In the world of the Internet of Things (IoT), where devices are interconnected at every level, from wearables to smart homes and cities to large industries and critical infrastructures, security plays a central role with no margin for error. The IoT is easily one of the most versatile technologies in existence today: it provides a network infrastructure with interoperable communication protocols and software tools that connect smart devices to the internet. The ubiquity of the internet and the growing capacity of network connections make the IoT scalable and adaptable; however, the growing reality of the IoT also brings consequences. According to many studies, IoT networks face several security challenges such as authentication/authorization, information leakage, privacy, tampering, etc. This increases the risk of a device being attacked and, once a single device is compromised, intruders are able to take a number of actions on the hacked device and also at the network level.

An effective IoT device needs sensors, actuators and a radio frequency (RF) or network interface module that allows data exchange via the internet. Considering this, smartphones are arguably the most versatile IoT devices, and almost everybody has one. Mobile applications running on smartphones can leverage the IoT data connectivity supported by their array of sensors to enable a variety of innovative use cases. The number of smartphone users worldwide today surpasses three billion and is forecast to grow further by several hundred million in the next few years[1]. Android and iOS (Apple) are the two main operating systems found on smartphones, with Android holding more than 70% of the market share. With these numbers, it is not surprising that attackers target the Android ecosystem, as exploiting vulnerabilities there would compromise a large user base.

As of February 2021, there were more than 3 million applications (apps) on the Google Play Store (the main market for Android apps)[2]. Since the purpose of these apps is to fulfill users' needs, including banking, communication, social networking, gaming, etc., they inevitably handle both sensitive and non-sensitive user information. This attracts cybercriminals, who target the mobile ecosystem because of the information it handles, usually by exploiting vulnerabilities in apps written by other developers or by designing their own apps to steal user information. As a result, the number of malicious applications (Android malware) found on mobile devices has increased.

Figure 1: Number of malware samples over the last ten years[3]

Figure 1 presents the trend in the number of malware samples over the last ten years. The increasing number of samples has attracted the attention of the research community, which investigates techniques for the characterization/classification of malware and for its early detection.

In the Cyber-Trust project, the detection of malicious activity at the device level is done by the Smart Device Agent (SDA), which mainly monitors the performance, network and other activity of the IoT device (e.g., an Android smartphone). It is worth mentioning that other techniques and third-party solutions can also be integrated so that their detection capacity is used as well; however, this is not part of the current focus. While the experimental evaluation is done using malware running on Android OS, the SDA methodology is more generic and can be adapted to other operating systems (it has already been developed for Linux and Windows) and to other embedded (IoT) systems that host an OS.

The main functionality of the SDA is to periodically check the monitoring parameters and exchange them with the monitoring service. For each class of devices, the monitoring metrics/data have been classified into three categories: (a) metrics related to performance, such as CPU and memory usage; (b) metrics related to the network, such as open ports; and (c) the monitoring of binary files to ensure the integrity of the firmware and of critical OS files.

The experimental evaluation of device-level attacks is done on mobile devices, specifically on Android OS. The SDA takes the form of an Android mobile app that can run in the background and collect monitoring data. The user (through the app) can enable and disable the monitoring of one or more data families. Figure 4 presents the related section of the SDA app.

Device Monitoring through the Smart Device Agent

The current version of the SDA Android app supports the monitoring of four types of metrics/parameters. As already mentioned, the monitoring data are sent to the monitoring service for the detection of variations and abnormalities.

  • Network Monitoring
    • Network Statistics: Periodically checks the trend of network traffic (RX/TX bytes) exchanged by the device. Tools: ifconfig, netcfg
    • Opened Ports and Active Connections: The monitoring agent checks for any newly opened connections. The activity on network connections is logged for the identification of any abnormalities. Tools: netstat
  • Performance Monitoring
    • Runtime State: Monitoring of the performance of the device. The metrics focus mainly on CPU, RAM and storage usage. The detection of abnormal activity is mainly based on rules that set the thresholds of values under normal operation. Tools: Java library for native Android development
  • Packages and Active Processes
    • Installed Packages: The installed packages are monitored in order to detect any update done by the user. When a new app is installed or removed, this is captured by the monitoring tool. Furthermore, the signature of the package is calculated. Tools: pm, md5
    • Active Processes: Periodically, the SDA checks for new processes activated by the user. Tools: lsof
  • Critical OS and Firmware Integrity Check
    • Binary Integrity: Based on a list of critical files, the SDA periodically checks for any updates/changes to the monitored binaries. The integrity check is based on signatures that are calculated and stored in Cyber-Trust components. Tools: md5
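To make the three metric categories described earlier and the per-metric checks listed above concrete, here is an added Python example. It is not code from the Cyber-Trust project or the SDA app; it performs one polling round of each check (RX/TX trend, newly opened listening ports, performance thresholds, and binary integrity) over inputs constructed inline. The ifconfig and netstat output, the file contents, the threshold percentages and the 500,000-byte TX limit are all assumptions made for the illustration, and sha256 is used as the default digest in place of the md5 the page lists (md5 remains selectable through the `algo` parameter).

```python
"""Added illustration of the Smart Device Agent (SDA) monitoring checks.

All inputs are constructed inline to stand in for the output of the tools the
page lists (ifconfig, netstat, pm, md5); nothing here reads a real device.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# (a) Network statistics: RX/TX byte counters from ifconfig-style text.
_RX_TX = re.compile(r"RX bytes:(\d+).*?TX bytes:(\d+)", re.DOTALL)

def parse_rx_tx(ifconfig_text: str) -> Tuple[int, int]:
    """Return (rx_bytes, tx_bytes) parsed from ifconfig-style output."""
    m = _RX_TX.search(ifconfig_text)
    if m is None:
        raise ValueError("no RX/TX counters in input")
    return int(m.group(1)), int(m.group(2))

def traffic_alerts(prev: Tuple[int, int], curr: Tuple[int, int],
                   max_tx_delta: int) -> List[str]:
    """Flag a polling interval whose outbound byte growth exceeds the limit."""
    tx_delta = curr[1] - prev[1]
    if tx_delta > max_tx_delta:
        return [f"network: TX grew by {tx_delta} bytes (limit {max_tx_delta})"]
    return []

# (b) Opened ports: LISTEN sockets from netstat-style lines, diffed with a baseline.
def listening_ports(netstat_text: str) -> Set[Tuple[str, int]]:
    """Collect (proto, port) for every TCP socket in LISTEN state."""
    ports: Set[Tuple[str, int]] = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[5] == "LISTEN":
            ports.add((cols[0], int(cols[3].rsplit(":", 1)[1])))
    return ports

def port_alerts(baseline: Set[Tuple[str, int]],
                current: Set[Tuple[str, int]]) -> List[str]:
    """Any listening socket absent from the baseline is reported."""
    return [f"network: new listening socket {proto}/{port}"
            for proto, port in sorted(current - baseline)]

# (c) Runtime state: threshold rules (percent) describing normal operation (assumed values).
THRESHOLDS: Dict[str, float] = {"cpu": 85.0, "ram": 90.0, "storage": 95.0}

def performance_alerts(sample: Dict[str, float],
                       thresholds: Dict[str, float] = THRESHOLDS) -> List[str]:
    """Report each metric whose sampled value is above its rule threshold."""
    return [f"performance: {k} at {sample[k]:.0f}% exceeds {thresholds[k]:.0f}%"
            for k in thresholds if sample.get(k, 0.0) > thresholds[k]]

# (d) Package and binary integrity: stored signatures vs. fresh digests.
# The page names md5; sha256 is the default here because md5 is collision-prone.
def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()

def build_baseline(files: Dict[str, bytes], algo: str = "sha256") -> Dict[str, str]:
    """Signatures to store on the Cyber-Trust side for the monitored files."""
    return {path: digest(data, algo) for path, data in files.items()}

def integrity_alerts(stored: Dict[str, str], files: Dict[str, bytes],
                     algo: str = "sha256") -> List[str]:
    """Compare each monitored file's current content with its stored signature."""
    alerts = []
    for path, expected in stored.items():
        if path not in files:
            alerts.append(f"integrity: monitored file missing: {path}")
        elif digest(files[path], algo) != expected:
            alerts.append(f"integrity: digest changed: {path}")
    return alerts

# Constructed sample data (not captured from any device).
PREV_IFCONFIG = "wlan0  RX bytes:1000 (1000.0 B)  TX bytes:500 (500.0 B)"
CURR_IFCONFIG = "wlan0  RX bytes:1200 (1.2 KiB)  TX bytes:600500 (586.4 KiB)"
BASELINE_NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.5:44310 203.0.113.7:443 ESTABLISHED"""
CURRENT_NETSTAT = BASELINE_NETSTAT + "\ntcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN"
BASELINE_FILES = {"/system/bin/sh": b"constructed-sh", "/system/bin/toybox": b"constructed-toybox"}
CURRENT_FILES = {"/system/bin/sh": b"constructed-sh-modified", "/system/bin/toybox": b"constructed-toybox"}

def run_checks() -> List[str]:
    """One SDA polling round over the constructed samples; returns the alerts raised."""
    alerts: List[str] = []
    alerts += traffic_alerts(parse_rx_tx(PREV_IFCONFIG), parse_rx_tx(CURR_IFCONFIG), 500_000)
    alerts += port_alerts(listening_ports(BASELINE_NETSTAT), listening_ports(CURRENT_NETSTAT))
    alerts += performance_alerts({"cpu": 92.0, "ram": 40.0, "storage": 70.0})
    alerts += integrity_alerts(build_baseline(BASELINE_FILES), CURRENT_FILES)
    return alerts

if __name__ == "__main__":
    for alert in run_checks():
        print(alert)
```

In a real agent the previous RX/TX counters, the set of known listening ports and the file signatures would be persisted between polls (the page places the signatures in Cyber-Trust components), and each alert would be forwarded to the monitoring service rather than printed. Keeping every check as a function that returns a list of alerts makes the rules easy to test in isolation and to tune per device class.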