Mobile botnets meet social networks: design and analysis of a new type of botnet

  • Regular Contribution
International Journal of Information Security

Abstract

The ubiquitous nature of smartphone services and the popularity of online social networking can be a lethal combination that spreads malware and computer viruses in a quick and efficient manner to a large number of Internet users. In this article, we propose a new cellular botnet named SoCellBot that exploits online social networks (OSNs) to recruit bots and uses OSN messaging systems as communication channels between bots. Our proposed botnet is the first that uses the OSN platform as a means to recruit and control mobile cellular bots. The structure and characteristics of OSNs make this botnet harder to detect, more resilient to bot failures and more cost-effective to cellular bots. We present a comprehensive study of this new type of botnet in this article. We first analyze the characteristics of the botnet via simulations. We then present an analytical model to estimate the number of infected users (smart phones) over time. We also provide a real-life implementation of the botnet on a small-scale social network as proof of concept. Finally, we study and recommend effective mechanisms to detect recruitment malware spread by such a botnet in its early stages of propagation. The objective of this work is to raise awareness of new mobile botnets that exploit OSNs to recruit and control bots so that preventive measures can be implemented to deter this kind of attack in the future.

References

  1. Facebook Inc.: Facebook reports third quarter 2012 results. http://investor.fb.com/

  2. Mulliner, C., Seifert, J.-P.: Rise of the iBots: owning a telco network. In: Proceedings of 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 71–80 (2010)

  3. Traynor, P., Lin, M., Ongtang, M., Rao, V., Jaeger, T., McDaniel, P., La Porta, T.: On cellular botnets: measuring the impact of malicious devices on a cellular network core. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09. ACM, New York, NY, USA, pp. 223–234 (2009)

  4. Singh, K., Sangal, S., Jain, N., Traynor, P., Lee, W.: Evaluating Bluetooth as a medium for botnet command and control. In: Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, pp. 61–80 (2010)

  5. Zeng, Y., Shin, K.G., Hu, X.: Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In: Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM, pp. 137–148 (2012)

  6. Xiang, C., Binxing, F., Lihua, Y., Xiaoyi, L., Tianning, Z.: Andbot: towards advanced mobile botnets. In: Proceedings of the 4th USENIX Conference on Large-scale Exploits and Emergent Threats, LEET’11. USENIX Association, Berkeley, CA, USA, pp. 11–11 (2011)

  7. Faghani, M., Saidi, H.: Malware propagation in online social networks. In: Proceedings of International Conference on Malicious and Unwanted Software (MALWARE), pp. 8–14 (2009)

  8. Kortjan, N., von Solms, R.: Cyber security education in developing countries: a South African perspective. In: Jonas, K., Rai, I.A., Tchuente, M. (eds.) e-Infrastructure and e-Services for Developing Countries, pp. 289–297. Springer Berlin Heidelberg, Berlin (2013)

  9. Thomas, K., Nicol, D.: The Koobface botnet and the rise of social malware. In: Proceedings of 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 63–70 (2010)

  10. Kaspersky Labs: Facebook malware poses as Flash update, infects 110k users (2015)

  11. FireEye: HAMMERTOSS: Stealthy tactics define a russian cyber threat group. https://goo.gl/LGCfqa

  12. ESET: First Twitter-controlled Android botnet discovered. https://goo.gl/oAa1gn

  13. Cisco: Introducing ROKRAT. https://goo.gl/vnVwfX

  14. MalwareBytes: Telecrypt—the ransomware abusing telegram API - defeated!. https://goo.gl/CG2YFN

  15. Kaspersky: Skygofree: Following in the footsteps of HackingTeam. https://goo.gl/U9Xz87

  16. Wojciech: Command and control server in social media (Twitter, Instagram, Youtube + Telegram). https://goo.gl/pMFzWW

  17. Kartaltepe, E.J., Morales, J.A., Xu, S., Sandhu, R.: Social Network-Based Botnet Command-and-Control: Emerging Threats and Countermeasures, pp. 511–528. Springer Berlin Heidelberg, Berlin (2010)

  18. Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., Borisov, N.: Stegobot: a covert social network botnet. In: Proceedings of the 13th International Conference on Information Hiding, IH’11. Springer, Berlin, Heidelberg, pp. 299–313 (2011)

  19. Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: The socialbot network: when bots socialize for fame and money. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC’11. ACM, New York, NY, USA, pp. 93–102 (2011)

  20. Stein, T., Chen, E., Mangla, K.: Facebook immune system. In: Proceedings of the 4th Workshop on Social Network Systems, SNS’11. ACM, New York, NY, USA, pp. 8:1–8:8 (2011)

  21. Zhang, J., Zhang, R., Zhang, Y., Yan, G.: On the impact of social botnets for spam distribution and digital-influence manipulation. In: 2013 IEEE Conference on Communications and Network Security (CNS), pp. 46–54 (2013)

  22. Compagno, A., Conti, M., Lain, D., Lovisotto, G., Mancini, L.V.: Boten ELISA: A novel approach for botnet C&C in online social networks. In: 2015 IEEE Conference on Communications and Network Security (CNS), pp. 74–82 (2015)

  23. Xu, W., Zhang, F., Zhu, S.: Toward worm detection in online social networks. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC’10. ACM, New York, NY, USA, pp. 11–20 (2010)

  24. Tubi, M., Puzis, R., Elovici, Y.: Deployment of DNIDS in social networks. In: Proceedings of IEEE Intelligence and Security Informatics, pp. 59–65 (2007)

  25. Yan, G., Chen, G., Eidenbenz, S., Li, N.: Malware propagation in online social networks: nature, dynamics, and defense implications. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS’11. ACM, New York, NY, USA, pp. 196–206 (2011)

  26. Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: Key challenges in defending against malicious socialbots. In: Presented as part of the 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (2012)

  27. Cao, Q., Yang, X., Yu, J., Palow, C.: Uncovering large groups of active malicious accounts in online social networks. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS’14. ACM, New York, NY, USA, pp. 477–488 (2014)

  28. Egele, M., Stringhini, G., Kruegel, C., Vigna, G.: Towards detecting compromised accounts on social networks (2015)

  29. Stringhini, G., Mourlanne, P., Jacob, G., Egele, M., Kruegel, C., Vigna, G.: Evilcohort: detecting communities of malicious accounts on online services. In: Proceedings of the 24th USENIX Conference on Security Symposium, SEC’15. USENIX Association, Berkeley, CA, USA, pp. 563–578 (2015)

  30. Facebook: ESET and Facebook partner to combat malware. https://goo.gl/rWDIUw

  31. Facebook: Protecting millions from malware with cleanup tools. https://goo.gl/sJwnrY

  32. Facebook: Working together to keep you secure. https://goo.gl/XFkom4

  33. Facebook: Better security through software. https://goo.gl/4XoYL3

  34. Nguyen, N.P., Yan, G., Thai, M.T., Eidenbenz, S.: Containment of misinformation spread in online social networks. In: Proceedings of the 4th Annual ACM Web Science Conference, WebSci’12. ACM, New York, NY, USA, pp. 213–222 (2012)

  35. FireEye: Information and insight on today’s advanced threats from the leader in advanced threat prevention. https://www.fireeye.com/blog.html

  36. Kaspersky: SecureList. https://securelist.com/

  37. SC Media: The Cyber-Security source. https://goo.gl/bZc85W

  38. Faghani, M.R., Nguyen, U.T.: Socellbot: a new botnet design to infect smartphones via online social networking. In: Proceedings of 25th IEEE Canadian Conference on Electrical Computer Engineering (CCECE), pp. 1–5 (2012)

  39. Holme, P., Kim, B.J.: Growing scale-free networks with tunable clustering. Phys. Rev. E 65(2), 026107 (2002)

  40. Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM’11. ACM, New York, NY, USA, pp. 3–14 (2011)

  41. Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: Proceedings of the Security and Privacy (SP), pp. 95–109 (2012)

  42. Department of Homeland Security: Threats to mobile devices using the Android operating system. https://goo.gl/XPtVOY

  43. Lange, M., Liebergeld, S., Lackorzynski, A., Warg, A., Peter, M.: L4Android: a generic operating system framework for secure smartphones. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM’11. ACM, New York, NY, USA, pp. 39–50 (2011)

  44. Bergman, N.: Abusing webview javascript bridges. http://bit.ly/1rB6DEO

  45. Hua, J., Sakurai, K.: A SMS-based mobile botnet using flooding algorithm. In: Proceedings of the 5th IFIP WG 11.2 International Conference on Information Security Theory and Practice: Security and Privacy of Mobile Devices in Wireless Communication, WISTP’11. Springer, Berlin, Heidelberg, pp. 264–279 (2011)

  46. Dekker, A.H.: Realistic social networks for simulation using network rewiring (extended abstract) (2007)

  47. Ahn, Y.-Y., Han, S., Kwak, H., Moon, S., Jeong, H.: Analysis of topological characteristics of huge online social networking services. In: Proceedings of the 16th International Conference on World Wide Web, WWW’07. ACM, New York, NY, USA, pp. 835–844 (2007)

  48. Bellm, E.: Visualizing social Facebook network. http://goo.gl/x7QRS1

  49. Mcauley, J., Leskovec, J.: Discovering social circles in ego networks. ACM Trans. Knowl. Discov. Data 8, 4:1–4:28 (2014)

  50. Newman, M.: Power laws, Pareto distributions and Zipf’s law. Contemp. Phys. 46(5), 323–351 (2005)

  51. Viger, F., Latapy, M.: Efficient and simple generation of random simple connected graphs with prescribed degree sequence. In: Proceedings of the 11th Annual International Conference on Computing and Combinatorics, COCOON’05. Springer, Berlin, Heidelberg, pp. 440–449 (2005)

  52. Ihaka, R., Gentleman, R.: R: A language for data analysis and graphics. J. Comput. Graph. Stat. 5(3), 299–314 (1996)

  53. Pajek: Pajek: analysis and visualization of large networks. http://goo.gl/v5ZvBO

  54. Kleinfeld, J.: Could it be a big world after all? the six degrees of separation myth. Society, April 12, 5–2 (2002)

  55. Sysomos: Six degrees of separation. http://goo.gl/IXLO

  56. Newman, M.E.J.: Mixing patterns in networks. Phys. Rev. E 67, 026126 (2003)

  57. Lee, W., Wu, X.: Cross-platform mobile malware, write once, run everywhere. In: Proceedings of International Virus Bulletin Conference (2015)

  58. Ross, S.M.: Introduction to Probability Models, Eleventh edn. Academic Press, Orlando (2014)

  59. Devroye, L.: Generating the maximum of independent identically distributed random variables. Comput. Math. Appl. 6(3), 305–315 (1980)

  60. National Vulnerability Database: CVE-2012-6636. https://goo.gl/Q6xdfK

  61. Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on webview in the android system. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC’11. ACM, New York, NY, USA, pp. 343–352 (2011)

  62. HumHub: A flexible open source social network kit. https://goo.gl/Ehp5G5

  63. Android: Android emulator. http://goo.gl/1jSbT

  64. Rapid7: Metasploit framework. http://goo.gl/6mAi89

  65. Thomas, D.R., Beresford, A.R., Coudray, T., Sutcliffe, T., Taylor, A.: The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface, pp. 126–138. Springer, Cham (2015)

  66. Attar, A.E., Khatoun, R., Birregah, B., Lemercier, M.: Robust clustering methods for detecting smartphone’s abnormal behavior. In: 2014 IEEE Wireless Communications and Networking Conference (WCNC), pp. 2552–2557 (2014)

  67. Jang, W.-J., Cho, S.-W., Lee, H.-W., ill Ju, H., Kim, J.-N.: Rooting attack detection method on the Android-based smart phone. In: 2011 International Conference on Computer Science and Network Technology (ICCSNT), vol. 1, pp. 477–481 (2011)

  68. Pieterse, H., Olivier, M.: Android botnets on the rise: trends and characteristics. In: Proceedings of Information Security for South Africa (ISSA), vol. 2012, pp. 1–5 (2012)

  69. Hubbard, J., Weimer, K., Chen, Y.: A study of SSL Proxy attacks on Android and iOS mobile applications. In: 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC), pp. 86–91 (2014)

  70. Dredge, D.: Don’t click on that porn video shared by a Facebook friend: it may be malware. http://goo.gl/y15gQt

  71. Gu, Y., McCallum, A., Towsley, D.: Detecting anomalies in network traffic using maximum entropy estimation. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement, IMC’05. USENIX Association, Berkeley, CA, USA, pp. 32–32 (2005)

  72. Newman, M.: Networks: An Introduction. Oxford University Press, New York (2010)

  73. Tang, J., Mascolo, C., Musolesi, M., Latora, V.: Exploiting temporal complex network metrics in mobile malware containment. In: Proceedings of the 2011 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, WOWMOM’11. IEEE Computer Society, Washington, DC, USA, pp. 1–9 (2011)

  74. Page, L., Brin, S., Motwani, R., Winograd, T.: The PageRank citation ranking: bringing order to the web. In: Proceedings of the 7th International World Wide Web Conference, Brisbane, Australia, pp. 161–172 (1998)

  75. Heidemann, J., Klier, M., Probst, F.: Identifying key users in online social networks: a PageRank based approach. In: Proceeding of 31st of International Information System Conference (2010)

  76. Arasu, A., Novak, J., Tomkins, A., Tomlin, J.: PageRank computation and the structure of the Web: experiments and algorithms. In: Proceedings of the Eleventh International World Wide (2002)

  77. Okamoto, K., Chen, W., Li, X.-Y.: Ranking of closeness centrality for large-scale social networks. In: Proceedings of the 2Nd Annual International Workshop on Frontiers in Algorithmics, FAW’08. Springer, Berlin, Heidelberg, pp. 186–195 (2008)

  78. Brandes, U.: A faster algorithm for betweenness centrality. J. Math. Sociol. 25(2), 163–177 (2001)

  79. National Vulnerability Database: CVE-2015-3864. https://goo.gl/Vl0ZBO

  80. National Vulnerability Database: CVE-2016-5195. https://goo.gl/XyOzcc

  81. Facebook: Facebook terms of service. https://goo.gl/uHywjH

  82. Twitter: Twitter terms of service. https://goo.gl/3PfjgO

  83. Immorlica, N., Jain, K., Mahdian, M., Talwar, K.: Click Fraud Resistant Methods for Learning Click-Through Rates, pp. 34–45. Springer Berlin Heidelberg, Berlin (2005)

Author information

Correspondence to Mohammad R. Faghani.

Appendices

Appendix A: Extension to the proposed model: multiple attackers

In a more sophisticated attack, there may be multiple fake profiles (attacker nodes) infiltrating into a social network at the same time, for example, to avoid a single point of failure. The case of multiple attackers can be implemented in several ways, as follows:

  • A bot can hold a list of multiple botmasters. When a bot receives a command from any of the listed botmasters, it can execute the provided command and return the results to the botmaster(s).

  • A bot can also retrieve a new list of botmasters by periodically visiting one or more web pages maintained by the attacker. This way, if many of the attackers’ accounts are blocked, a new set of botmaster accounts can be created and linked to the web page(s). To avoid single points of failure on those web pages themselves, the attacker can use domain generation algorithms (DGA) to hinder the detection of such web pages by network administrators.

  • A new botmaster can be chosen among the bots if another is blocked. This would require an “update” command from the attacker and a signature validation scheme. The “update” message must be signed by the attacker and validated by the bots, in order to avoid command and control channel hijacking by other adversaries or even by the network administrators.

To model the propagation of a recruitment malware in a scenario with multiple infiltrating nodes, we propose the following algorithm to estimate the number of new infections \(N_w\) in each wave. If we assume a highly pervasive malware, then each user v will be infected after \(d_v\) hops from one of the attackers, where \(d_v\) is the shortest distance from v to any of the attackers. In this case, the wave number w ranges from 1 to d, the network diameter.

We create a vector of d elements \(\{k_1, k_2, \dots , k_d\}\) and initialize all elements to zero. Assume that there are m attackers \(a_1, a_2, \dots , a_m\). For each user v in the network, we calculate the shortest path from v to each attacker \(a_i\), \(i = 1, 2, \dots , m\). Let \(d_{v,a_i}\) denote the length of this shortest path. We find the minimum of all the \(d_{v,a_i}\) values; that is, \(j = \min \limits _{i = 1 \dots m}\{d_{v,a_i}\}\). We then increment variable \(k_j\) by one.

After the algorithm terminates (i.e., all nodes have been processed as described above), we have \(N_w = k_w\), where \(w = 1, 2, \dots , d\). Note that \(\sum _{j = 1}^d k_j = V - m\).

To validate the above algorithm, which estimates the value \(N_w\) when there are multiple attackers, we performed simulations using the same setup and parameters as described in Sect. 4. The only difference is that in this experiment we randomly selected five nodes to be the attackers infiltrating into the network (\(m = 5\)). We plotted the graphs of \(N_w\) as the waves progress for \(q = 0.95\) (see Fig. 15). The graphs show that the model closely follows the simulation results. For example, when \(w = 2\), the \(N_w\) values are 2153 and 2259 from the model and the simulation, respectively, a difference of 372 or \(372/4039 \approx 2\%\) of the population (Fig. 15).
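As an added example (not code from the paper), the following Python implements the wave-count algorithm above as a multi-source breadth-first search: every user's minimum distance to any attacker is computed in one pass, and the histogram of those distances gives \(N_w\) for \(w = 1, \dots, d\). It also reports the cumulative share of users reached by wave w, the quantity behind the "within two steps of the infiltrating node" observations. The friendship graph, the attacker sets and the function names are constructed for this example; the paper's simulated network is connected, so unreachable users are only counted here as a sanity check on \(\sum_j k_j = V - m\).

```python
from collections import deque

# Constructed undirected friendship graph (adjacency lists), not the paper's
# simulated network: 12 users, a hub at node 0 and a second hub at node 10.
SAMPLE_GRAPH = {
    0: [1, 2, 3], 1: [0, 4], 2: [0, 5], 3: [0, 6],
    4: [1, 7], 5: [2, 8], 6: [3, 9], 7: [4, 10],
    8: [5, 10], 9: [6, 11], 10: [7, 8, 11], 11: [9, 10],
}


def min_distance_to_attackers(graph, attackers):
    """Multi-source BFS: d_v = min_i d(v, a_i) for every user v reachable
    from at least one attacker a_i. Attackers themselves get distance 0."""
    dist = {a: 0 for a in attackers}
    queue = deque(attackers)
    while queue:
        u = queue.popleft()
        for nb in graph.get(u, ()):
            if nb not in dist:          # first visit is the shortest path
                dist[nb] = dist[u] + 1
                queue.append(nb)
    return dist


def infections_per_wave(graph, attackers):
    """Return (k, unreachable): k[w-1] = N_w, the number of users whose
    minimum distance to any attacker is w, for w = 1..d where d is the
    largest such distance. Users no attacker can reach are counted
    separately; in a connected network sum(k) == V - m."""
    dist = min_distance_to_attackers(graph, attackers)
    d = max(dist.values(), default=0)
    k = [0] * d
    for dv in dist.values():
        if dv >= 1:                     # skip the m attacker nodes
            k[dv - 1] += 1
    unreachable = len(graph) - len(dist)
    return k, unreachable


def fraction_infected_by_wave(graph, attackers, w):
    """Cumulative share of the V - m non-attacker users infected after wave w."""
    k, _ = infections_per_wave(graph, attackers)
    targets = len(graph) - len(attackers)
    return sum(k[:w]) / targets if targets else 0.0


if __name__ == "__main__":
    for attackers in ([0], [0, 11]):
        k, lost = infections_per_wave(SAMPLE_GRAPH, attackers)
        share = fraction_infected_by_wave(SAMPLE_GRAPH, attackers, 2)
        print(f"m={len(attackers)} N_w={k} sum={sum(k)} "
              f"V-m={len(SAMPLE_GRAPH) - len(attackers)} unreachable={lost} "
              f"infected after 2 waves: {share:.0%}")
```

Adding a second attacker at the far side of the graph halves the diameter of the infection (d drops from 4 to 2), which is the resilience effect the multiple-attacker design aims for.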

Fig. 15: The case of multiple attackers (5 attackers, \(q = 0.95\)). (a) \(N_w\) over 8 waves

Appendix B: An implementation using Facebook Messenger

In order to demonstrate the feasibility of using OSN messaging systems to propagate and deliver command and control messages, we implemented a botnet whose recruitment is done via a self-propagating benign malware that leverages Facebook Messenger to deliver command and control messages. Similar to the approach discussed in Sect. 7, the malware exploits an existing vulnerability in a series of Android devices (CVE-2012-6636) [60].

In order to use an OSN messaging system to send and receive bot commands, the botmaster needs to escalate his/her privilege to the root level. Bergman [44] discusses several methods of privilege escalation to gain root access after exploiting CVE-2012-6636.

It is common for Android malware to escalate its privilege after gaining access to a mobile phone. Zhou and Jiang [41] reported that around one third of their 1260 collected malware samples (36.7%) leverage kernel-level exploits to gain root-level access after infection. RootSmart and DroidDream are two of the high-profile mobile botnets that escalate their privilege after infecting mobile phones to gain root-level access [66,67,68].

Fig. 16: A contained Facebook community to test the propagation of malware

B.1 Propagation Mechanism

We did not deploy our bots by exploiting CVE-2012-6636 on Facebook (or Twitter), as we might otherwise accidentally pose security threats to real-life users. Furthermore, Facebook and Twitter do not allow users to propagate malicious code on their platforms, as stated in their terms of service [81, 82]. In order to contain the experiment and to ensure that no real-life user would be affected by our benign malware, we created 10 Facebook accounts and hosted the malicious page on our local laboratory server, accessible only via our emulated Android systems while developing this proof of concept (PoC). Our implementation involves the following components:

  • A: OSN We created a tiny social network with 10 Facebook users, including the botmaster. The users are connected to each other using the algorithm defined by [39] with an average degree of 4.2. The users are logged into 10 different Facebook Messenger accounts, installed on Android emulators. Figure 16 shows the OSN network using the created profiles.

  • B: Exploit Page The botmaster hosts a page at an address (in our case, a local address) that exploits the CVE-2012-6636 vulnerability and pushes (“drops”) the malware payload onto the mobile phone.

  • C: Mobile Sets The mobile sets are emulated Nexus S devices using the Android Emulator [63] running Android version 4.1.2. Each user is associated with an emulated mobile set. The users use the native Android browser. Each user has the Facebook Messenger application installed on his/her Android device.

  • D: The Command and Control (C&C) Channel The botmaster communicates with bots via Facebook Messenger using the “dropped” malware.

Prior to launching the attack, the botmaster creates a web page that contains the CVE-2012-6636 exploit code. In the first step, using an infiltrated profile, the botmaster posts the URL of the exploit page to her friends via a group OSN messenger chat. In the second step, a friend of the infiltrating profile sees the URL and clicks on the link. In the third step, the friend’s Android browser runs the exploit code, which drops the payload onto the infected Android device. Finally, in the fourth step, the bot waits to receive commands from the botmaster through Facebook Messenger.

B.2 C&C Implementation

In our implementation, a bot uses Facebook Messenger to receive command and control messages. In order to receive commands, the bot monitors one of the locally stored databases on the infected Android phone, created by Facebook Messenger to cache the existing Messenger conversations (“chats”). This database is called threads_db2 and is located at data/data/com.facebook.orca/databases. This database is not encrypted and does not require credentials to access.

In particular, the bot monitors the threads table where column thread_key equals

figure b

The BMasterID and VictimID represent the unique Facebook ID of the botmaster and the infected Android user, respectively. The bot monitors this table and extracts the commands that are sent to execute them.

For the purpose of this PoC, we designed five commands for bots to receive. In our future work, we will expand the botnet capabilities to perform other tasks as well, based on different Android models.

Following are high-level descriptions of the five commands:

  1. Forward: Forward a malicious URL to all the friends

  2. Capture: Take a photo with the smartphone’s camera and send it back to the botmaster

  3. SMS: Send a particular text to a number using SMS (e.g., for fraud or advertisement purposes)

  4. Browse: Force the smartphone to visit a page

  5. Delete: Delete the commands sent by the botmaster to avoid detection

Following are the detailed descriptions of each command and its implementation on a Nexus S running Android 4.1.

1. Forward: This command is used to forward a (malicious) URL (MaliciousURL) inside a message (SampleBody) to all of the infected user’s friends. The syntax of the command is as follows:

To implement the command, the bot needs to pull out the list of the infected user’s friends from a locally stored database on the infected Android device. This database, called contacts_db2, is created by the Facebook Messenger app to cache Messenger contact information. It is located in the data/data/com.facebook.orca/databases folder and stores information in plain text. Within this database, there is a table called “contacts” where the contact information of each friend is stored. The bot then composes a group message and enters the first name and last name of each friend (retrieved from the “contacts” table) in the TO section of the composed message. At the end, the bot puts the

figure c

along with the

figure d

link (retrieved from the bot command) into the body of the message and sends it to the infected user’s friends. The following script shows the implementation of this method on our Android model:

figure e

2. Capture: This command forces the smartphone to take a picture and send it back to the botmaster with the following syntax:

\(\mathbf{BComm\ CPTR}\)

To implement the command, the bot opens up a chat message with the botmaster, activates the camera button via a simulated tap action on the screen, takes a picture and sends it to the botmaster. The following script shows the implementation of this command, where BMasterID represents the unique Facebook ID of the botmaster:

figure f

3. SMS This command forces the smartphone to send a text message to a number via SMS (e.g., for fraud or advertisement purposes). This command uses the following syntax:

The following script shows the implementation of this command, where PhoneNo and TextBody represent the phone number and the message to be sent, respectively.

figure g

4. Browse This command forces the smartphone browser to visit a page. This command could be used to launch denial-of-service attacks against a particular website, or to make money through advertisement fraud [83]. The botmaster sends the following command to the bot in order to force it to visit a web page:

The bot implements the following method to force the browser to visit a page:

figure h

5. Delete This command forces Facebook Messenger to delete the conversation between the bot and the botmaster in order to avoid detection in the future. Although this method should always be called after each command, there are cases where the botmaster may want to make sure that all past commands and responses are deleted. The syntax to invoke this command is as follows:

\(\mathbf{BComm\ DEL}\)

The following method implements the removal of the conversation from all the Facebook views, including Facebook Web Messenger.

figure i

We conducted our experiment using the social network shown in Fig. 16. In the first step, the infiltrating node controlled by the botmaster posted the malicious link via a composed message. An Android phone user received the message, clicked on the malicious link and became infected by the “dropped” malware. The same cycle continued until all the Android phones became infected. Our experimental results show that within two steps of the infiltrating node (the red node in Fig. 16), more than 60% of the population were infected, which is consistent with the result we observed in Sect. 7.

In our future work, we will enhance our bot features to include more commands along with more stealthy methods of communication. We will create custom payloads for different Android phones and will use more exploitation techniques to target different smartphone families.

Cite this article

Faghani, M.R., Nguyen, U.T. Mobile botnets meet social networks: design and analysis of a new type of botnet. Int. J. Inf. Secur. 18, 423–449 (2019). https://doi.org/10.1007/s10207-018-0412-6
