Many businesses, through their IT managers and CIOs, still do not recognise mobile malware as an imminent threat. According to a Duo Security study, a third of Android mobile users do not lock their device screen with a passcode, and most take no security measures at all. Moreover, IT managers and CIOs roll out new applications to their customers and employees without building in security measures for authentication and threat mitigation.
Mobile malware has nevertheless evolved over recent years and now constitutes a real threat. Business Insider has noted that these threats are now on a par with PC threats in terms of distribution and risk level.
1. Malware on Smartphones and Tablets - The Inconvenient Truth
Shaked Vax
Trusteer Products Strategist
Kaushik Srinivas
MaaS360 Strategy & Offering Management
2. Agenda
• Mobile is everywhere – Mobile Threats
• A look at Mobile Malware
• Threat landscape
– iOS
– Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar
3. Mobile Access to Everything
#1 Channel: Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013)
19% of customers won't mobile bank because of security fears
All businesses are leveraging mobile these days as a main communication channel with customers, as well as a collaboration and productivity tool for employees
• In Banking:
– Mobile banking is the most important deciding factor when switching banks (32%)
– More important than fees (24%), branch location (21%) or services (21%), according to a survey of mobile banking customers in the U.S. 1
• However, for many end-users security concerns are a main inhibitor to adoption
• And apparently… for a good reason.
5. Mobile Malware Threats Scope
Line of Business Threats (Customer Facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account takeover (from / using mobile)
• 2nd factor authentication circumvention
Enterprise Threats (Employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP
– Files
– Photos of whiteboard drawings
– Recordings of phone calls / meetings
• Use stolen data to perform actions on behalf of the employee:
– Send mail/SMS
– Perform phone calls
Threats for Individuals
• Monetary losses
– Ransomware
– Premium-rate SMS/calls
– App purchases
• Privacy loss
– Mobile RATs
– InfoStealers
– Extortionware
• Device abuse
– Advertisement hijacking
– Illicit use of bandwidth, CPU
Underlying outcomes across the three columns: sensitive information stealing; using the mobile device/channel to perform attack/fraud; monetary loss to the user
6. Anatomy of a Mobile Attack – How to Get In?
Attack Surface: Data Center
WEB SERVER
Platform Vulnerabilities
Server Misconfiguration
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Weak Input Validation
Brute Force Attacks
DATABASE
SQL Injection
Privilege Escalation
Data Dumping
OS Command Execution
Attack Surface: Network
Wi-Fi (No/Weak Encryption)
Rogue Access Point
Packet Sniffing
Man-in-the-Middle (MiTM)
Session Hijacking
DNS Poisoning
SSL Stripping
Fake SSL Certificate
Attack Surface: Mobile Device
BROWSER
Phishing
Pharming
Clickjacking
Man-in-the-Middle (MitM)
Buffer overflow
Data Caching
PHONE/SMS
Baseband Attacks
SMishing
APPS
Sensitive Data Storage
No/Weak Encryption
Improper SSL Validation
Dynamic Runtime Injection
Unintended permission granting
OPERATING SYSTEM
No/Weak Passcode
iOS Jailbreak
Android Root
OS Data Caching
Vendor/Carrier loaded OS/Apps
No/Weak Encryption
8. Apple’s Walled Garden Security by Design
• Looking at the Apple ecosystem "as designed" - legit devices without jailbreak
• Only Apple controls AppStore
– No “alternative market” support*
– Apple reviews all apps
– Apple can remove apps and ban developers
• iOS Enforces Integrity
– Boot chain is signed
– Only signed code can be installed and executed
• iOS Sandbox
– Process memory isolation
– Filesystem isolation
– Some operations require entitlements (e.g., change
passcode, access camera)
9. Infection Vectors of Non-JB Devices
• Enterprise provisioning ($299/year, valid credit card, D-U-N-S number)
• Distributed mostly via link (email/webpage/SMS), or USB
• Legitimate use
– MDM providers and “alternative markets” to some degree
– Other “alternative” markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks
Pop Quiz: Which of the below pop-ups is legit?
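Enterprise provisioning profiles are the sideloading vector this slide describes, so a practitioner wants a quick way to triage one before it reaches a fleet. The following is an added example, not part of the deck or of any IBM product: it pulls the embedded XML plist out of a .mobileprovision blob and flags the properties that matter (ProvisionsAllDevices, a TeamIdentifier the organisation does not own, an expired profile, get-task-allow). The plist keys are the real ones Apple puts in profiles; the sample bytes, team IDs, names and bundle identifier are constructed for the example.

```python
import plistlib
from datetime import datetime

# Constructed sample: the XML plist an enterprise (in-house) distribution profile
# carries. A real .mobileprovision is a CMS/PKCS#7 signed blob wrapping exactly
# this kind of plist; the bytes padded around it below are placeholder filler,
# not a real signature. Team IDs, names and bundle ID are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Enterprise Profile</string>
  <key>AppIDName</key><string>Example App</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>CreationDate</key><date>2016-01-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2017-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""
SAMPLE_MOBILEPROVISION = b"\x30\x82\x0b\x00" + b"\x00" * 24 + SAMPLE_PLIST + b"\x00" * 24


def extract_plist(blob: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision blob.

    Triage shortcut only: the CMS signature is NOT verified here. To check it,
    use `security cms -D -i profile.mobileprovision` on macOS, or
    `openssl smime -inform der -verify` against Apple's CA chain.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_profile(blob: bytes, approved_teams: set, now) -> list:
    """Human-readable findings for one profile.

    approved_teams: Apple Team IDs the organisation actually owns. now: a
    datetime or 'YYYY-MM-DD' string, so triage is reproducible offline.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    p = extract_plist(blob)
    findings = []
    teams = set(p.get("TeamIdentifier", []))
    if not teams & approved_teams:
        findings.append("team %s is not an approved enterprise team"
                        % (", ".join(sorted(teams)) or "<none>"))
    if p.get("ProvisionsAllDevices"):
        findings.append("enterprise distribution: installs on ANY device, bypassing App Store review")
    elif "ProvisionedDevices" in p:
        findings.append("ad-hoc distribution: limited to %d listed UDIDs" % len(p["ProvisionedDevices"]))
    exp = p.get("ExpirationDate")          # plistlib yields a naive UTC datetime
    if exp is not None and exp <= now:
        findings.append("profile expired on %s" % exp.date().isoformat())
    if p.get("Entitlements", {}).get("get-task-allow"):
        findings.append("get-task-allow is set: debuggable development build")
    return findings


if __name__ == "__main__":
    for f in triage_profile(SAMPLE_MOBILEPROVISION, {"ZYXWV98765"}, "2016-02-22"):
        print("-", f)
```

The substring search works because the CMS wrapper carries the plist verbatim inside its content octet string; it tells you what the profile claims, not whether Apple signed it, which is why the signature check is left to the platform tools named in the docstring. A profile that provisions all devices from a team you do not recognise is exactly the "pop-up" a user should refuse.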
12. What Can Be Done Inside the Garden (non-JB)?
• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
– Masque attack – replacing a legit app with another app
• Trojanized versions of social apps found in Hacking Team's leak (August 2015)
– XcodeGhost (Sept 2015)
• Infecting apps through a rogue Xcode development environment, aimed at credential stealing
• 300 (or more…) rogue apps removed by Apple from the App Store
– Hiding apps
– Running in the background
– Background keylogging
– Running on boot
– Taking screenshots
– Simulating screen/button presses
– Blocking OCSP (Online Certificate Status Protocol)
– Privilege escalation / sandbox escape
13. What Can Be Done Inside the Garden (non-JB)?
• APT/Malware
– RCS (2015) – installs alternative keyboard for keylogging + trojanized apps
– WireLurker (2014) – installs additional apps (Chinese game, 3rd party AppStore client,
comic reader)
– Find and Call (2012) – steal user’s contacts
• Apple usually responds fast – removing the apps from the App Store
14. Jailbreak Land
• What is Jailbreak process?
– Disables iOS enforcements / sandbox
– Introduces 3rd party application stores (e.g., Cydia)
• Worldwide general estimate (2014): ~8% of all devices are JB, in China ~14%
• Trusteer stats (2015) show only 0.15%; this may be because most customers detect jailbreak and enforce policy against it
• Jailbreak hiders attempting to hide the device state
– xCON
– FLEX
• Infection vectors of JB devices
– Rogue apps via 3rd party AppStores
– USB (WireLurker, CloudAtlas)
15. Malware for Jailbroken Devices
• APT / targeted attacks
– Hacking Team RCS – steals contacts, calendar, screen, monitors user inputs, location,
network traffic. Remote exploit to crack device passcode
– Xsser mRAT – Chinese Trojan that steals device info, SMS and emails. Installed via
rogue Cydia
– CloudAtlas – steals device information, contacts, accounts, Apple ID,…
– XAgent “PawnStorm” - steals SMS, contacts, photos, GPS location, installed apps, wifi
status, remotely activates audio recording
– WireLurker – PC-based; trojanizes installed apps, steals contacts, SMS, iMessages, Apple ID, device serial
• “Non-enterprise” malware
– Unfold “Baby Panda” – Chinese Trojan that steals Apple ID and password
– AdThief – hijacks advertisement of installed apps for revenue
17. Android Infection Vectors
• Link via SMS/email (may contain exploits)
– E.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware
– DeathRing, Mouabad, “Coolpad” backdoor
– Most common in Asia, some appearance in Spain and Africa
• Physical access of attacker (PC kit to deploy malware)
• USB from infected PC (e.g., DroidPak, WireLurker, AndroidRCS)
18. Android Infection Vectors
• Remote exploit
– 95% of Android devices exposed to the Stagefright vulnerability
– In July 2015 ~28% of devices ran OS 4.3 or lower, which is vulnerable to the AOSP Browser & Master Key bugs (4 years old!!)
• App markets – alternative markets and official Google Play
• Apps could deploy malware, weaponize, use exploits or have
trojanized functionality
20. Android Malware Types
• RATs - commercial or underground surveillanceware
– Tens of variants
– Some publicly available, some in underground, one is even open source
• Network proxy
– NotCompatible malware family
• InfoStealers
– Keyloggers, Overlay malware
21. The appearance of PC-grade mobile malware
• "GM Bot" / "Mazar Banking Software" – recently appeared in the global mobile malware landscape
• Extensive PC-malware-like capabilities including:
– Dynamic configuration via C&C
– Configurable banking app injection/overlay capabilities
– Ready-made modules sold to attack banks and financial services users worldwide, in Australia, Austria, France, Czech Republic, Hungary, Spain, Singapore, Germany, Poland, India, Turkey, New Zealand, US
22. Android Malware Types
• High-end APT/targeted attacks
– Hacking Team RCS in Saudi Arabia (?-2015) - “Qatif Today” repack
– Xsser mRAT (2014)
• Chinese trojan that spies on Hong Kong activists: steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone); remote shell and call
– RedOctober/CloudAtlas (2014)
• steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
– APT1 (2013) - “Kakao Talk” repack
• spies on Tibetan activists contacts/SMS/location
– World Uyghur Congress (2013)
• spies on Tibetan activists contacts/SMS/calls/location
– LuckyCat APT campaign (2012)
• phone info, file dir/upload/download, remote shell
– FinSpy mobile (2011) – Gamma Group’s APT, tied to Egypt
23. Android Malware and RATs Capabilities Overview
• Information theft
– Contacts
– Call log history
– Messages (SMS, LINE, Whatsapp, Viber, Skype,
Gtalk, Facebook, Twitter, …)
– Emails
– Geographical location
– Network data (wireless network SSID/password),
location, network state
– Phone information
(number/IMEI/IMSI/Vendor/model/Operator/SIM
serial/OS)
– Google Account
– Browsing history
– Photos/Videos/Audio
– Screenshots
– Clipboard content
– Arbitrary files on SD card
• Remote control
– Activation/delayed activation and capturing of
audio/video/photos/phone calls
– Execute shell / run exploits
– Launch browser
– Send SMS
– Make phone call
– Download/delete files
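The information-theft and remote-control capabilities listed above map almost one-to-one onto Android permissions and manifest components, and the overlay plus SMS-interception pairing is what the GM Bot style banking malware on slide 21 needs. The following is an added example, not from the deck or from IBM: it triages an AndroidManifest.xml for that pattern, scoring surveillance permissions together with structural indicators (a high-priority SMS_RECEIVED receiver, a device-admin receiver, a boot receiver). The permission and action names are the real Android ones; both manifests, their package names and class names are constructed. A manifest inside an APK is binary XML, so dump it to text first (for example with `aapt dump xmltree` or apktool) before feeding it in.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a "flashlight" app whose permissions say otherwise.
SUSPICIOUS_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a torch app that asks only for what it needs.
BENIGN_MANIFEST = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>
"""

# Permission -> capability, following the RAT capability list on the slide above.
CAPABILITIES = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.READ_CALL_LOG": "steal call log",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.CAMERA": "capture photos/video",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.ACCESS_COARSE_LOCATION": "track location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.INTERNET": "network access (exfiltration / C&C)",
}
SPY_CAPS = {"read SMS", "intercept incoming SMS", "steal contacts", "steal call log",
            "record microphone", "capture photos/video", "track location"}


def parse_manifest(xml_bytes):
    """Return (package, declared permissions, structural indicators)."""
    root = ET.fromstring(xml_bytes)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    indicators = []
    for recv in root.iter("receiver"):
        if recv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            indicators.append("device-admin receiver: blocks uninstall while admin is active")
        for filt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in filt.iter("action")}
            priority = int(filt.get(ANDROID + "priority", "0"))
            if "android.provider.Telephony.SMS_RECEIVED" in actions and priority > 0:
                # Ordered broadcast: a high priority receiver gets OTP texts ahead of the SMS app.
                indicators.append("SMS_RECEIVED receiver with priority %d: reads OTPs before the SMS app" % priority)
            if "android.intent.action.BOOT_COMPLETED" in actions:
                indicators.append("boot receiver: persists across reboot")
    return root.get("package"), perms, indicators


def triage(xml_bytes):
    package, perms, indicators = parse_manifest(xml_bytes)
    caps = {CAPABILITIES[p] for p in perms if p in CAPABILITIES}
    spy = caps & SPY_CAPS
    patterns = []
    if "network access (exfiltration / C&C)" in caps and len(spy) >= 3:
        patterns.append("RAT-like: %d surveillance capabilities plus network access" % len(spy))
    if "draw overlays on other apps" in caps and "intercept incoming SMS" in caps:
        patterns.append("banking-overlay-like: can fake a login screen and grab the SMS second factor")
    return {"package": package, "capabilities": sorted(caps),
            "indicators": indicators, "patterns": patterns}


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

Permissions alone prove nothing: an SMS client legitimately reads SMS and a navigation app legitimately tracks location. The signal is the mismatch between the app's stated purpose and its capability set, plus the structural tricks (priority receiver, device admin) that a benign flashlight has no reason to use. On Android 6 and later several of these are runtime permissions, so a manifest scan tells you what the app can ask for, not what the user has granted.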
24. Commercial RAT Examples – SandroRAT/DroidJack Evolution
• Sandroid -> SandroRAT -> DroidJack
• No root access required!
• 8,380 DroidJack tutorials currently on Google
26. Network Proxy to Corporate Resources
• NotCompatible.C
– General purpose, proxying network (TCP/UDP)
– Has been used for spam, bruteforce, bulk ticket purchase
• Banks & other Enterprises could be a next target
27. Threats Summary
• Advanced/targeted attacks are real
– More dominant in Asia, with China being a major player
– Global threat - HackingCrew, HackingTeam
• The most dominant threat is RATs
– Android – easiest to infect, highly commercialized
– Jailbroken iOS – has been done only in targeted attacks
– Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
– Applicable to iOS and Android; more problematic for Android due to a highly fragmented market
– Associated only with advanced/targeted attacks
• Network based attacks
– Imminent threat, no malicious incident reported yet
28. Taking action is easy
IBM Mobile Threat Management can effectively prevent
and take action against malware & threats
30. Taking action is easy - using layered security
The MaaS360 layered security model:
• Secure the Device
• Secure the Content
• Secure the App
• Secure the Network
31. Taking action is easy
Managed Devices (Owned/BYOD) – Device level security
• Using EMM/MDM to enforce sensitive information access policy
• MDM should include advanced rooting/jailbreak & malware detection
• Scan home-grown apps for vulnerabilities
Unmanaged Devices (Customers, partners, agents, brokers, contractors) – Application level security
• Every app should have capabilities to assess device security
• In-app enforcement of sensitive info/operations
• Scan home-grown apps for vulnerabilities
32. IBM MaaS360 Mobile Threat Management
Detects, analyzes and remediates mobile risks
delivering a new layer of security for Enterprise Mobility
Management (EMM) with the integration of IBM
Security Trusteer® to protect against:
• Mobile malware
• Suspicious system configurations
• Compromised jailbroken or rooted devices
33. IBM Security QRadar integration with MaaS360
• Continuous Mobile Visibility
– Detect when smartphones and tablets are attempting to connect to the network
– Monitor enrollment of personally owned and corporate-liable devices
– Gain awareness of unauthorized devices
– Learn when users install blacklisted apps and access restricted websites
• Compromised Device Remediation
– Uncover devices infected with malware before they compromise your enterprise data
– Identify jailbroken iOS devices and rooted Android devices
– Set security policies and compliance rules to automate remediation
– Block access, or perform a selective wipe or full wipe of compromised devices
View MaaS360 compliance rule violations through IBM Security QRadar
34. View Out of Compliance events from MaaS360 on QRadar
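Slides 31 and 33 describe the remediation loop in words: an EMM agent reports device posture, compliance rules turn that into a violation, and the violation drives block, selective wipe or full wipe. The following is an added example of that policy evaluation, written for this page and not taken from MaaS360, QRadar or any IBM code; the posture fields, rule set, blacklisted package names and device reports are all constructed. Two points it makes that the slides do not: evaluation must fail closed when the agent cannot report jailbreak/root state (jailbreak hiders such as xCon and FLEX exist precisely to blank that signal), and the most severe action is capped by ownership so a personal BYOD device is never fully wiped.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Remediation actions ordered by severity; the most severe triggered action wins.
SEVERITY = {"allow": 0, "alert": 1, "block_access": 2, "selective_wipe": 3, "full_wipe": 4}

# Constructed blacklist (made-up package names) standing in for an EMM app blacklist.
BLACKLISTED_APPS = {"com.example.unapproved-filesync", "com.example.rooting-toolkit"}


@dataclass
class Posture:
    """Device facts as an EMM/MDM agent would report them. None means 'not reported'."""
    device_id: str
    os: str                       # "ios" or "android"
    os_version: str               # e.g. "4.3"
    ownership: str                # "corporate" or "byod"
    passcode_set: Optional[bool]
    compromised: Optional[bool]   # jailbroken / rooted
    malware_detected: bool
    installed_apps: Set[str]


def version_tuple(v: str):
    return tuple(int(x) for x in v.split("."))


def violations(p: Posture):
    """Apply the compliance rules; each hit carries the action it asks for."""
    hits = []
    if p.malware_detected:
        # Full wipe only for corporate-liable hardware; BYOD loses just the corporate container.
        hits.append(("malware detected",
                     "full_wipe" if p.ownership == "corporate" else "selective_wipe"))
    if p.compromised is True:
        hits.append(("jailbroken/rooted device", "block_access"))
    elif p.compromised is None:
        # Fail closed: a hidden or unreported jailbreak must not pass as clean.
        hits.append(("compromise state not reported", "block_access"))
    if p.passcode_set is not True:
        hits.append(("no device passcode", "block_access"))
    if p.os == "android" and version_tuple(p.os_version) < (4, 4):
        hits.append(("Android %s: unpatched AOSP browser / Master Key issues" % p.os_version,
                     "block_access"))
    bad = p.installed_apps & BLACKLISTED_APPS
    if bad:
        hits.append(("blacklisted app installed: " + ", ".join(sorted(bad)), "alert"))
    return hits


def evaluate(p: Posture) -> dict:
    """Collapse all hits into the single action the EMM should take for this device."""
    hits = violations(p)
    action = max((a for _, a in hits), key=SEVERITY.__getitem__, default="allow")
    return {"device": p.device_id, "violations": [name for name, _ in hits], "action": action}


# Constructed device reports covering each branch of the rules.
FLEET = [
    Posture("corp-001", "ios", "9.2", "corporate", True, False, True, set()),
    Posture("byod-002", "android", "5.1", "byod", True, False, True, {"com.example.unapproved-filesync"}),
    Posture("byod-003", "ios", "9.2", "byod", True, None, False, set()),
    Posture("corp-004", "android", "4.3", "corporate", False, False, False, set()),
    Posture("corp-005", "ios", "9.2", "corporate", True, False, False, set()),
]

if __name__ == "__main__":
    for device in FLEET:
        print(evaluate(device))
```

The returned dict is the shape of event you would forward to a SIEM for the consolidated reporting slide 33 describes: one record per device, the rule names that fired, and the action taken, so an analyst can see why a device was blocked rather than only that it was.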
35. Summary
• Malware exists on mobile and can pose a significant threat to your
organization’s IP / data
• Trusteer can aid in safeguarding this on mobile
• MaaS360 + Trusteer can detect and take actions on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated
reporting
36. Talk to a Mobile Expert: Visit IBM MaaS360 in the Expo Hall
Talk to an IBM MaaS360 Expert, Watch a Demo and Receive a
Mobile Themed Giveaway!
• Charge your Device Courtesy of MaaS360
• IBM Security Booth #314 (**charger location)
• IBM MobileFirst Booth #530 (**charger location)
• IBM Box Booth #202
• AT&T Booth #561
Like what you see? Try us out!
• Visit ibm.com/maas360 for free trial details
38. Notices and Disclaimers (cont'd)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®,
FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG,
Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®,
StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business
Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
39. Thank You
Your Feedback is Important!
Access the InterConnect 2016 Conference Attendee
Portal to complete your session surveys from your
smartphone, laptop or conference kiosk.