Title: Defending Against Android Malware that Uses Tor as Their Covert Communications Medium

Issue Number: Vol. 4, No. 4
Year of Publication: May - 2015
Page Numbers: 469-481
Authors: Fragkiskos – Emmanouil Kioupakis , Emmanouil Serrelis
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF) - Hong Kong
DOI: http://dx.doi.org/10.17781/P001705


The introduction of any new technology can pose various threats to the users of its applications. More specifically, the usage of the Tor network has introduced a new malware paradigm that could also threaten mobile security and privacy. In recent months there have been two cases of Android malware spotted in the wild that use the Tor network to conduct their malicious activities. In both cases, the malware used Tor for secondary operations and was not built around Tor from the ground up, limiting its potential impact. A new malware using Tor as a communication channel at its core would have an increased potential impact, along with being harder to detect by anti-malware mechanisms. This increased sophistication could also lengthen the period during which the malware performs its illegal operations. The lack of commercially available mechanisms, embedded in any anti-malware software, that can detect Tor connection initiation at its source identifies this specific type of malware as a significant threat in both personal and business environments. This paper aims to set the principles and provide a proof of concept at design level of a new Tor-based Android malware, along with a related detection mechanism. This effort can prove that the risk can be significant and that such malware can be an actual threat, aiming to drive researchers and anti-malware vendors to include this type of malware in their research on anti-malware techniques.