in his PC web browser. Later, the victim is lured into installing the malicious mobile app on his mobile device.

First, the user's PC is infected with malware, and then the malware shows a message requesting the user to download the mobile app, which is actually a malicious app. The request usually arrives on the user's mobile device in the form of a text message containing a URL that links to an unknown and untrusted source. The user clicks the link, and the app is downloaded and installed.

Fig. 1. An example flow of how a mobile device got infected with a malware

Once the malicious mobile app is successfully installed on the device, the attacker can control both the user's PC and mobile phone. The malicious mobile app communicates with the C&C server and the malware on the user's PC for further actions, such as sending an activation code for the user to type into the web

browser, receiving the transaction approval SMS from the legitimate server and sending the approval SMS to the victim's device.

B. Threats of Mobile Malwares

Malicious mobile apps, or mobile malware, when installed and executed on a device, can gain administrator access and completely take over the smartphone's functionality. Later, the malware can proceed with unauthorized credit transfers and send SMSes to the list of contacts available on the device; in some cases it is able to send premium SMS messages. The impact of this is that the user is charged an expensive bill. Some malware is capable of turning the device into a zombie that forms part of a large bot network. For example, it is reported that 93% of mobile malware samples found are related to botnets [10].

Nowadays, phishing attacks use more advanced techniques in which the phishers make use of a malicious mobile app to assist their phishing campaign. In this type of attack, a user visits a fake banking website. The website requires the user to install a fake banking app on their device by providing a URL to the fake app hosted online. By using the fake banking app for their banking needs, the user is lured into giving away his account credentials to the phishers. This kind of attack has been discovered by some CERTs around the world as early as 2011.

Trojan apps are malicious apps packaged together with a valid application. They usually have the ability to gain administrator access, steal the user's personal information and communicate with the malicious app's author. This is part of the effort to harvest user information and account credentials. Meanwhile, a banking trojan app has the capability to steal the user's online banking credentials.

Once inside the device, mobile ransomware encrypts the data on the memory card associated with the mobile device and shares the information with the command and control (C&C) server. Ransomware is a type of malware created with the intention of encrypting user data with a secret key and later extorting money from the user in order to regain access to the data.

This paper is further organized as follows. Section II describes the background of honeypots, their capabilities, categories and deployment approaches. Section III discusses related work in the domain of utilizing honeypots to identify, detect and learn about mobile malware. Section IV provides the discussion on why low-interaction honeypots are a good solution for realizing mobile honeypots. Finally, the paper concludes in Section V, where we discuss possible future work for this research.

II. HONEYPOT OVERVIEW

As security attacks become more robust and sophisticated over time, a different approach to trapping and learning about attacks is an important complement. Deception is one of the latest approaches to studying cyberthreat trends. A honeypot is an information system resource, or trap, deployed inside a network purposely to be probed and exploited [6][11][12][13]. This is done with the understanding that every attack can be studied through a compromised host. Furthermore, the investigation done on the compromised host can also be used as proof. A honeypot is another great tool for learning about the latest attack patterns, tactics and tools used by attackers.

Honeypots are resources purposely set up in the network in order to attract attackers and at the same time capture their tools and techniques without the attacker's consent [11]. After deployment, honeypots are meant to have no production activity on them. The reason behind this is to make a clear assumption that any interaction captured by the honeypot is malicious. Any detected activity on the honeypot is assumed to be a probe, scan or attack. The value of a honeypot comes from its ability to capture these activities.

This technology plays an important role as it provides descriptive information about attackers' tactics and techniques when they compromise computer systems and networks. This information is essential in giving us a deep understanding of the motives of the attackers and of the skills and tools they use to intrude into and compromise networks. By identifying the capabilities and tactics of the attackers, network administrators can also discover vulnerabilities in their network. Precautions and improvements can then be taken to increase the security of the network environment in order to prevent the same attacks from happening again in the future.

A. Deployment Approaches

Honeypots are set up to blend closely into the network with other production hosts. The main objective is to attract attackers to probe and compromise the honeypots. Honeypots can be built in many forms: as a physical machine or a virtual machine (VM).

A physical honeypot is a real computing platform assigned an IP address, for example a mail server installed with Ubuntu Linux running a mail service.

Virtual-machine-based honeypots can be built using virtualization software such as VMware Workstation and VirtualBox. With virtual machines, honeypots can be created with any type of operating system.

B. Categories of Honeypot

Honeypots are classified based on their level of interaction. The word interaction here means the degree of communication the attacker is allowed in order to exploit the honeypot. The more an attacker can do with a honeypot, the more information the honeypot can collect from the attacker; however, the more risk the

honeypot will most likely have. There are two types of honeypot: low-interaction and high-interaction.

A low-interaction honeypot has the lowest interaction capability with an attacker and is also the simplest honeypot to set up. This type of honeypot only provides minimal services and usually takes the form of a virtual host with emulated services. Examples of low-interaction honeypots are Honeyd, Nepenthes, Dionaea, Glastopf, Conpot and Thug [14]. All of these tools were released as open source and can freely be used and modified for specific purposes. In the context of this research work, this kind of honeypot is easier to implement on mobile devices due to its simplicity and minimal resource requirements. This fits the nature of mobile devices, which run on smaller versions of OSes with limited hardware capability.

A high-interaction honeypot offers attackers a real operating system with a list of running services. High interaction here means that the attacker can execute many possible malicious activities on the honeypot. This feature enables security practitioners to collect an extensive amount of information from the attacker's malicious activities. This information can be used to study clearly the attacker's behavior, tools, motives and even identity. The ability to gather a huge amount of data is the main advantage of high-interaction honeypots. Security practitioners need a certain level of expertise and experience in order to run this type of honeypot. A honeynet is an example of a high-interaction honeypot.

III. RELATED WORKS ON MOBILE HONEYPOTS

With the aim of learning more about the threats of mobile malware and how it infects mobile devices, security researchers started to deploy deception-based approaches such as honeypots. The honeypots were deployed on mobile devices specifically designed to lure this kind of threat. In the history of honeypot research, honeypots have proven to do a great job of detecting, tracking and capturing malware [15][16].

A group of researchers proposed the idea of scattered or nomadic honeypots [10]. Due to the popularity of smartphones, they have become an interesting target for cyber criminals. In order to detect and learn about this kind of threat, the researchers figured out a way to deploy honeypots on mobile devices such as smartphones. These mobile honeypots act as a cyber intelligence infrastructure for mobile network operators to harvest threat information. They work like intelligence, gathering all the information on threats.

Users whose smartphones are configured as nomadic honeypots move the devices to interesting venues, scan malicious Quick Response (QR) codes and install malicious applications. Technically, the mobile device involved is logically divided into two separate partitions. The first partition contains the mobile OS with minimal changes. Meanwhile, the other partition on the device contains the setup for the nomadic honeypot. This partition is the location for the data collection (sensors), snapshot and logging functions, equipped with a secure backchannel to the network operator. Using the Fiasco.OC microkernel and virtual machines materializes the separation of the partitions [10].

Another paper produced by the same group of researchers developed HoneyDroid, a smartphone honeypot built for the Android operating system [10][12]. In their approach, the mobile honeypot is built using a real piece of hardware instead of an emulated environment. In their poster paper, they listed four major challenges of deploying a mobile honeypot: monitoring, audit logging, containment and visibility [12]. HoneyDroid is designed to run on real hardware with a full suite of mobile communication capabilities such as voice calls, GPRS, SMS and MMS. The justification for offering this many services on the honeypot is to increase the possibility of it being targeted for attack, compromised and exploited.

Honeypot-To-Go is a generic and portable low-interaction honeypot created for mobile devices with the objective of detecting the activity of malware in wireless network environments [13]. Since it is already known that malware propagates throughout the network via certain protocols, the authors made full use of this behavior as the concept behind Honeypot-To-Go.

Fig. 2. The deployment of mobile honeypot and data collection server

IV. DISCUSSION

In the context of this research work, a low-interaction honeypot is easier to implement on mobile devices due to its simplicity, manageability and minimal resource requirements. This fits the nature of mobile devices, which usually run on smaller versions of OSes with limited hardware capability. As far as this research is concerned, a high-interaction honeypot is a very complex and resource-consuming solution, which is not suitable for deployment on mobile platforms. Fig. 2 shows a structure for mobile honeypot deployment.
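The following Python example is added here to make two points of the paper concrete; it is not code from this paper or from any of the projects it cites. It shows a low-interaction sensor of the kind Section II.B describes (a fake service banner and nothing more, where every connection is recorded as hostile and classified only as a bare probe or as a connection that delivered a payload) feeding a central collector like the data collection server of Fig. 2. The sensor name, the fake SMTP banner, the loopback addresses and the client payloads are constructed for the demonstration, and an in-memory SQLite table stands in for the centralized database.

```python
"""Low-interaction honeypot sensor with a central collector (added example).

Not the paper's code or any cited project's. The sensor id, the fake SMTP
banner, loopback addresses and client payloads are constructed for the demo.
"""
import json
import socket
import socketserver
import sqlite3
import threading
import time

BANNER = b"220 mail.example.invalid ESMTP ready\r\n"  # constructed fake greeting
MAX_CAPTURE = 512   # bytes of attacker input kept per connection
READ_TIMEOUT = 1.0  # seconds to wait for input before giving up


def make_record(sensor_id, peer, payload, ts=None):
    """Turn one captured interaction into a log record.

    A honeypot has no production role, so every connection is treated as
    hostile. We only distinguish a bare connect ("probe") from one that sent
    data ("payload") and store the bytes; nothing received is ever executed.
    """
    return {
        "sensor": sensor_id,
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "kind": "payload" if payload else "probe",
        "bytes": len(payload),
        "data_hex": payload[:MAX_CAPTURE].hex(),
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Emulates just enough of a service to elicit the peer's first bytes."""

    def handle(self):
        self.request.sendall(BANNER)
        self.request.settimeout(READ_TIMEOUT)
        payload = b""
        try:
            while len(payload) < MAX_CAPTURE:
                chunk = self.request.recv(256)
                if not chunk:      # peer closed: stop reading
                    break
                payload += chunk
        except socket.timeout:
            pass                   # silent peer: still recorded, as probe or partial payload
        rec = make_record(self.server.sensor_id, self.client_address, payload)
        self.server.records.append(rec)
        self.server.collector.ingest(rec)


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, sensor_id, collector):
        super().__init__(addr, HoneypotHandler)
        self.sensor_id = sensor_id
        self.collector = collector
        self.records = []


class Collector:
    """Central store fed by many sensors; in-memory sqlite stands in for the database."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path, check_same_thread=False)
        self.lock = threading.Lock()
        self.db.execute("CREATE TABLE IF NOT EXISTS events (sensor TEXT, ts REAL,"
                        " src_ip TEXT, src_port INTEGER, kind TEXT, bytes INTEGER, data_hex TEXT)")

    def ingest(self, rec):
        with self.lock:
            self.db.execute("INSERT INTO events VALUES (:sensor, :ts, :src_ip, :src_port,"
                            " :kind, :bytes, :data_hex)", rec)
            self.db.commit()

    def summary(self):
        """Event counts per (sensor, kind): the first view an analyst wants."""
        with self.lock:
            rows = self.db.execute(
                "SELECT sensor, kind, COUNT(*) FROM events GROUP BY sensor, kind").fetchall()
        return {(s, k): n for s, k, n in rows}


def run_sensor_once(sensor_id, collector, client_payloads):
    """Start a sensor on a free loopback port, drive it with constructed client
    payloads (the peer side, in-process), stop it, and return its records."""
    srv = HoneypotServer(("127.0.0.1", 0), sensor_id, collector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        for payload in client_payloads:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
                c.recv(len(BANNER))         # consume the fake banner
                if payload:
                    c.sendall(payload)
                c.shutdown(socket.SHUT_WR)  # EOF tells the handler we are done
                c.recv(1)                   # wait for the handler to close
    finally:
        srv.shutdown()
        srv.server_close()  # joins handler threads, so every record is in
    return list(srv.records)


if __name__ == "__main__":
    coll = Collector()
    for r in run_sensor_once("sensor-demo", coll, [b"", b"EHLO probe\r\n"]):
        print(json.dumps(r))
    print(coll.summary())
```

Running the file starts a sensor on a free loopback port, drives it with one bare connect and one connection that sends data, and prints the two records and the per-sensor summary. Capturing only the first bytes and never acting on them is what keeps the sensor low-interaction and cheap enough for a resource-constrained device, and because all state lives in the collector, a sensor that is compromised or lost can simply be replaced by a fresh instance.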

The data collected by the scattered mobile honeypots is stored in a centralized database. A larger set of mobile deployments might be needed in order to get a better chance of being exploited and to get a larger set of collected data.

The use of virtualization segregates the mobile OS and the honeypot module in the form of VM(s). A compromised mobile honeypot VM can easily be replaced without affecting the real mobile OS that runs the device.

V. CONCLUSION

Due to the steep growth of mobile devices and mobile apps available in the market, it is predicted that the threats on these devices will keep increasing in the future. MyCERT is aware of the existence of multiple variants of mobile malware and the advancing level of sophisticated attacks, especially towards mobile users. For future work, we will realize this deployment of mobile honeypots to capture and learn about the malware that is targeting mobile devices.

REFERENCES

[1] Vasilomanolakis, E., Karuppayah, S., Fischer, M., Mühlhäuser, M., Plasoianu, M., Pandikow, L., & Pfeiffer, W. (2013). This network is infected: HosTaGe - a Low-Interaction Honeypot for Mobile Devices. ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, 43-48. doi:10.1145/2516760.2516763
[2] Wählisch, M., Trapp, S., Keil, C., Schönfelder, J., Schmidt, T. C., & Schiller, J. (2012). First insights from a mobile honeypot. Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication - SIGCOMM '12, 305. doi:10.1145/2342356.2342422
[3] Gelenbe, E., Gorbil, G., Tzovaras, D., Liebergeld, S., Garcia, D., Baltatu, M., & Lyberopoulos, G. (2013). Security for smart mobile networks: The NEMESYS approach. 2013 IEEE Global High Tech Congress on Electronics, GHTCE 2013, 63-69. doi:10.1109/GHTCE.2013.6767242
[4] Liebergeld, S., Lange, M., & Mulliner, C. (2013). Nomadic Honeypots: A Novel Concept for Smartphone Honeypots. Workshop on Mobile Security Technologies (MoST '13), in conjunction with the 34th IEEE Symp. on Security and Privacy.
[5] Kramer, S., & Bradfield, J. C. (2010). A general definition of malware. Journal in Computer Virology, 6(2), 105-114. doi:10.1007/s11416-009-0137-1
[6] Oliveira, V., Abdelouahab, Z., Lopes, D., Santos, M. & Fernandes, V. (2013). HONEYPOTLABSAC: A Virtual Honeypot Framework for Android. International Journal of Computer Networks & Communications, 5(4), 159-172.
[7] Dimjasevic, M., Atzeni, S., Ugrina, I., & Rakamaric, Z. (2015). Android Malware Detection Based on System Calls. Uucs.
[8] Uppal, D., Sinha, R., Mehra, V., & Jain, V. (2014). Exploring Behavioral Aspects of API Calls for Malware Identification and Categorization. 2014 International Conference on Computational Intelligence and Communication Networks, 824-828. doi:10.1109/CICN.2014.176
[9] Chang, J., Venkatasubramanian, K. K., West, A. G., & Lee, I. (2013). Analyzing and defending against web-based malware. ACM Computing Surveys, 45(4), 1-35.
[10] Liebergeld, S., Lange, M., & Mulliner, C. (2013). Nomadic Honeypots: A Novel Concept for Smartphone Honeypots. Workshop on Mobile Security Technologies (MoST '13), in conjunction with the 34th IEEE Symp. on Security and Privacy.
[11] Wählisch, M., Trapp, S., Keil, C., Schönfelder, J., Schmidt, T. C., & Schiller, J. (2012). First insights from a mobile honeypot. Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication - SIGCOMM '12, 305.
[12] Mulliner, C., Liebergeld, S., & Lange, M. (2011). Poster: Honeydroid - creating a smartphone honeypot. IEEE Symposium on Security and Privacy.
[13] Vasilomanolakis, E., Karuppayah, S., Fischer, M., Mühlhäuser, M., Plasoianu, M., Pandikow, L., & Pfeiffer, W. (2013). This network is infected: HosTaGe - a Low-Interaction Honeypot for Mobile Devices. ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, 43-48.
[14] Watson, D. (2015). Low Interaction Honeypots Revisited, https://www.honeynet.org/node/1267
[15] Zhuge, J., Holz, T., Han, X., Song, C., & Zou, W. (2007). Collecting autonomous spreading malware using high-interaction honeypots. Information and Communications, 438-451.
[16] Baecher, P., Koetter, M., Holz, T., Dornseif, M., & Freiling, F. (2006). The nepenthes platform: An efficient approach to collect malware. Recent Advances in Intrusion Detection, 165-184.

