Defending Mobile Phones from Proximity Malware

As mobile phones increasingly become the target of propagating malware, their use of direct pair-wise communication mechanisms, such as Bluetooth and WiFi, pose considerable challenges to malware detection and mitigation. Unlike malware that propagates using the network, where the provider can employ centralized defenses, proximity malware can propagate in an entirely distributed fashion. In this paper we consider the dynamics of mobile phone malware that propagates by proximity contact, and we evaluate potential defenses against it. Defending against proximity malware is particularly challenging since it is difficult to piece together global dynamics from just pair-wise device interactions. Whereas traditional network defenses depend upon observing aggregated network activity to detect correlated or anomalous behavior, proximity malware detection must begin at the device. As a result, we explore three strategies for detecting and mitigating proximity malware that span the spectrum from simple local detection to a globally coordinated defense. Using insight from a combination of real-world traces, analytic epidemic models, and synthetic mobility models, we simulate proximity malware propagation and defense at the scale of a university campus. We find that local proximity-based dissemination of signatures can limit malware propagation. Globally coordinated strategies with broadcast dissemination are substantially more effective, but rely upon more demanding infrastructure within the provider.