Malware on Smartphones and Tablets: The Inconvenient Truth


Upload: ibm-security

Post on 14-Apr-2017


Page 1: Malware on Smartphones and Tablets: The Inconvenient Truth

© 2016 IBM Corporation

Shaked Vax, Trusteer Products Strategist, IBM Security

Malware on Smartphones and Tablets - The Inconvenient Truth

Page 2

Agenda

• Mobile is everywhere – Mobile Threats
• A look at Mobile Malware
• Threat landscape
  – iOS
  – Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar

Page 3

Mobile Access to Everything

#1 Channel: Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013)

19% of customers won't mobile bank because of security fears

All businesses are leveraging mobile these days as a main communication channel with customers, as well as a collaboration and productivity tool for employees.

• In Banking:
  – Mobile banking is the most important deciding factor when switching banks (32%)
  – More important than fees (24%), branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S. [1]
• However, for many end-users security concerns are a main inhibitor to adoption
• And apparently… for a good reason.


Page 5

Mobile Malware Threats Scope

Line of Business Threats (Customer Facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account take over (from / using mobile)
• 2nd Factor Authentication circumvention

Enterprise Threats (Employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP
  • Files
  • Photos of whiteboard drawings
  • Recordings of phone calls / meetings
• Use stolen data to perform actions on behalf of the employee:
  • Send Mail/SMS
  • Perform phone calls

Threats for individuals
• Monetary losses
  • Ransomware
  • Premium rate SMS/calls
  • Apps purchase
• Privacy loss
  • Mobile RATs
  • InfoStealers
  • Extortionware
• Device abuse
  • Advertisement hijacking
  • Illicit use of B/W, CPU

Slide callouts: Sensitive Information Stealing; Using the Mobile device/channel to perform Attack/Fraud; Monetary loss to the user

Page 6

Anatomy of a Mobile Attack – How to Get In?

Attack Surface: Data Center
• WEB SERVER: Platform Vulnerabilities, Server Misconfiguration, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Weak Input Validation, Brute Force Attacks
• DATABASE: SQL Injection, Privilege Escalation, Data Dumping, OS Command Execution

Attack Surface: Network
• Wi-Fi (No/Weak Encryption), Rogue Access Point, Packet Sniffing, Man-in-the-Middle (MitM), Session Hijacking
• DNS Poisoning, SSL Stripping, Fake SSL Certificate

Attack Surface: Mobile Device
• BROWSER: Phishing, Pharming, Clickjacking, Man-in-the-Middle (MitM), Buffer overflow, Data Caching
• PHONE/SMS: Baseband Attacks, SMishing
• APPS: Sensitive Data Storage, No/Weak Encryption, Improper SSL Validation, Dynamic Runtime Injection, Unintended Permissions granting
• OPERATING SYSTEM: No/Weak Passcode, iOS Jailbreak, Android Root, OS Data Caching, Vendor/Carrier loaded OS/Apps, No/Weak Encryption

Page 7

Threat Landscape - iOS

Page 8

Apple’s Walled Garden – Security by Design

• Looking at the Apple eco-system “as designed” – legit devices without Jail-Break
• Only Apple controls the AppStore
  – No “alternative market” support*
  – Apple reviews all apps
  – Apple can remove apps and ban developers
• iOS enforces integrity
  – Boot chain is signed
  – Only signed code can be installed and executed
• iOS Sandbox
  – Process memory isolation
  – Filesystem isolation
  – Some operations require entitlements (e.g., change passcode, access camera)

Page 9

Infection Vectors of Non-JB Devices

• Enterprise provisioning ($299/yr, valid credit card, D-U-N-S)
• Distributed mostly via link (email/webpage/SMS), or USB
• Legitimate use
  – MDM providers and “alternative markets” to some degree
  – Other “alternative” markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks

Pop Quiz: Which of the below pop-ups is legit?

Page 10

Infection Vectors of Non-JB Devices (cont.)

• XcodeGhost (Sept 2015)
  – Infecting apps through a rogue app development environment, targeted at credential stealing
  – 300 (or more…) rogue apps removed by Apple from the AppStore

Page 11

What Can Be Done Inside the Garden (non-JB)?

• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
  – Masque attack – replacing a legit app with another app
    • Trojanized versions of social apps found in Hacking Team’s leak (August 2015)

Page 12

Example of Trojanized Facebook App behavior

Page 13

What Can Be Done Inside the Garden (non-JB)? (cont.)

• Private APIs and vulnerabilities (cont.)
  – Hiding apps
  – Running in background → background keylogging
  – Running on boot
  – Taking screenshots
  – Simulating screen/button presses
  – Blocking OCSP (Online Certificate Status Protocol)
  – Privilege escalation / sandbox escape

Page 14

What Can Be Done Inside the Garden (non-JB)?

• APT/Malware
  – RCS (2015) – installs an alternative keyboard for keylogging + trojanized apps
  – WireLurker (2014) – installs additional apps (Chinese game, 3rd party AppStore client, comic reader)
  – Find and Call (2012) – steals the user’s contacts
• Apple usually responds fast – eliminating the apps from the AppStore

Page 15

Jailbreak Land

• What is the Jailbreak process?
  – Disables iOS enforcements / sandbox
  – Introduces 3rd party application stores (e.g., Cydia)
• Worldwide general estimation (2014): ~8% of all devices are JB; in China: ~14%
• Trusteer stats (2015) show only 0.15%; however, this may be attributed to the fact that it is detected and enforced by most customers
• Jailbreak hiders attempting to hide the device state
  – xCON
  – FLEX
• Infection vectors of JB devices
  – Rogue apps via 3rd party AppStores
  – USB (WireLurker, CloudAtlas)

Page 16

Malware for Jailbroken Devices

• APT / targeted attacks
  – Hacking Team RCS – steals contacts, calendar, screen; monitors user inputs, location, network traffic. Remote exploit to crack the device passcode
  – Xsser mRAT – Chinese Trojan that steals device info, SMS and emails. Installed via rogue Cydia
  – CloudAtlas – steals device information, contacts, accounts, Apple ID, …
  – XAgent “PawnStorm” – steals SMS, contacts, photos, GPS location, installed apps, wifi status; remotely activates audio recording
  – WireLurker – PC trojanizes installed apps, steals contacts, SMS, iMessages, Apple ID, device serial
• “Non-enterprise” malware
  – Unfold “Baby Panda” – Chinese Trojan that steals Apple ID and password
  – AdThief – hijacks advertisements of installed apps for revenue

Page 17

Threat Landscape - Android

Page 18

Android Infection Vectors

• Link via SMS/email (may contain exploits)
  – E.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware
  – DeathRing, Mouabad, “Coolpad” backdoor
  – Most common in Asia, some appearances in Spain and Africa
• Physical access by the attacker (PC kit to deploy malware)
• USB from infected PC (e.g., DroidPak, WireLurker, AndroidRCS)

Page 19

Android Infection Vectors

• Remote exploit
  – 95% of Android devices exposed to the Stagefright vulnerability
  – In July 2015 ~28% of devices had OS 4.3 or lower, which is vulnerable to AOSP Browser & Masterkey (4 years old!!)
• App markets – alternative markets and official Google Play

Page 20

Android Mobile Store Malware Infection Rates

Page 21

Android Infection Vectors (cont.)

• Apps could deploy malware, weaponize, use exploits or have trojanized functionality

Page 22

Android Malware Types

• RATs – commercial or underground surveillanceware
  – Tens of variants
  – Some publicly available, some in the underground, one is even open source
• Network proxy – NotCompatible malware family
• InfoStealers – Keyloggers, Overlay malware

Page 23

The Appearance of PC-Grade Mobile Malware

• “GM Bot” / “Mazar Banking Software”
• Extensive PC-malware-like capabilities, including:
  – Dynamic configuration via C&C
  – Configurable banking app injection/overlay capabilities
  – Ready-made modules being sold to attack worldwide banks and financial services
  – On-mobile full fraud life cycle – credential stealing, 2FA circumvention, block user/authorization
  – Flash News: GM Bot code leak!!
  – News 2: GM Bot 2.0 released
    • A month ago our Intelligence team identified a dispute between a customer of GM Bot and “Gangaman”
    • The customer was very disappointed with the level of service: it was hard to deploy and the support was bad
    • So… the customer posted the full source code in the underground
    • Since it was leaked, this malware is very trendy and effective, and now it will reach the hands of fraudsters for free

Page 24

Android Malware Types

• High-end APT/targeted attacks
  – Hacking Team RCS in Saudi Arabia (?-2015) – “Qatif Today” repack
  – Xsser mRAT (2014)
    • Chinese trojan spies on Hong Kong activists; steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone); remote shell and call
  – RedOctober/CloudAtlas (2014)
    • steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
  – APT1 (2013) – “Kakao Talk” repack
    • spies on Tibetan activists’ contacts/SMS/location
  – World Uyghur Congress (2013)
    • spies on Tibetan activists’ contacts/SMS/calls/location
  – LuckyCat APT campaign (2012)
    • phone info, file dir/upload/download, remote shell
  – FinSpy mobile (2011) – Gamma Group’s APT, tied to Egypt

Page 25

Android Malware and RATs Capabilities Overview

• Information theft
  – Contacts
  – Call log history
  – Messages (SMS, LINE, WhatsApp, Viber, Skype, Gtalk, Facebook, Twitter, …)
  – Emails
  – Geographical location
  – Network data (wireless network SSID/password), location, network state
  – Phone information (number/IMEI/IMSI/Vendor/model/Operator/SIM serial/OS)
  – Google Account
  – Browsing history
  – Photos/Videos/Audio
  – Screenshots
  – Clipboard content
  – Arbitrary files on SD card
• Remote control
  – Activation/delayed activation and capturing of audio/video/photos/phone calls
  – Execute shell / run exploits
  – Launch browser
  – Send SMS
  – Make phone call
  – Download/delete files

Page 26

Commercial RAT Examples – SandroRAT/DroidJack Evolution

• Sandroid -> SandroRAT -> DroidJack
• No root access required!
• 8,380 DroidJack tutorials currently on Google

Page 27

Many more…

Page 28

Network Proxy to Corporate Resources

• NotCompatible.C
  – General-purpose network proxying (TCP/UDP)
  – Has been used for spam, brute force, bulk ticket purchase
• Banks & other enterprises could be a next target

Page 29

Threats Summary

• Advanced/targeted attacks are real
  – More dominant in Asia, China being a major player
  – Global threat – HackingCrew, HackingTeam
• The most dominant threats are RATs
  – Android – easiest to infect, highly commercialized
  – Jailbroken iOS – has been done only in targeted attacks
  – Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
  – Applicable to iOS and Android; more problematic for Android due to the highly segregated market
  – Associated only with advanced/targeted attacks
• Network-based attacks
  – Imminent threat, no malicious incident reported yet

Page 30

IBM Mobile Threat Management can effectively prevent and take action against malware & threats

Taking Action step by step

Page 31

Criminals Attack the Weakest Link

Diagram (labels only): Cyber Criminal; Enterprise Data; Employee / Customer; Firewall, Perimeter Protection, Intrusion Prevention System, Anti-Virus Gateway, Encryption; Mobile Malware; Mobile Protection

Page 32

Taking Action Is Easy – Using Layered Security

The MaaS360 layered security model:
• Secure the Device
• Secure the Content
• Secure the App
• Secure the Network

Page 33

Taking Action – Managed and Unmanaged Devices

Managed Devices (Owned/BYOD)
• Device-level security
• Using EMM/MDM to enforce sensitive information access policy
• MDM should include advanced rooting/jailbreak & malware detection
• Scan home-grown apps for vulnerabilities

Unmanaged Devices (Customers, partners, agents, brokers, contractors)
• Application-level security
• Every app should have capabilities to assess device security
• In-app enforcement of sensitive info/operations
• Scan home-grown apps for vulnerabilities
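One way an app on an unmanaged device can assess device security before exposing sensitive operations, as the slide recommends, is a root-indicator check of the kind below. This is an added Android (Java) example, not MaaS360 or Trusteer code; the su paths and root-manager package names are a constructed, illustrative list, and the class and method names are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/** Heuristic root-state assessment an app can run before sensitive operations (added example). */
public final class DeviceIntegrityCheck {

    // Locations where a su binary is commonly placed after rooting (constructed list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    // Package names of well-known root-management apps (constructed list).
    private static final String[] ROOT_MANAGER_PACKAGES = {
        "com.noshufou.android.su", "eu.chainfire.supersu", "com.koushikdutta.superuser"
    };

    private DeviceIntegrityCheck() {}

    /** Returns every indicator found; an empty list means no evidence of rooting was observed. */
    public static List<String> collectRootIndicators(Context ctx) {
        List<String> findings = new ArrayList<>();

        // 1. Builds signed with AOSP test keys are custom/engineering ROMs, not vendor releases.
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            findings.add("build-tags:" + tags);
        }

        // 2. A su binary present in any of the usual locations.
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                findings.add("su-binary:" + path);
            }
        }

        // 3. A root-management app installed on the device.
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_MANAGER_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                findings.add("root-manager:" + pkg);
            } catch (PackageManager.NameNotFoundException ignored) {
                // Not installed; nothing to record.
            }
        }
        return findings;
    }

    /** Policy decision the app takes before exposing sensitive info/operations. */
    public static boolean allowSensitiveOperation(Context ctx) {
        return collectRootIndicators(ctx).isEmpty();
    }
}
```

File and package heuristics like these are defeated by state-hiding tools of the kind the deck mentions for iOS (xCON, FLEX), so the result should feed a server-side risk decision together with MDM-reported device state rather than serve as the only gate.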

Page 34

IBM MaaS360 Mobile Threat Management

• Detects, analyzes and remediates mobile risks, delivering a new layer of security for Enterprise Mobility Management (EMM) with the integration of IBM Security Trusteer® to protect against:
  – Mobile malware
  – Suspicious system configurations
  – Compromised jailbroken or rooted devices

Page 35

IBM Security QRadar Integration with MaaS360

• Continuous Mobile Visibility
  – Detect when smartphones and tablets are attempting to connect to the network
  – Monitor enrollment of personally owned and corporate-liable devices
  – Gain awareness of unauthorized devices
  – Learn when users install blacklisted apps and access restricted websites
• Compromised Device Remediation
  – Uncover devices infected with malware before they compromise your enterprise data
  – Identify jailbroken iOS devices and rooted Android devices
  – Set security policies and compliance rules to automate remediation
  – Block access, or perform a selective wipe or full wipe of compromised devices

View MaaS360 compliance rule violations through IBM Security QRadar

Page 36

View Out of Compliance events from MaaS360 on QRadar

Page 37

Summary

• Malware exists on mobile and can pose a significant threat to your organization’s IP / data
• IBM Security Trusteer can aid in safeguarding this on mobile
• MaaS360 + Trusteer can detect and take action on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated reporting

Page 38

Shaked Vax – [email protected]

Thank You