Cross-platform Mobile Malware: Write Once, Run Everywhere

Every day, thousands of new mobile apps are published on mobile app stores including Google Play and iOS App Store. While many of them are native apps, others are cross-platform mobile apps or HTML-based hybrid apps developed using various cross-platform mobile development tools. Native apps for Android and iOS are usually written using Android SDK and XCode tools respectively, but malware authors have plenty of choices when it comes to writing or repacking mobile malware that targets multiple platforms. At SophosLabs, we have seen an increase in the number of malicious apps written with cross-platform development tools such as PhoneGap. These pieces of malware hide their malicious code in HTML fi les or specifi c containers loaded by cross-platform frameworks instead of the platform’s native binaries. Considering the platform-independent characteristics, it is possible to foresee that more mobile malware and PUA families will be released across different mobile platforms including Android, iOS and Windows Mobile. Many game apps have been developed with cross-platform tools such as Unity and Cocos2d. Each tool generates its own executable format that can be used to package hidden malicious payloads. As a result, security researchers will face greater challenges to analyse and detect these pieces of mobile malware. This paper will research the feasibility of new cross-platform mobile malware. We will also analyse the package structures of such malware, discuss the technical issues and fi nally suggest a solution to the problem.