Malware on Smartphones and Tablets: The Inconvenient Truth

1. © 2016 IBM Corporation
Shaked Vax, Trusteer Products Strategist, IBM Security
Malware on Smartphones and Tablets - The Inconvenient Truth
2. Agenda
• Mobile is everywhere – Mobile Threats
• A look at Mobile Malware
• Threat landscape
  – iOS
  – Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar
3. Mobile Access to Everything
Callouts: Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013); 19% of customers won't mobile bank because of security fears.
All businesses are leveraging mobile these days as a main communication channel with customers, as well as a collaboration and productivity tool for employees
• In Banking:
  – Mobile banking is the most important deciding factor when switching banks (32%)
  – More important than fees (24%), branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S.¹
• However, for many end-users security concerns are a main inhibitor to adoption
• And apparently… for a good reason.
5. Mobile Malware Threats Scope
Line of Business Threats (Customer Facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account takeover (from mobile)
• 2nd factor authentication circumvention
Enterprise Threats (Employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP
  • Files
  • Photos of whiteboard drawings
  • Recordings of phone calls / meetings
• Use stolen data to perform actions on behalf of the employee:
  • Send mail/SMS
  • Perform phone calls
Threats for Individuals
• Monetary losses
  • Ransomware
  • Premium rate SMS/calls
  • App purchases
• Privacy loss
  • Mobile RATs
  • InfoStealers
  • Extortionware
• Device abuse
  • Advertisement hijacking
  • Illicit use of bandwidth, CPU
Threat categories highlighted on the slide: sensitive information stealing; using the mobile device/channel to perform attack/fraud; monetary loss to the user.
6. Anatomy of a Mobile Attack – How to Get In?
Attack Surface: Data Center
• Web server: Platform vulnerabilities, Server misconfiguration, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Weak input validation, Brute force attacks
• Database: SQL injection, Privilege escalation, Data dumping, OS command execution
Attack Surface: Network
• Wi-Fi (no/weak encryption), Rogue access point, Packet sniffing, Man-in-the-Middle (MitM), Session hijacking, DNS poisoning, SSL stripping, Fake SSL certificate
Attack Surface: Mobile Device
• Browser: Phishing, Pharming, Clickjacking, Man-in-the-Middle (MitM), Buffer overflow, Data caching
• Phone/SMS: Baseband attacks, SMishing
• Apps: Sensitive data storage, No/weak encryption, Improper SSL validation, Dynamic runtime injection, Unintended permission granting
• Operating system: No/weak passcode, iOS jailbreak, Android root, OS data caching, Vendor/carrier loaded OS/apps, No/weak encryption
8. Apple’s Walled Garden Security by Design
• Looking at the Apple eco-system “as designed” - legit devices without Jail-Break
• Only Apple controls the App Store
  – No “alternative market” support*
  – Apple reviews all apps
  – Apple can remove apps and ban developers
• iOS enforces integrity
  – Boot chain is signed
  – Only signed code can be installed and executed
• iOS sandbox
  – Process memory isolation
  – Filesystem isolation
  – Some operations require entitlements (e.g., change passcode, access camera)
9. Infection Vectors of Non-JB Devices
• Enterprise provisioning ($299/year, valid credit card, D-U-N-S number)
• Distributed mostly via link (email/webpage/SMS), or USB
• Legitimate use
  – MDM providers and “alternative markets” to some degree
  – Other “alternative” markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks
Pop Quiz: Which of the below pop-ups is legit?
10. Infection Vectors of Non-JB Devices (cont.)
• XcodeGhost (Sept 2015)
  – Infecting apps through a rogue app development environment, targeted at credential stealing
  – 300 (or more…) rogue apps removed by Apple from the App Store
12. Example of Trojanized Facebook App behavior
13. What Can Be Done Inside the Garden (non-JB)?
• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
  – Masque attack – replacing a legit app with another app
    • Trojanized versions of social apps found in Hacking Team’s leak (August 2015)
  – Hiding apps
  – Running in background → background keylogging
  – Running on boot
  – Taking screenshots
  – Simulating screen/button presses
  – Blocking OCSP (Online Certificate Status Protocol)
  – Privilege escalation / sandbox escape
14. What Can Be Done Inside the Garden (non-JB)? (cont.)
• APT/Malware
  – RCS (2015) – installs an alternative keyboard for keylogging + trojanized apps
  – WireLurker (2014) – installs additional apps (Chinese game, 3rd party App Store client, comic reader)
  – Find and Call (2012) – steals the user’s contacts
• Apple usually responds fast – eliminating the apps from the App Store
15. Jailbreak Land
• What is the Jailbreak process?
  – Disables iOS enforcements / sandbox
  – Introduces 3rd party application stores (e.g., Cydia)
• WW general estimation (2014): ~8% of all devices are JB; in China: ~14%
• Trusteer stats (2015) show only 0.15%; however, this may be attributed to the fact that jailbreak is detected and enforced against by most customers
• Jailbreak hiders attempting to hide the device state
  – xCON
  – FLEX
• Infection vectors of JB devices
  – Rogue apps via 3rd party App Stores
  – USB (WireLurker, CloudAtlas)
16. Malware for Jailbroken Devices
• APT / targeted attacks
  – Hacking Team RCS – steals contacts, calendar, screen, monitors user inputs, location, network traffic. Remote exploit to crack the device passcode
  – Xsser mRAT – Chinese Trojan that steals device info, SMS and emails. Installed via rogue Cydia
  – CloudAtlas – steals device information, contacts, accounts, Apple ID, …
  – XAgent “PawnStorm” - steals SMS, contacts, photos, GPS location, installed apps, Wi-Fi status, remotely activates audio recording
  – WireLurker – PC trojanizes installed apps, steals contacts, SMS, iMessages, Apple ID, device serial
• “Non-enterprise” malware
  – Unfold “Baby Panda” – Chinese Trojan that steals Apple ID and password
  – AdThief – hijacks advertisements of installed apps for revenue
17. Threat Landscape - Android
18. Android Infection Vectors
• Link via SMS/email (may contain exploits)
  – E.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware
  – DeathRing, Mouabad, “Coolpad” backdoor
  – Most common in Asia, some appearances in Spain and Africa
• Physical access of attacker (PC kit to deploy malware)
• USB from infected PC (e.g., DroidPak, WireLurker, AndroidRCS)
20. Android Mobile Store Malware Infection Rates
21. Android Infection Vectors (cont.)
• Remote exploit
  – 95% of Android devices exposed to the Stagefright vulnerability
  – In July 2015 ~28% of devices had OS 4.3 or lower, which is vulnerable to the AOSP Browser and Masterkey bugs (4 years old!)
• App markets – alternative markets and the official Google Play
• Apps could deploy malware, weaponize, use exploits or have trojanized functionality
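The Masterkey bug named above (Android bug 8219321, disclosed 2013) came from an APK containing two ZIP entries with the same name: the signature verifier checked one copy while the installer extracted the other. A clean APK never has duplicate entry names, so a defender-side check is simply to reject any package that does. The following is an added example, not code from the deck or from IBM; the function names and the embedded sample APK (a constructed minimal ZIP, not a real app) are assumptions.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every ZIP entry name that appears more than once.

    Android's original APK verifier ("Masterkey", bug 8219321) checked one copy
    of a duplicated entry while the installer extracted the other, so a signed
    APK could ship an unsigned classes.dex. Any duplicate is grounds to reject
    the package before installation.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() walks the central directory, so both copies are listed
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate_dex: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original-signed-code")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate_dex:
            # Second entry with the same name: the Masterkey pattern.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\x00injected-code")
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        dups = duplicate_entries(build_sample_apk(tampered))
        print("REJECT, duplicate entries:" if dups else "clean APK", dups)
```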
22. Android Malware Types
• RATs - commercial or underground surveillanceware
  – Tens of variants
  – Some publicly available, some in the underground, one is even open source
• Network proxy
  – NotCompatible malware family
• InfoStealers
  – Keyloggers, overlay malware
23. The appearance of PC grade mobile malware
• “GM Bot” / “Mazar Banking Software”
• Extensive PC-malware-like capabilities including:
  – Dynamic configuration via C&C
  – Configurable banking app injection/overlay capabilities
  – Ready-made modules being sold to attack WW banks and financial services
  – On-mobile full fraud life cycle – credential stealing, 2FA circumvention, blocking user/authorization
  – Flash News: GM Bot code leak!
  – News 2: GM Bot 2.0 released
    • A month ago our Intelligence team identified a dispute between a customer of GM Bot and "Gangaman"
    • The customer was very disappointed with the level of service: it was hard to deploy and had bad support
    • So… the customer posted the full source code in the underground
    • Since it was leaked, this malware is very trendy and effective, and now it will reach the hands of fraudsters for free
24. Android Malware Types (cont.)
• High-end APT/targeted attacks
  – Hacking Team RCS in Saudi Arabia (?-2015) - “Qatif Today” repack
  – Xsser mRAT (2014)
    • Chinese trojan spies on Hong Kong activists; steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone), remote shell, and calls
  – RedOctober/CloudAtlas (2014)
    • steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
  – APT1 (2013) - “Kakao Talk” repack
    • spies on Tibetan activists’ contacts/SMS/location
  – World Uyghur Congress (2013)
    • spies on Tibetan activists’ contacts/SMS/calls/location
  – LuckyCat APT campaign (2012)
    • phone info, file dir/upload/download, remote shell
  – FinSpy Mobile (2011) – Gamma Group’s APT, tied to Egypt
25. Android Malware and RATs Capabilities Overview
• Information theft
  – Contacts
  – Call log history
  – Messages (SMS, LINE, WhatsApp, Viber, Skype, Gtalk, Facebook, Twitter, …)
  – Emails
  – Geographical location
  – Network data (wireless network SSID/password), location, network state
  – Phone information (number/IMEI/IMSI/vendor/model/operator/SIM serial/OS)
  – Google Account
  – Browsing history
  – Photos/videos/audio
  – Screenshots
  – Clipboard content
  – Arbitrary files on SD card
• Remote control
  – Activation/delayed activation and capturing of audio/video/photos/phone calls
  – Execute shell / run exploits
  – Launch browser
  – Send SMS
  – Make phone call
  – Download/delete files
26. Commercial RAT Examples – SandroRAT/DroidJack Evolution
• Sandroid -> SandroRAT -> DroidJack
No root access required!
8,380 DroidJack tutorials currently on Google
28. Network Proxy to Corporate Resources
• NotCompatible.C
  – General purpose network proxying (TCP/UDP)
  – Has been used for spam, brute force, bulk ticket purchase
• Banks and other enterprises could be the next target
29. Threats Summary
• Advanced/targeted attacks are real
  – More dominant in Asia, with China being a major player
  – Global threat - HackingCrew, HackingTeam
• The most dominant threats are RATs
  – Android – easiest to infect, highly commercialized
  – Jailbroken iOS – has been done only in targeted attacks
  – Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
  – Applicable to iOS and Android; more problematic for Android due to the highly fragmented market
  – Associated only with advanced/targeted attacks
• Network based attacks
  – Imminent threat, no malicious incident reported yet
30. IBM Mobile Threat Management can effectively prevent and take action against malware & threats
Taking Action step by step
31. Criminals attack the weakest link
Diagram labels: Cyber Criminal; Employee / Customer; Enterprise Data; perimeter controls: Firewall, Perimeter Protection, Intrusion Prevention System, Anti-Virus Gateway, Encryption; mobile layer: Mobile Malware vs. Mobile Protection.
32. Taking action is easy - using layered security
The MaaS360 layered security model: Secure the Device, Secure the Content, Secure the App, Secure the Network
33. Taking action – Managed and Unmanaged devices
Managed Devices (Owned/BYOD)
• Device level security
  • Using EMM/MDM to enforce sensitive information access policy
  • MDM should include advanced rooting/jailbreak & malware detection
• Scan home grown apps for vulnerabilities
Unmanaged Devices (Customers, partners, agents, brokers, contractors)
• Application level security
  • Every app should have capabilities to assess device security
  • In-app enforcement of sensitive info/operations
• Scan home grown apps for vulnerabilities
34. IBM MaaS360 Mobile Threat Management
• Detects, analyzes and remediates mobile risks, delivering a new layer of security for Enterprise Mobility Management (EMM) with the integration of IBM Security Trusteer® to protect against:
  – Mobile malware
  – Suspicious system configurations
  – Compromised jailbroken or rooted devices
35. IBM Security QRadar integration with MaaS360
• Continuous Mobile Visibility
  – Detect when smartphones and tablets are attempting to connect to the network
  – Monitor enrollment of personally owned and corporate-liable devices
  – Gain awareness of unauthorized devices
  – Learn when users install blacklisted apps and access restricted websites
• Compromised Device Remediation
  – Uncover devices infected with malware before they compromise your enterprise data
  – Identify jailbroken iOS devices and rooted Android devices
  – Set security policies and compliance rules to automate remediation
  – Block access, or perform a selective wipe or full wipe of compromised devices
View MaaS360 compliance rule violations through IBM Security QRadar
36. View Out of Compliance events from MaaS360 on QRadar
37. Summary
• Malware exists on mobile and can pose a significant threat to your organization’s IP / data
• IBM Security Trusteer can aid in safeguarding this on mobile
• MaaS360 + Trusteer can detect and take actions on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated reporting
38. Thank You
Shaked Vax - svax@us.ibm.com