Research Article
On Using Mobility to Propagate Malware
@INPROCEEDINGS{10.1109/WIOPT.2007.4480052,
  author={Sandeep Sarat and Andreas Terzis},
  title={On Using Mobility to Propagate Malware},
  proceedings={5th International ICST Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks},
  publisher={IEEE},
  proceedings_a={WIOPT},
  year={2008},
  month={3},
  keywords={Analytical models, Computational modeling, Computer science, Computer worms, Educational institutions, Humans, Personal digital assistants, Portable computers, Predictive models, Telescopes},
  doi={10.1109/WIOPT.2007.4480052}
}
Authors: Sandeep Sarat, Andreas Terzis
Year: 2008
Venue: WIOPT
Publisher: IEEE
DOI: 10.1109/WIOPT.2007.4480052
Abstract
Mobility can be exploited to spread malware among wireless nodes. In this paper, we present an analytical model for estimating the evolution of infections spanning multiple network domains that host mobile nodes. We validate the accuracy of the proposed model by comparing its predictions to simulations driven by realistic mobility patterns. Our results show that such a mobile infection requires less than a day to infect the majority of a mobile population with thousands of wireless nodes spanning hundreds of network domains. Moreover, if mobile nodes are allowed to infect nodes within the same domain that are connected to the wired network, then an even smaller number of mobile nodes can inflict comparable damage in similar time frames. Unfortunately, these infections generate negligible activity at global malware monitoring stations (e.g., network telescopes and honeypots), which contributes to their stealthiness. By observing the infection's spatial evolution we show that popular domains are infected during the early stages of the infection. This observation is likely to be useful in designing countermeasures against mobile infections. By placing monitors in approximately 10% of the most visited domains, we can detect the mobile worm before it reaches a majority of the population. Finally, we elucidate why simply placing telescopes in just the popular domains is not sufficient for early detection.