An OpenBTS GSM replication jail for mobile malware

Axelle Apvrille Fortinet

  download slides (PDF)

There is one golden rule in the anti-virus industry that all AV analysts are very cautious about: making sure they do not spread samples which are under study. On PCs, vendors commonly use replication hosts in a very restricted environment (virtual machines, firewalls, limited network connection etc).

Unfortunately the task is more complicated on mobile phones, because fewer tools are available and because nearly all viruses assume they have either GSM or Internet connection to operate correctly.

We have consequently built a fake GSM operator using the open source OpenBTS project to help us analyse mobile malware live while being sure the malicious programs are not inadvertently propagated on the network of a real operator.

This paper explains how we set up our GSM network and then how to use it for the analysis of mobile malware. Using recent mobile malware samples, we show how to trace calls or sniff SMS messages. We also enhance this GSM network with a firewalled wifi and explain how to deal with more advanced mobile malware which communicate with remote hosts on the Internet. Finally, we conclude with the current limitations and future work concerning this replication architecture.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.