Uploaded by agilly, 09-Jan-2017

Page 1: Malware on Smartphones and  Tablets  - The Inconvenient  Truth

Malware on Smartphones and Tablets - The Inconvenient Truth

Shaked Vax, Trusteer Products Strategist

Kaushik Srinivas, MaaS360 Strategy & Offering Management

Page 2

Agenda

• Mobile is everywhere – mobile threats
• A look at mobile malware
• Threat landscape
  – iOS
  – Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar

Page 3

Mobile Access to Everything

[Callouts: Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013); 19% of customers won't mobile bank because of security fears]

All businesses are leveraging mobile these days as a main communication channel with customers, as well as a collaboration and productivity tool for employees

• In banking:
  – Mobile banking is the most important deciding factor when switching banks (32%)
  – More important than fees (24%), branch location (21%) or services (21%)… according to a survey of mobile banking customers in the U.S.¹
• However, for many end users, security concerns are a main inhibitor to adoption
• And apparently… for good reason.

Page 5

Mobile Malware Threats Scope

Line of Business Threats (customer facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account takeover (from / using mobile)
• Second-factor authentication circumvention

Enterprise Threats (employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP: files, photos of whiteboard drawings, recordings of phone calls / meetings
• Using stolen data to perform actions on the employee's behalf: send mail/SMS, place phone calls

Threats for Individuals
• Monetary losses: ransomware, premium-rate SMS/calls, app purchases
• Privacy loss: mobile RATs, infostealers, extortionware
• Device abuse: advertisement hijacking, illicit use of bandwidth and CPU

[Diagram labels: Sensitive information stealing; Using the mobile device/channel to perform attack/fraud; Monetary loss to the user]

Page 6

Anatomy of a Mobile Attack – How to Get In?

Attack Surface: Data Center
• Web server: platform vulnerabilities, server misconfiguration, cross-site scripting (XSS), cross-site request forgery (CSRF), weak input validation, brute-force attacks
• Database: SQL injection, privilege escalation, data dumping, OS command execution

Attack Surface: Network
• Wi-Fi (no/weak encryption), rogue access point, packet sniffing, man-in-the-middle (MitM), session hijacking
• DNS poisoning, SSL stripping, fake SSL certificate

Attack Surface: Mobile Device
• Browser: phishing, pharming, clickjacking, man-in-the-middle (MitM), buffer overflow, data caching
• Phone/SMS: baseband attacks, SMishing
• Apps: sensitive data storage, no/weak encryption, improper SSL validation, dynamic runtime injection, unintended permission granting
• Operating system: no/weak passcode, iOS jailbreak, Android root, OS data caching, vendor/carrier-loaded OS/apps, no/weak encryption

Page 7

Threat Landscape - iOS

Page 8

Apple's Walled Garden: Security by Design

• Looking at the Apple ecosystem "as designed" – legitimate devices without jailbreak
• Only Apple controls the App Store
  – No "alternative market" support*
  – Apple reviews all apps
  – Apple can remove apps and ban developers
• iOS enforces integrity
  – Boot chain is signed
  – Only signed code can be installed and executed
• iOS sandbox
  – Process memory isolation
  – Filesystem isolation
  – Some operations require entitlements (e.g., change passcode, access camera)

Page 9

Infection Vectors of Non-JB Devices

• Enterprise provisioning ($299/year, a valid credit card and a D-U-N-S number)
• Distributed mostly via link (email/webpage/SMS), or via USB
• Legitimate use
  – MDM providers and, to some degree, "alternative markets"
  – Other "alternative" markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks

Pop Quiz: Which of the below pop-ups is legit?

Page 10

What Can Be Done Inside the Garden (non-JB)?

• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
  – Masque attack – replacing a legitimate app with another app
    • Trojanized versions of social apps found in Hacking Team's leak (August 2015)

Page 11

Example of Trojanized Facebook App Behavior

Page 12

What Can Be Done Inside the Garden (non-JB)? (cont.)

• Private APIs and vulnerabilities (cont.)
  – XcodeGhost (September 2015)
    • Infecting apps through a rogue app development environment, aimed at credential stealing
    • 300 (or more…) infected apps removed by Apple from the App Store
  – Hiding apps
  – Running in the background / background keylogging
  – Running on boot
  – Taking screenshots
  – Simulating screen/button presses
  – Blocking OCSP (Online Certificate Status Protocol)
  – Privilege escalation / sandbox escape

Page 13

What Can Be Done Inside the Garden (non-JB)? (cont.)

• APT/malware
  – RCS (2015) – installs an alternative keyboard for keylogging, plus trojanized apps
  – WireLurker (2014) – installs additional apps (Chinese game, third-party App Store client, comic reader)
  – Find and Call (2012) – steals the user's contacts
• Apple usually responds fast – eliminating the apps from the App Store

Page 14

Jailbreak Land

• What is the jailbreak process?
  – Disables iOS enforcements / sandbox
  – Introduces third-party application stores (e.g., Cydia)
• Worldwide general estimate (2014): ~8% of all devices are jailbroken; in China ~14%
• Trusteer stats (2015) show only 0.15%; this may be because jailbreak is detected, and access enforced, by most Trusteer customers
• Jailbreak hiders attempt to hide the device state
  – xCON
  – FLEX
• Infection vectors of jailbroken devices
  – Rogue apps via third-party app stores
  – USB (WireLurker, CloudAtlas)

Page 15

Malware for Jailbroken Devices

• APT / targeted attacks
  – Hacking Team RCS – steals contacts, calendar, screen, location, network traffic and monitors user inputs; remote exploit to crack the device passcode
  – Xsser mRAT – Chinese trojan that steals device info, SMS and emails; installed via a rogue Cydia repository
  – CloudAtlas – steals device information, contacts, accounts, Apple ID, …
  – XAgent "Pawn Storm" – steals SMS, contacts, photos, GPS location, installed apps, Wi-Fi status; remotely activates audio recording
  – WireLurker – PC-side trojan that trojanizes installed apps and steals contacts, SMS, iMessages, Apple ID, device serial
• "Non-enterprise" malware
  – Unfold "Baby Panda" – Chinese trojan that steals Apple ID and password
  – AdThief – hijacks advertisements of installed apps for revenue

Page 16

Threat Landscape - Android

Page 17

Android Infection Vectors

• Link via SMS/email (may contain exploits) – e.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware – DeathRing, Mouabad, "Coolpad" backdoor – most common in Asia, with some appearances in Spain and Africa
• Physical access by the attacker (PC kit to deploy malware)
• USB from an infected PC (e.g., DroidPak, WireLurker, Android RCS)

Page 18

Android Infection Vectors (cont.)

• Remote exploit
  – 95% of Android devices exposed to the Stagefright vulnerability
  – As of July 2015, ~28% of devices ran OS 4.3 or lower, which is vulnerable to the AOSP Browser and Master Key bugs (4 years old!)
• App markets – alternative markets and the official Google Play
• Apps could deploy malware, weaponize themselves later, use exploits or carry trojanized functionality
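The Master Key weakness referred to above comes down to an APK (a ZIP archive) carrying two entries with the same name, so that the component that verifies the package signature and the component that loads the code can resolve that name to different records. What follows is an added example, not code from the presentation or from IBM/Trusteer: it uses Python's standard zipfile module to build such an archive in memory (the duplicate classes.dex entry and its contents are constructed for the demonstration), shows how a first-match and a last-match reader disagree about what the archive contains, and implements the check an app-vetting pipeline can apply, which is to reject any archive whose central directory lists a name more than once. The function names are this example's own.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs, duplicates included.

    zipfile warns when a name is written twice but still emits a second local
    header and a second central-directory record, which is the shape a Master
    Key style APK relies on; the warning is silenced here on purpose.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def duplicate_entries(zip_bytes):
    """Map each name listed more than once in the central directory to its count."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last(zip_bytes, name):
    """Read one name the two ways a naive parser might: first record and last record.

    If the signature verifier settles on one record and the code loader on the
    other, the signed bytes and the executed bytes differ.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        records = [info for info in zf.infolist() if info.filename == name]
        if not records:
            raise KeyError(name)
        with zf.open(records[0]) as f:
            first = f.read()
        with zf.open(records[-1]) as f:
            last = f.read()
    return first, last


def vet_apk(zip_bytes):
    """Vetting rule: refuse any archive whose central directory repeats a name."""
    dups = duplicate_entries(zip_bytes)
    if dups:
        detail = ", ".join(f"{n} x{c}" for n, c in sorted(dups.items()))
        return False, "duplicate entries: " + detail
    return True, "no duplicate entries"


if __name__ == "__main__":
    # Constructed sample: a second classes.dex record shadows the first.
    hostile = build_zip([
        ("AndroidManifest.xml", b"<manifest/>"),
        ("classes.dex", b"dex\n035\x00 benign code"),
        ("classes.dex", b"dex\n035\x00 injected code"),
    ])
    print(vet_apk(hostile))                      # (False, 'duplicate entries: classes.dex x2')
    print(first_and_last(hostile, "classes.dex"))
    clean = build_zip([("AndroidManifest.xml", b"<manifest/>"),
                       ("classes.dex", b"dex\n035\x00 benign code")])
    print(vet_apk(clean))                        # (True, 'no duplicate entries')
```

The check is deliberately coarse: a legitimate build tool never needs two records with one name, so rejecting the archive is cheaper and safer than trying to decide which record "wins" on a given platform version.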

Page 19

Android Mobile Store Malware Infection Rates

Page 20

Android Malware Types

• RATs – commercial or underground surveillanceware
  – Tens of variants
  – Some publicly available, some in the underground, one is even open source
• Network proxy
  – NotCompatible malware family
• Infostealers
  – Keyloggers, overlay malware

Page 21

The Appearance of PC-Grade Mobile Malware

• "GM Bot" / "Mazar Banking Software" – recently appeared in the global mobile malware landscape
• Extensive PC-malware-like capabilities, including:
  – Dynamic configuration via C&C
  – Configurable banking app injection/overlay capabilities
  – Ready-made modules being sold to attack banks and financial services users worldwide: Australia, Austria, France, Czech Republic, Hungary, Spain, Singapore, Germany, Poland, India, Turkey, New Zealand, US

Page 22

Android Malware Types (cont.)

• High-end APT/targeted attacks
  – Hacking Team RCS in Saudi Arabia (?-2015) – "Qatif Today" repack
  – Xsser mRAT (2014) – Chinese trojan that spies on Hong Kong activists; steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone); remote shell and call
  – RedOctober/CloudAtlas (2014) – steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
  – APT1 (2013) – "Kakao Talk" repack; spies on Tibetan activists' contacts/SMS/location
  – World Uyghur Congress (2013) – spies on Tibetan activists' contacts/SMS/calls/location
  – LuckyCat APT campaign (2012) – phone info, file dir/upload/download, remote shell
  – FinSpy Mobile (2011) – Gamma Group's APT, tied to Egypt

Page 23

Android Malware and RATs Capabilities Overview

• Information theft
  – Contacts
  – Call log history
  – Messages (SMS, LINE, WhatsApp, Viber, Skype, Gtalk, Facebook, Twitter, …)
  – Emails
  – Geographical location
  – Network data (wireless network SSID/password), location, network state
  – Phone information (number/IMEI/IMSI/vendor/model/operator/SIM serial/OS)
  – Google account
  – Browsing history
  – Photos/videos/audio
  – Screenshots
  – Clipboard content
  – Arbitrary files on SD card
• Remote control
  – Activation/delayed activation and capturing of audio/video/photos/phone calls
  – Execute shell / run exploits
  – Launch browser
  – Send SMS
  – Make phone call
  – Download/delete files

Page 24

Commercial RAT Examples – SandroRAT/DroidJack Evolution

• Sandroid -> SandroRAT -> DroidJack
• No root access required!

8,380 DroidJack tutorials currently on Google

Page 25

Many more…

Page 26

Network Proxy to Corporate Resources

• NotCompatible.C – general-purpose network (TCP/UDP) proxy – has been used for spam, brute force, bulk ticket purchase
• Banks and other enterprises could be the next target

Page 27

Threats Summary

• Advanced/targeted attacks are real
  – More prevalent in Asia, with China as the major player
  – Global threat – HackingCrew, Hacking Team
• The most dominant threats are RATs
  – Android – easiest to infect, highly commercialized
  – Jailbroken iOS – seen only in targeted attacks
  – Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
  – Applicable to iOS and Android; more problematic for Android due to its highly fragmented market
  – Associated only with advanced/targeted attacks
• Network-based attacks – imminent threat, no malicious incident reported yet

Page 28

Taking Action Is Easy

IBM Mobile Threat Management can effectively prevent and take action against malware and threats

Page 29

Criminals attack the weakest link

Page 30

Taking Action Is Easy – Using Layered Security

The MaaS360 layered security model:
• Secure the device
• Secure the content
• Secure the app
• Secure the network

Page 31

Taking Action Is Easy

Managed devices (owned/BYOD)
• Device-level security
• Use EMM/MDM to enforce sensitive-information access policy
• MDM should include advanced rooting/jailbreak and malware detection
• Scan home-grown apps for vulnerabilities

Unmanaged devices (customers, partners, agents, brokers, contractors)
• Application-level security
• Every app should have capabilities to assess device security
• In-app enforcement of sensitive info/operations
• Scan home-grown apps for vulnerabilities

Page 32

IBM MaaS360 Mobile Threat Management

Detects, analyzes and remediates mobile risks, delivering a new layer of security for Enterprise Mobility Management (EMM) with the integration of IBM Security Trusteer® to protect against:
• Mobile malware
• Suspicious system configurations
• Compromised (jailbroken or rooted) devices

Page 33

IBM Security QRadar Integration with MaaS360

• Continuous mobile visibility
  – Detect when smartphones and tablets attempt to connect to the network
  – Monitor enrollment of personally owned and corporate-liable devices
  – Gain awareness of unauthorized devices
  – Learn when users install blacklisted apps and access restricted websites
• Compromised device remediation
  – Uncover devices infected with malware before they compromise your enterprise data
  – Identify jailbroken iOS devices and rooted Android devices
  – Set security policies and compliance rules to automate remediation
  – Block access, or perform a selective wipe or full wipe of compromised devices

View MaaS360 compliance rule violations through IBM Security QRadar
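The compliance rules and the SIEM hand-off described on this and the preceding slides, as an added example that is not part of the presentation or of MaaS360/QRadar code: device inventory reports are constructed inline; each device is evaluated for root/jailbreak indicators (the MDM agent's own flag plus file paths, build tags and root-manager packages, so a jailbreak hider that defeats one check can still trip another), for an OS version below a policy floor, and for blacklisted packages; and every violation is rendered as a LEEF 1.0 line, the log format QRadar ingests natively. The policy floors, the blacklisted package name com.example.blacklisted.rat, the indicator lists, and the LEEF vendor/product/attribute names are assumptions of this example, not MaaS360 defaults or its real event schema.

```python
from dataclasses import dataclass, field

# Assumptions for this example, not MaaS360 defaults: policy floors, a constructed
# blacklist entry, and root/jailbreak indicator lists.
MIN_OS_VERSION = {"android": (4, 4), "ios": (8, 0)}
BLACKLISTED_PACKAGES = {"com.example.blacklisted.rat"}
ROOT_MANAGER_PACKAGES = {"eu.chainfire.supersu", "com.noshufou.android.su"}
ROOT_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}
JAILBREAK_PATHS = {"/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd"}


@dataclass
class DeviceReport:
    """One device's inventory as an MDM agent might report it (constructed shape)."""
    device_id: str
    platform: str                      # "android" or "ios"
    os_version: str
    build_tags: str = ""               # Android ro.build.tags; "test-keys" hints at a custom ROM
    installed_packages: set = field(default_factory=set)
    present_paths: set = field(default_factory=set)
    agent_says_compromised: bool = False


def parse_version(text):
    """Leading numeric components only: "4.4.2" -> (4, 4, 2), "4.4W" -> (4, 4)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def compromise_indicators(d):
    """Root/jailbreak evidence, combining the agent's flag with independent signals."""
    found = ["agent_flag"] if d.agent_says_compromised else []
    if d.platform == "android":
        if d.build_tags == "test-keys":
            found.append("test-keys build")
        found += sorted(d.present_paths & ROOT_PATHS)
        found += sorted(d.installed_packages & ROOT_MANAGER_PACKAGES)
    else:
        found += sorted(d.present_paths & JAILBREAK_PATHS)
    return found


def evaluate(d):
    """Return (rule_id, detail, action) tuples for every rule the device violates."""
    violations = []
    indicators = compromise_indicators(d)
    if indicators:
        violations.append(("CompromisedDevice", ";".join(indicators), "block_access,selective_wipe"))
    if parse_version(d.os_version) < MIN_OS_VERSION[d.platform]:
        violations.append(("OSBelowMinimum", d.os_version, "block_access"))
    bad = sorted(d.installed_packages & BLACKLISTED_PACKAGES)
    if bad:
        violations.append(("BlacklistedApp", ";".join(bad), "alert,block_access"))
    return violations


def to_leef(d, rule_id, detail, action):
    """Render one violation as a LEEF 1.0 line (tab-separated attributes).
    Vendor, product and attribute names are placeholders for this example."""
    attrs = [("devId", d.device_id), ("platform", d.platform), ("osVersion", d.os_version),
             ("detail", detail), ("action", action)]
    return f"LEEF:1.0|ExampleEMM|Compliance|1.0|{rule_id}|" + "\t".join(f"{k}={v}" for k, v in attrs)


def report_fleet(devices):
    """All violations across the fleet as LEEF lines, ready to forward to a SIEM."""
    return [to_leef(d, *v) for d in devices for v in evaluate(d)]


if __name__ == "__main__":
    fleet = [  # constructed sample inventory
        DeviceReport("and-001", "android", "4.3", build_tags="test-keys",
                     present_paths={"/system/xbin/su"},
                     installed_packages={"eu.chainfire.supersu", "com.example.blacklisted.rat"}),
        DeviceReport("ios-002", "ios", "9.2.1"),
        DeviceReport("ios-003", "ios", "9.2.1", present_paths={"/Applications/Cydia.app"}),
    ]
    for line in report_fleet(fleet):
        print(line)
```

Two design points carry over to a real deployment: the compromise decision is the union of several independent indicators rather than a single agent flag, and the action is attached to the event itself so the SIEM side can correlate what was done without a second lookup.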

Page 34

View Out of Compliance events from MaaS360 on QRadar

Page 35

Summary

• Malware exists on mobile and can pose a significant threat to your organization's IP / data
• Trusteer can aid in safeguarding this on mobile
• MaaS360 + Trusteer can detect and take action on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated reporting

Page 36

Talk to a Mobile Expert: Visit IBM MaaS360 in the Expo Hall

Talk to an IBM MaaS360 expert, watch a demo and receive a mobile-themed giveaway!
• Charge your device courtesy of MaaS360
  • IBM Security Booth #314 (**charger location)
  • IBM MobileFirst Booth #530 (**charger location)
  • IBM Box Booth #202
  • AT&T Booth #561
Like what you see? Try us out!
• Visit ibm.com/maas360 for free trial details

Page 37

Notices and Disclaimers

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Page 38

Notices and Disclaimers (cont.)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Page 39

Thank You – Your Feedback is Important!

Access the InterConnect 2016 Conference Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.