Detection of Suspicious Connections on Android Mobile Devices
Authors: Dragos Costea, N. Tapus
DOI: 10.1109/CSCS.2019.00058 (https://doi.org/10.1109/CSCS.2019.00058)
Published in: 2019 22nd International Conference on Control Systems and Computer Science (CSCS), May 2019
Citation count: 0
Abstract
Mobile devices are as vulnerable to being recruited into botnets as any other computing device. Attackers use domain generation algorithms (DGAs), which produce command-and-control domain names on the fly so they cannot be blocklisted in advance, to increase their chance of keeping control of a compromised device. To harden a user's defense against such attacks, this paper proposes a method for inspecting outgoing connections. DNS packets exchanged between the mobile device and the Internet are inspected, the queried domain names are extracted, and each name is classified as legitimate or suspicious based on lexical features drawn from the existing literature. Packet inspection requires no superuser privilege and minimal user interaction. The solution displays the connections a mobile device establishes, both with and without the user's consent. A performance analysis of the packet inspection process was carried out to understand and visualize CPU and memory usage together with the impact on user experience.
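The pipeline the abstract describes (pull the queried name out of a DNS packet, compute lexical features on it, score the result) as an added Python example. This is not the paper's code: the five features are ones commonly used in the DGA-detection literature, but the cut-offs, the tiny public-suffix table, the decision rule (three or more feature hits) and the sample packets are assumptions made for this demo, not values the paper reports.

```python
"""Lexical DGA screening of DNS queries: an illustrative example, not the
paper's code. Thresholds, the tiny suffix table and the sample traffic are
assumptions made for this demo, not values reported by the paper."""
import math
import struct
from collections import Counter

# Assumption: a few public suffixes so the registered label can be isolated;
# a real deployment would use the Public Suffix List.
KNOWN_SUFFIXES = {"com", "net", "org", "info", "io", "ru", "cn"}
VOWELS = set("aeiou")

def build_dns_query(domain: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal RFC 1035 query packet; used only to fabricate samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {domain!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def extract_qname(packet: bytes) -> str:
    """Return the first question name, lower-cased; malformed input raises ValueError."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length, pos = packet[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0:  # question names are never compressed; treat as hostile
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels)

def registered_label(domain: str) -> str:
    """The label just below the public suffix, e.g. 'google' in www.google.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 and parts[-1] in KNOWN_SUFFIXES else parts[-1]

def lexical_features(label: str) -> dict:
    """Lexical features common in DGA-detection work, computed on one label."""
    n = len(label) or 1  # avoid division by zero on an empty label
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    run = longest_run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest_run = max(longest_run, run)
    return {
        "length": len(label),
        "entropy": round(entropy, 3),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "max_consonant_run": longest_run,
    }

def classify_domain(domain: str) -> tuple:
    """Score the registered label against assumed cut-offs; 3+ hits is suspicious."""
    f = lexical_features(registered_label(domain))
    # long, high-entropy, digit-laden, vowel-poor, consonant-heavy (assumed cut-offs)
    hits = sum([f["length"] >= 12, f["entropy"] >= 3.5, f["digit_ratio"] >= 0.2,
                f["vowel_ratio"] <= 0.2, f["max_consonant_run"] >= 4])
    return ("suspicious" if hits >= 3 else "legitimate"), f

def inspect_packets(packets) -> list:
    """Classify every captured query; malformed packets are reported, not dropped."""
    results = []
    for pkt in packets:
        try:
            name = extract_qname(pkt)
        except ValueError as exc:
            results.append(("<malformed>", f"error: {exc}"))
            continue
        results.append((name, classify_domain(name)[0]))
    return results

# Constructed sample traffic: two ordinary lookups, one DGA-looking name and
# one packet truncated mid-label.
SAMPLE_PACKETS = [
    build_dns_query("www.google.com"),
    build_dns_query("cdn.cloudflare.net"),
    build_dns_query("xk3jq9wzpl4vmt7qa.com"),
    build_dns_query("api.example.org")[:20],
]

if __name__ == "__main__":
    for name, verdict in inspect_packets(SAMPLE_PACKETS):
        print(f"{name:28} {verdict}")
```

Two design points worth noting. Scoring only the registered label, rather than the full name, keeps hashed CDN or telemetry subdomains such as a long random host under a well-known zone from being flagged; the trade-off is that a DGA operating below a compromised legitimate zone would be missed. The parser also refuses compression pointers and truncated labels rather than trying to recover, because anything that parses untrusted packets without root still sits in the device's data path and must not be steerable into an out-of-bounds read or a parsing loop; on a phone, the per-query CPU cost of this loop is exactly the overhead the paper's performance analysis is measuring.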