Zscaler Blog

Security Research

Twins Born In Different Years With Even Different Faces? PC-AV-in-cloud And Mobile-AV-in-cloud

THREATLABZ
January 18, 2013 - 2 min read

It is rare for twins to have different birthdays. But thanks to the rise of mobile malware, a set of twins has shown up with birth years of 2007 and 2013 respectively. Their names are PC-AV-in-cloud and Mobile-AV-in-cloud. It seems that the current mobile threat landscape looks very much like the PC one of years ago.

To effectively handle the scale and magnitude of new malware variants, AV functionality was moved from the user desktop into the cloud. In 2007, the first baby, PC-AV-in-cloud, was born amid arguments. Does the paper “why in-the-cloud scanning is not a solution” at VB 2009 ring a bell?

Not finished yet! The mobile platform has become a new target for attackers. Traditional virus mass-production tricks are being cloned into the mobile threat landscape. More and more malware authors use encrypted strings and code obfuscation to frustrate manual reverse engineering. They reuse the techniques they developed for PCs years ago (rootkits, botnets, and even mobile packers?) directly on mobile devices. As a result, Android malware is adopting traditional malware techniques at a fast pace (apkfuscator, for example). Security vendors are busy extending their cloud-based security infrastructure with mobile scanning cloned from the PC counterpart. It looks like we are going to have a new baby, Mobile-AV-in-cloud, in 2013. Are you ready for this?

Unfortunately, anti-virus designed for PC desktops does not work well on the mobile platform because of battery constraints, limited internet bandwidth, limited computation capability, and the need for constant pattern updates. Recent research has shown that mobile AV engines can be easily fooled by simple code obfuscation, with detection rates dropping sharply. To make things worse, there are design challenges in implementing in-the-cloud scanning on mobile devices. When the client software cannot determine whether a suspicious application is malicious, it sends the application, or information about it, to the cloud. Server-side polymorphism, which makes every downloaded file a unique version, will force the client to send files constantly, and the battery constraint becomes a serious issue.
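To make the polymorphism problem concrete, here is an added simulation (not code from the original post or from Zscaler) of a device-side in-the-cloud scanning client. The sample format, the `serve_polymorphic_download` server, the cloud verdict service and the two cache-key strategies are all constructed for this example. The client caches verdicts locally and uploads a sample only on a cache miss; keying the cache on the whole-file hash means every polymorphic download is a miss, while keying on a normalized stable region (here the toy "code" region) lets the device answer from cache.

```python
import hashlib
import random
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed toy sample format (an assumption for this example, not a real
# APK): a stable "code" region plus a "resources" region that a polymorphic
# server regenerates for every download.
Sample = Dict[str, bytes]

FAMILY_CODE = b"constructed-malicious-dex-bytes"  # stands in for the real code region


def serve_polymorphic_download(rng: random.Random) -> Sample:
    """Simulate a server handing out a byte-unique file on every download."""
    return {"code": FAMILY_CODE, "resources": rng.randbytes(64)}


def exact_key(sample: Sample) -> str:
    """Whole-file SHA-256: what a naive in-the-cloud client would look up."""
    h = hashlib.sha256()
    h.update(sample["code"])
    h.update(sample["resources"])
    return h.hexdigest()


def code_region_key(sample: Sample) -> str:
    """SHA-256 over the stable region only (assumed normalization strategy)."""
    return hashlib.sha256(sample["code"]).hexdigest()


# Cloud side: assumed to have the compute to classify by the code region, so it
# returns a verdict for any variant of the family regardless of the resources.
CLOUD_KNOWN_MALICIOUS = {code_region_key({"code": FAMILY_CODE, "resources": b""})}


def cloud_verdict(sample: Sample) -> str:
    """Constructed cloud lookup: malicious if the code region is a known family."""
    return "malicious" if code_region_key(sample) in CLOUD_KNOWN_MALICIOUS else "clean"


@dataclass
class CloudScanClient:
    """Device-side client: local verdict cache keyed by key_fn; a miss costs an
    upload (radio time and battery on a phone)."""
    key_fn: Callable[[Sample], str]
    cache: Dict[str, str] = field(default_factory=dict)
    uploads: int = 0
    bytes_uploaded: int = 0

    def scan(self, sample: Sample) -> str:
        key = self.key_fn(sample)
        if key in self.cache:
            return self.cache[key]
        # Cache miss: ship the sample to the cloud and remember the answer.
        self.uploads += 1
        self.bytes_uploaded += len(sample["code"]) + len(sample["resources"])
        verdict = cloud_verdict(sample)
        self.cache[key] = verdict
        return verdict


def simulate(key_fn: Callable[[Sample], str], downloads: int = 50, seed: int = 1) -> dict:
    """Upload statistics for `downloads` polymorphic downloads of one family."""
    rng = random.Random(seed)
    client = CloudScanClient(key_fn=key_fn)
    verdicts = [client.scan(serve_polymorphic_download(rng)) for _ in range(downloads)]
    return {
        "downloads": downloads,
        "uploads": client.uploads,
        "bytes_uploaded": client.bytes_uploaded,
        "all_detected": all(v == "malicious" for v in verdicts),
    }


if __name__ == "__main__":
    for name, fn in (("whole-file hash", exact_key), ("code-region hash", code_region_key)):
        print(name, simulate(fn))
```

With the whole-file key every one of the 50 downloads is uploaded; with the code-region key only the first is. The caveat a practitioner should keep in mind is that the normalized key only helps while the polymorphism stays outside the region the client hashes; once the code region itself is obfuscated per download, which is exactly what the obfuscation research cited above describes, the device is back to uploading everything or missing detections.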

Security vendors face various challenges in the architectural design, implementation, and validation of mobile anti-malware. New techniques need to be designed to handle the constraints of the mobile platform. Zscaler's ZAP (Zscaler Application Profiler) is a web-based tool designed to streamline the capture and analysis of HTTP(S) traffic from mobile applications. ZAP is capable of analyzing traffic from both iOS and Android applications and includes the following functionality.

For additional details on how to use ZAP and view a video walkthrough, please see the ThreatLabZ blog.
