The Rise of Mobile Spyware
By Michael Shaulov
In October 2012, Lacoon Mobile Security partnered with global cellular network providers to sample 250K subscribers. The results were astonishing: 1 in 1,000 devices was infected with mobile surveillance software, and 52% of the infected devices were running iOS. While the sampling focused on commercial offerings of mobile remote access trojans (mRATs), more targeted attacks, most likely originating from nation states, have recently started to dominate the headlines. Highly publicized examples include:
- FinSpy, by The Gamma Group (August 2012, March 2013)—Reportedly targeted journalists and civilian activist groups worldwide. FinSpy can turn on the device’s microphone, take screenshots, and bypass the encryption protecting communications. FinSpy was delivered to mobile devices through spear-phishing emails and, according to forensic results, used exploitation capabilities for both iOS and Android.
- LuckyCat (July 2012)—Research into a PC-based APT campaign led to the infiltration of the attackers’ Chinese C&C server. Files exposed on that server showed that mobile data was also being collected.
- Android-targeted malware against Tibetan activists (March 2013)—Spear-phishing emails sent from the compromised account of a prominent Tibetan activist carried a rogue Android package (APK) file. Once installed, the malicious app retrieved call logs, text messages, geo-location information and contact lists.
Mobile Device Management (MDM) solutions and their extended offerings, secure containers, do not address these threats. Nevertheless, MDMs are widely perceived as the ultimate security solution. Case in point, from Gartner’s October 2012 report: “Over the next five years, 65% of enterprises will adopt a mobile device management (MDM) solution for their corporate liable users.” The mRAT, though, undermines the three basic assumptions of MDMs and secure containers: