Title: Preparing for Malware that Uses Covert Communication Channels: The Case of Tor-based Android Malware

Year of Publication: December 2014
Page Numbers: 85-96
Authors: Fragkiskos-Emmanouil Kioupakis, Emmanouil Serrelis
Conference Name: The International Conference in Information Security and Digital Forensics (ISDF2014) - Greece


The use of the Tor network has introduced a new malware paradigm that could also threaten mobile security and privacy. In recent months only two cases of Tor-enabled malware have been spotted in the wild. In both cases the malware used Tor for secondary operations and was not built around Tor from the ground up, which limited its potential impact. A more sophisticated malware that used Tor as its core communication channel would have a greater impact and potentially a longer period of illegal operation, while making its detection significantly harder. At the same time, no commercially available mechanism has been found embedded in any anti-malware software that can detect Tor connection initiation at its source. This identifies this specific type of malware as a significant threat in both personal and business environments. This paper aims to set the principles and provide a design-level proof of concept of a new Tor-based Android malware, along with a related detection mechanism. This effort can show that the risk is significant and that such malware can be an actual threat, with the aim of driving researchers and anti-malware vendors to include this type of malware in their research on anti-malware techniques.