Malware on Smartphones and Tablets: The Inconvenient Truth
TRANSCRIPT
© 2016 IBM Corporation
Shaked Vax, Trusteer Products Strategist, IBM Security
Agenda
• Mobile is everywhere – mobile threats
• A look at mobile malware
• Threat landscape
  – iOS
  – Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar
Mobile Access to Everything
Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013). 19% of customers won't mobile bank because of security fears.
All businesses are leveraging mobile these days as a main communication channel with customers, as well as a collaboration and productivity tool for employees.
• In banking:
  – Mobile banking is the most important deciding factor when switching banks (32%)
  – More important than fees (24%), branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S. (1)
• However, for many end-users, security concerns are a main inhibitor to adoption
• And apparently… for a good reason.
Mobile Malware Threats Scope
Line of Business Threats (Customer Facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account takeover (from / using mobile)
• 2nd-factor authentication circumvention
Enterprise Threats (Employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP
  – Files
  – Photos of whiteboard drawings
  – Recordings of phone calls / meetings
• Using stolen data to perform actions on the employee's behalf
  – Send mail/SMS
  – Perform phone calls
Threats for Individuals
• Monetary losses
  – Ransomware
  – Premium-rate SMS/calls
  – App purchases
• Privacy loss
  – Mobile RATs
  – InfoStealers
  – Extortionware
• Device abuse
  – Advertisement hijacking
  – Illicit use of bandwidth, CPU
Common outcomes across these groups: sensitive information stealing; using the mobile device/channel to perform attack/fraud; monetary loss to the user.
Anatomy of a Mobile Attack – How to Get In?
Attack surface: Data Center
• Web server: platform vulnerabilities, server misconfiguration, cross-site scripting (XSS), cross-site request forgery (CSRF), weak input validation, brute-force attacks
• Database: SQL injection, privilege escalation, data dumping, OS command execution
Attack surface: Network
• Wi-Fi (no/weak encryption), rogue access point, packet sniffing, man-in-the-middle (MitM), session hijacking, DNS poisoning, SSL stripping, fake SSL certificate
Attack surface: Mobile Device
• Browser: phishing, pharming, clickjacking, man-in-the-middle (MitM), buffer overflow, data caching
• Phone/SMS: baseband attacks, SMishing
• Apps: sensitive data storage, no/weak encryption, improper SSL validation, dynamic runtime injection, unintended permission granting
• Operating system: no/weak passcode, iOS jailbreak, Android root, OS data caching, vendor/carrier-loaded OS/apps, no/weak encryption
Threat Landscape - iOS
Apple's Walled Garden – Security by Design
Looking at the Apple ecosystem "as designed": legitimate devices without jailbreak.
• Only Apple controls the App Store
  – No "alternative market" support*
  – Apple reviews all apps
  – Apple can remove apps and ban developers
• iOS enforces integrity
  – Boot chain is signed
  – Only signed code can be installed and executed
• iOS sandbox
  – Process memory isolation
  – Filesystem isolation
  – Some operations require entitlements (e.g., change passcode, access camera)
Infection Vectors of Non-JB Devices
• Enterprise provisioning ($299/year, valid credit card, D-U-N-S number)
• Distributed mostly via link (email/webpage/SMS), or USB
• Legitimate use
  – MDM providers and "alternative markets" to some degree
  – Other "alternative" markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks
Pop quiz: which of the pop-ups shown on the slide is legit?
Infection Vectors of Non-JB Devices (continued)
• XcodeGhost (September 2015)
  – Infected apps through a rogue app development environment, targeted at credential stealing
  – 300 (or more…) rogue apps removed by Apple from the App Store
What Can Be Done Inside the Garden (non-JB)?
• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
  – Masque attack – replacing a legitimate app with another app
    • Trojanized versions of social apps found in Hacking Team's leak (August 2015)
Example of Trojanized Facebook App behavior
What Can Be Done Inside the Garden (non-JB)? (continued)
• Private APIs and vulnerabilities (continued)
  – Hiding apps
  – Running in background → background keylogging
  – Running on boot
  – Taking screenshots
  – Simulating screen/button presses
  – Blocking OCSP (Online Certificate Status Protocol)
  – Privilege escalation / sandbox escape
What Can Be Done Inside the Garden (non-JB)? (continued)
• APT/malware
  – RCS (2015) – installs an alternative keyboard for keylogging, plus trojanized apps
  – WireLurker (2014) – installs additional apps (Chinese game, 3rd-party App Store client, comic reader)
  – Find and Call (2012) – steals the user's contacts
• Apple usually responds fast, eliminating the apps from the App Store
Jailbreak Land
• What is the jailbreak process?
  – Disables iOS enforcements / sandbox
  – Introduces 3rd-party application stores (e.g., Cydia)
• Worldwide general estimation (2014): ~8% of all devices are jailbroken; in China: ~14%
• Trusteer stats (2015) show only 0.15%; however, this may be attributed to the fact that jailbreak is detected and enforced against by most customers
• Jailbreak hiders attempt to hide the device state
  – xCon
  – FLEX
• Infection vectors of JB devices
  – Rogue apps via 3rd-party App Stores
  – USB (WireLurker, CloudAtlas)
Malware for Jailbroken Devices
• APT / targeted attacks
  – Hacking Team RCS – steals contacts, calendar, screen; monitors user inputs, location, network traffic; remote exploit to crack the device passcode
  – Xsser mRAT – Chinese trojan that steals device info, SMS and emails; installed via rogue Cydia
  – CloudAtlas – steals device information, contacts, accounts, Apple ID, …
  – XAgent "Pawn Storm" – steals SMS, contacts, photos, GPS location, installed apps, Wi-Fi status; remotely activates audio recording
  – WireLurker – from the PC, trojanizes installed apps; steals contacts, SMS, iMessages, Apple ID, device serial
• "Non-enterprise" malware
  – Unflod "Baby Panda" – Chinese trojan that steals Apple ID and password
  – AdThief – hijacks advertisements of installed apps for revenue
Threat Landscape - Android
Android Infection Vectors
• Link via SMS/email (may contain exploits)
  – E.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware
  – DeathRing, Mouabad, "Coolpad" backdoor
  – Most common in Asia, some appearances in Spain and Africa
• Physical access by the attacker (PC kit to deploy malware)
• USB from an infected PC (e.g., DroidPak, WireLurker, Android RCS)
Android Infection Vectors (continued)
• Remote exploit
  – 95% of Android devices exposed to the Stagefright vulnerability
  – In July 2015 ~28% of devices had OS 4.3 or lower, which is vulnerable to AOSP Browser & Master Key (4 years old!)
• App markets – alternative markets and official Google Play
Android Mobile Store Malware Infection Rates
Android Infection Vectors (continued)
• Apps could deploy malware, weaponize, use exploits or have trojanized functionality
Android Malware Types
• RATs – commercial or underground surveillanceware
  – Tens of variants
  – Some publicly available, some in the underground, one is even open source
• Network proxy – NotCompatible malware family
• InfoStealers – keyloggers, overlay malware
The Appearance of PC-Grade Mobile Malware
• "GM Bot" / "Mazar Banking Software"
• Extensive PC-malware-like capabilities, including:
  – Dynamic configuration via C&C
  – Configurable banking app injection/overlay capabilities
  – Ready-made modules being sold to attack banks and financial services worldwide
  – On-mobile full fraud life cycle – credential stealing, 2FA circumvention, blocking the user/authorization
  – Flash news: GM Bot code leak!
  – News 2: GM Bot 2.0 released
    • A month ago our intelligence team identified a dispute between a customer of GM Bot and "Gangaman"
    • The customer was very disappointed with the level of service: it was hard to deploy and the support was bad
    • So… the customer posted the full source code in the underground
    • Since it was leaked, this malware is very trendy and effective, and now it will reach the hands of fraudsters for free
Android Malware Types (continued)
• High-end APT/targeted attacks
  – Hacking Team RCS in Saudi Arabia (?–2015) – "Qatif Today" repack
  – Xsser mRAT (2014)
    • Chinese trojan that spies on Hong Kong activists; steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone); remote shell and call
  – RedOctober/CloudAtlas (2014)
    • Steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
  – APT1 (2013) – "Kakao Talk" repack
    • Spies on Tibetan activists: contacts/SMS/location
  – World Uyghur Congress (2013)
    • Spies on Tibetan activists: contacts/SMS/calls/location
  – LuckyCat APT campaign (2012)
    • Phone info, file dir/upload/download, remote shell
  – FinSpy Mobile (2011) – Gamma Group's APT, tied to Egypt
Android Malware and RATs – Capabilities Overview
• Information theft
  – Contacts
  – Call log history
  – Messages (SMS, LINE, WhatsApp, Viber, Skype, Gtalk, Facebook, Twitter, …)
  – Emails
  – Geographical location
  – Network data (wireless network SSID/password), location, network state
  – Phone information (number/IMEI/IMSI/vendor/model/operator/SIM serial/OS)
  – Google account
  – Browsing history
  – Photos/videos/audio
  – Screenshots
  – Clipboard content
  – Arbitrary files on SD card
• Remote control
  – Activation/delayed activation and capturing of audio/video/photos/phone calls
  – Execute shell / run exploits
  – Launch browser
  – Send SMS
  – Make phone call
  – Download/delete files
Commercial RAT Examples – SandroRAT/DroidJack Evolution
• Sandroid → SandroRAT → DroidJack. No root access required!
• 8,380 DroidJack tutorials currently on Google
Many more…
Network Proxy to Corporate Resources
• NotCompatible.C – general-purpose, proxying network traffic (TCP/UDP)
  – Has been used for spam, brute force, bulk ticket purchase
• Banks & other enterprises could be a next target
Threats Summary
• Advanced/targeted attacks are real
  – More dominant in Asia, China being a major player
  – Global threat – HackingCrew, Hacking Team
• The most dominant threats are RATs
  – Android – easiest to infect, highly commercialized
  – Jailbroken iOS – has been done only in targeted attacks
  – Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
  – Applicable to iOS and Android; more problematic for Android due to a highly fragmented market
  – Associated only with advanced/targeted attacks
• Network-based attacks
  – Imminent threat, no malicious incident reported yet
IBM Mobile Threat Management can effectively prevent and take action against malware & threats
Taking Action Step by Step
Criminals attack the weakest link
[Diagram: a cyber criminal reaches enterprise data and employees/customers through mobile malware; the enterprise defense layers shown are firewall / perimeter protection, intrusion prevention system, anti-virus gateway, encryption, and mobile protection]
Taking action is easy – using layered security
The MaaS360 layered security model:
• Secure the device
• Secure the content
• Secure the app
• Secure the network
Taking Action – Managed and Unmanaged Devices
Managed devices (owned/BYOD)
• Device-level security
• Use EMM/MDM to enforce a sensitive-information access policy
• MDM should include advanced rooting/jailbreak & malware detection
• Scan home-grown apps for vulnerabilities
Unmanaged devices (customers, partners, agents, brokers, contractors)
• Application-level security
• Every app should have capabilities to assess device security
• In-app enforcement of sensitive info/operations
• Scan home-grown apps for vulnerabilities
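The "scan home-grown apps for vulnerabilities" step above, together with the app-level items on the "Anatomy of a Mobile Attack" slide (unintended permission granting, no/weak encryption in transit, sensitive data exposure), can be partly automated with a static check of an app's manifest. The script below is an added example and is not code from the presentation, from IBM, Trusteer or MaaS360; the sample AndroidManifest.xml, the permission-to-risk mapping and the severity labels are constructed for illustration, while the attribute names (android:debuggable, android:allowBackup, android:usesCleartextTraffic) and permission strings are real Android identifiers.

```python
"""Audit an AndroidManifest.xml for risky permissions and build settings.

Added example (not from the presentation or from IBM/MaaS360). The manifest
and the risk categories below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that map to the RAT / overlay / premium-SMS capabilities discussed
# in the deck. The grouping is this example's own, not an Android or IBM taxonomy.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "message interception (2FA SMS theft)",
    "android.permission.RECEIVE_SMS": "message interception (2FA SMS theft)",
    "android.permission.SEND_SMS": "premium-rate SMS / fraud on the user's behalf",
    "android.permission.READ_CONTACTS": "contact exfiltration",
    "android.permission.READ_CALL_LOG": "call log exfiltration",
    "android.permission.RECORD_AUDIO": "audio surveillance",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / screen-injection capability",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence (run on boot)",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return a list of (severity, finding) tuples for one manifest, most severe first."""
    root = ET.fromstring(xml_text)
    findings = []

    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            findings.append(("HIGH", f"{name}: {RISKY_PERMISSIONS[name]}"))

    app = root.find("application")
    if app is not None:
        # A debuggable build lets anyone with USB/adb access attach a debugger
        # and read process memory (the "dynamic runtime injection" item on the slide).
        if _attr(app, "debuggable") == "true":
            findings.append(("HIGH", "android:debuggable=true in release manifest"))
        # allowBackup left enabled lets app data (tokens, cached PII) be pulled via adb backup.
        if _attr(app, "allowBackup") != "false":
            findings.append(("MEDIUM", "android:allowBackup not explicitly disabled"))
        # Cleartext traffic exposes the app to the network-layer attacks on the slide.
        if _attr(app, "usesCleartextTraffic") == "true":
            findings.append(("HIGH", "android:usesCleartextTraffic=true (no/weak encryption in transit)"))

    order = {"HIGH": 0, "MEDIUM": 1}
    findings.sort(key=lambda f: order[f[0]])
    return findings


# Constructed sample manifest for a hypothetical in-house banking app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mybank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="MyBank"
        android:debuggable="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for severity, text in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {text}")
```

Run against the constructed manifest, the audit reports four HIGH findings (the two permissions, the debuggable flag and cleartext traffic) and one MEDIUM (backup not disabled). In a real pipeline the same check would be run on the decoded manifest of every release build, and any HIGH finding would block the build until the permission or flag is justified.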
IBM MaaS360 Mobile Threat Management
• Detects, analyzes and remediates mobile risks, delivering a new layer of security for Enterprise Mobility Management (EMM) with the integration of IBM Security Trusteer®, to protect against:
  – Mobile malware
  – Suspicious system configurations
  – Compromised (jailbroken or rooted) devices
IBM Security QRadar Integration with MaaS360
• Continuous mobile visibility
  – Detect when smartphones and tablets are attempting to connect to the network
  – Monitor enrollment of personally owned and corporate-liable devices
  – Gain awareness of unauthorized devices
  – Learn when users install blacklisted apps and access restricted websites
• Compromised device remediation
  – Uncover devices infected with malware before they compromise your enterprise data
  – Identify jailbroken iOS devices and rooted Android devices
  – Set security policies and compliance rules to automate remediation
  – Block access, or perform a selective wipe or full wipe of compromised devices
View MaaS360 compliance rule violations through IBM Security QRadar
View Out of Compliance events from MaaS360 on QRadar
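The "compliance rules to automate remediation" item above comes down to a small policy engine: device-posture events arrive, the latest posture per device is matched against rules, and the strongest of the three actions the slide lists (block access, selective wipe, full wipe) is chosen. The script below is an added example, not code from the presentation, IBM MaaS360 or QRadar; the key=value event line format, the field names, the rule thresholds and the device ids are constructed for this example and are not the real MaaS360 or QRadar event schema.

```python
"""Turn device-posture events into a remediation decision.

Added example, not code from the presentation, IBM MaaS360 or QRadar. The
event format, field names and rule table are constructed for illustration.
"""
import re
from collections import defaultdict

# Actions from least to most disruptive; a device gets the strongest one triggered.
ACTIONS = ["none", "block_access", "selective_wipe", "full_wipe"]

# Rule table: posture attribute -> (value that violates policy, action). Constructed policy.
RULES = {
    "malware": ("detected", "full_wipe"),
    "jailbroken": ("true", "selective_wipe"),
    "rooted": ("true", "selective_wipe"),
    "blacklisted_app": ("installed", "block_access"),
    "passcode": ("none", "block_access"),
}

EVENT_RE = re.compile(r"(\w+)=([^\s]+)")


def parse_event(line):
    """Parse one 'key=value key=value' posture line into a dict (constructed format)."""
    return dict(EVENT_RE.findall(line))


def evaluate(event):
    """Return (action, triggered_rule_names) for one device's current posture."""
    triggered = []
    strongest = "none"
    for attr, (bad_value, action) in RULES.items():
        if event.get(attr) == bad_value:
            triggered.append(attr)
            if ACTIONS.index(action) > ACTIONS.index(strongest):
                strongest = action
    return strongest, triggered


def decide(lines):
    """Fold many events into the latest posture per device and return {device: (action, rules)}."""
    per_device = defaultdict(dict)
    for line in lines:
        ev = parse_event(line)
        dev = ev.get("device")
        if dev is None:
            continue  # malformed line: no device id, nothing to act on
        per_device[dev].update(ev)  # a later event overrides earlier posture fields
    return {dev: evaluate(ev) for dev, ev in per_device.items()}


# Constructed sample events; field names and ids are this example's, not MaaS360's.
SAMPLE_EVENTS = [
    "ts=2016-03-01T09:00:00Z device=ios-0001 platform=ios jailbroken=false passcode=set",
    "ts=2016-03-01T09:05:00Z device=and-0002 platform=android rooted=true blacklisted_app=installed",
    "ts=2016-03-01T09:07:00Z device=and-0003 platform=android malware=detected",
    "ts=2016-03-01T09:10:00Z device=ios-0004 platform=ios passcode=none",
    "ts=2016-03-01T09:12:00Z device=and-0002 platform=android rooted=false",  # root removed
    "garbage line without fields",
]

if __name__ == "__main__":
    for dev, (action, rules) in sorted(decide(SAMPLE_EVENTS).items()):
        print(f"{dev}: {action} ({', '.join(rules) or 'compliant'})")
```

Two design points matter more than the rule table itself: later events override earlier ones per field, so a device that was un-rooted but still carries a blacklisted app is downgraded from selective wipe to block access rather than cleared entirely; and a malformed line is dropped rather than producing a phantom device. With the constructed events, and-0003 gets a full wipe, and-0002 and ios-0004 get access blocked, and ios-0001 is compliant.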
Summary
• Malware exists on mobile and can pose a significant threat to your organization's IP / data
• IBM Security Trusteer can aid in safeguarding this on mobile
• MaaS360 + Trusteer can detect and take actions on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated reporting
Shaked Vax - [email protected]
Thank You