The Rise of Mobile Spyware
By Michael Shaulov
Mobile devices are the new platform for cyber-espionage. First, these devices provide constant access to the organization through enterprise mail, CRM and dedicated apps. Second, the large amount of sensitive corporate information these devices store and process makes them highly coveted by targeted attackers.
Mobile cyber espionage is carried out through dedicated spyware, a.k.a. Mobile Remote Access Trojans (mRATs). Once installed, mRATs can eavesdrop and record their surroundings—for example, record customer calls and board meetings—extract call and text logs, track the locations of executives, snoop on corporate emails and their attachments, and serve as a foothold on the corporate LAN from which malware can propagate to other endpoints.
Mobile Spyware in the Wild
In October 2012, Lacoon Mobile Security partnered with global cellular network providers to sample 250K subscribers. The results were astonishing: 1 in 1000 devices was infected with mobile surveillance software, and a whopping 52% of the infected devices were running iOS. While the sampling focused on commercial offerings of mRATs, more targeted attacks, most likely originating from nation states, have recently started to dominate the headlines. Highly publicized examples include:
- FinSpy, by The Gamma Group (August 2012, March 2013)—Reportedly targeted journalists and civilian activist groups worldwide. FinSpy can turn on the mobile’s microphone, take screenshots and bypass encryption of stored data and communications. FinSpy infected mobile devices using spear-phishing emails and, according to forensic results, utilized exploitation capabilities for iOS and Android.
- LuckyCat (July 2012)—Research into a PC-based APT attack led to the infiltration of the Chinese C&C server. Files exposed on the attacker’s server showed mobile data collection.
- Android-targeted malware against Tibetan activists (March 2013)—Spear-phishing emails sent from the compromised account of a prominent Tibetan activist included a rogue Android package file. Once installed, the malicious app retrieved call logs, text messages, geo-location information and contact lists.
Mobile Device Management (MDM) Solutions Do Not Fit the Bill
Mobile Device Management (MDM) solutions and their extended offerings—secure containers—do not provide a solution against these threats. Yet MDMs are perceived as the ultimate security solution. Case in point, from Gartner’s October 2012 report: “Over the next five years, 65% of enterprises will adopt a mobile device management (MDM) solution for their corporate liable users.” The mRAT, though, undermines the three basic assumptions of MDMs and secure containers:
- Encryption of business data
- Encryption of communications to the business
- Detection of jailbreaking / rooting of devices
The last point is highly pertinent as mRATs require the jailbreaking/rooting of the device. But looking at the current state of mobile devices, jailbreaking/rooting detection can easily be bypassed:
- Android: rooting detection mechanisms do not check for apps that exploit an OS vulnerability, yet any process that is able to trigger a vulnerability in the OS can run as the administrator user (effectively rooting the device). Interestingly, every Android version up until now has had such a vulnerability.
- iOS: the jailbreaking “community” is vociferous and motivated. In fact, an October jailbreaking technique, nicknamed Evasion, garnered 7M hacked devices in just four days. Moreover, different projects such as the xCon collaborative project openly share tips and methods to bypass MDM jailbreak detection.
Once the device is jailbroken or rooted, the mRAT is able to bypass the encryption mechanism. Rather than attacking the encryption technique directly, the mRAT grabs the data at the point where the user pulls up the data to read it. At that stage—when the content is decrypted for the user—the spyware can take control of the content and send it on to the attacker.
How Are IT Teams Responding?
Currently, IT teams are recognizing the shortcomings of MDM and secure container solutions in protecting their sensitive data. Many teams are trying to deploy in-house solutions that monitor all data leaving the devices. About once a month, they examine the collected data and try to assess the security posture of these devices.
It’s easy to see, however, that these in-house attempts do not scale. To begin with, the testing is performed on a small set of devices. Second, the data is analyzed offline—losing the opportunity to block data-pilfering attacks in real time. Third, these solutions are costly—requiring the hiring and development of individuals with a specific skill set, setting aside an appropriate amount of time, and building the automated tools in-house.
For these reasons, many companies are looking for external solutions to help them protect against such targeted mobile threats. The external solutions provide the visibility into mobile activity required to mitigate attacks in real time. In particular, they provide:
- Enforcing protection around key stakeholders in the organization (these include executives, M&A employees, traders, sales and researchers).
- Analyzing the risk involved with each device, including:
  - A behavioral analysis of the downloaded applications
  - Calculating the risk associated with the device’s operating system vulnerabilities and usage
  - Conducting a multi-event analysis to uncover new, emerging and targeted attacks
- Enforcing network protection when the risk is high:
  - Blocking exploits and drive-by attacks
  - Containing devices from accessing corporate resources
  - Securing device communication on public hotspots
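The in-house monitoring described under "How Are IT Teams Responding?" and the per-device risk analysis listed above both come down to combining several signals per device into one decision. The following Python script is an added example, not code from the article or from Lacoon's product: it scores constructed device records and egress log lines on the signals the text names (jailbroken/rooted state, outdated OS, unknown destinations, bulk egress, high-value owner), applies a simple multi-event rule, and contrasts the batch assessment with a per-event containment check that could run in real time. The device inventory, log format, allowlist, thresholds and weights are all constructed for illustration.

```python
"""Per-device mobile risk scoring over constructed telemetry (added example)."""
from dataclasses import dataclass

# Constructed inventory as an MDM agent might report it (hypothetical fields).
DEVICES = {
    "dev-001": {"owner_role": "executive", "os": "iOS", "os_version": "6.1.2", "jailbroken": True},
    "dev-002": {"owner_role": "sales", "os": "Android", "os_version": "4.0.4", "jailbroken": False},
    "dev-003": {"owner_role": "engineer", "os": "Android", "os_version": "4.2.2", "jailbroken": False},
}

# Constructed policy values: minimum acceptable OS version per platform.
MIN_OS_VERSION = {"iOS": (6, 1, 3), "Android": (4, 2, 2)}

# Constructed egress log, one event per line: timestamp device dst_host bytes_out
EGRESS_LOG = """\
2013-04-01T09:00:12 dev-001 mail.example-corp.test 18342
2013-04-01T09:01:40 dev-001 203.0.113.7 4920031
2013-04-01T09:02:05 dev-002 crm.example-corp.test 2211
2013-04-01T09:05:33 dev-002 198.51.100.42 70412
2013-04-01T09:06:01 dev-003 mail.example-corp.test 9034
"""

ALLOWED_HOSTS = {"mail.example-corp.test", "crm.example-corp.test"}  # constructed allowlist
BULK_EGRESS_BYTES = 1_000_000          # constructed threshold for one bulk transfer
HIGH_VALUE_ROLES = {"executive", "trader", "researcher", "m&a"}  # key stakeholders


@dataclass
class Assessment:
    score: int
    level: str
    signals: list


def parse_version(version: str) -> tuple:
    """'6.1.2' -> (6, 1, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_egress(log_text: str) -> list:
    """Parse the constructed 'timestamp device dst_host bytes_out' lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device_id, dst, nbytes = line.split()
        events.append({"ts": ts, "device": device_id, "dst": dst, "bytes": int(nbytes)})
    return events


def device_signals(device_id: str, info: dict, events: list) -> list:
    """Return (signal_name, weight) pairs observed for one device. Weights are constructed."""
    signals = []
    if info.get("jailbroken"):
        signals.append(("jailbroken_or_rooted", 40))
    if parse_version(info["os_version"]) < MIN_OS_VERSION[info["os"]]:
        signals.append(("outdated_os", 20))
    mine = [e for e in events if e["device"] == device_id]
    if any(e["dst"] not in ALLOWED_HOSTS for e in mine):
        signals.append(("unknown_destination", 15))
    if any(e["bytes"] >= BULK_EGRESS_BYTES for e in mine):
        signals.append(("bulk_egress", 25))
    if info.get("owner_role") in HIGH_VALUE_ROLES:
        signals.append(("high_value_owner", 10))
    return signals


def risk_level(score: int) -> str:
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def assess_devices(devices: dict, log_text: str) -> dict:
    """Batch assessment: the monthly, offline review the article describes."""
    events = parse_egress(log_text)
    result = {}
    for device_id, info in devices.items():
        signals = device_signals(device_id, info, events)
        score = sum(weight for _, weight in signals)
        result[device_id] = Assessment(score, risk_level(score), [name for name, _ in signals])
    return result


def looks_targeted(assessment: Assessment) -> bool:
    """Multi-event rule: three or more independent signals on one device."""
    return len(assessment.signals) >= 3


def should_contain(info: dict, event: dict) -> bool:
    """Per-event check a network gateway could apply in real time: contain bulk
    egress to a non-allowlisted host from a jailbroken/rooted or outdated device."""
    compromised = bool(info.get("jailbroken")) or parse_version(info["os_version"]) < MIN_OS_VERSION[info["os"]]
    return compromised and event["dst"] not in ALLOWED_HOSTS and event["bytes"] >= BULK_EGRESS_BYTES


if __name__ == "__main__":
    for device_id, a in assess_devices(DEVICES, EGRESS_LOG).items():
        flag = " TARGETED?" if looks_targeted(a) else ""
        print(f"{device_id}: score={a.score} level={a.level} signals={a.signals}{flag}")
    for event in parse_egress(EGRESS_LOG):
        if should_contain(DEVICES[event["device"]], event):
            print(f"contain {event['device']} -> {event['dst']} ({event['bytes']} bytes)")
```

The batch path produces the monthly posture report; the per-event path is what the offline approach gives up, since `should_contain` can only block a transfer if it is evaluated while the transfer is happening. Keeping both on the same signal definitions keeps the two views consistent when thresholds change.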
Michael Shaulov is CEO and co-founder of Lacoon Mobile Security. Michael has ten years of experience researching and working in the mobile security space, keeping close tabs on the shift from feature-phones to smartphones.