An OpenBTS GSM replication jail for mobile malware

Axelle Apvrille Fortinet

  download slides (PDF)

There is one golden rule in the anti-virus industry that all AV analysts are very cautious about: making sure they do not spread samples which are under study. On PCs, vendors commonly use replication hosts in a very restricted environment (virtual machines, firewalls, limited network connection etc).

Unfortunately the task is more complicated on mobile phones, because fewer tools are available and because nearly all viruses assume they have either GSM or Internet connection to operate correctly.

We have consequently built a fake GSM operator using the open source OpenBTS project to help us analyse mobile malware live while being sure the malicious programs are not inadvertently propagated on the network of a real operator.

This paper explains how we set up our GSM network and then how to use it for the analysis of mobile malware. Using recent mobile malware samples, we show how to trace calls or sniff SMS messages. We also enhance this GSM network with a firewalled wifi and explain how to deal with more advanced mobile malware which communicate with remote hosts on the Internet. Finally, we conclude with the current limitations and future work concerning this replication architecture.