Latest Threats Against Mobile Devices
Dave Jevans
Founder, Chairman and CTO
2
CyberCrime: Threats Against Mobile Devices
October 2012
“User-owned computers and smart phones are more than twice as likely to be infected with malware”
3
Advanced Persistent Threats
• APTs typically involve compromises of users’ devices or credentials
• 45% of enterprises see increase in spear phishing attacks targeting employees
4
9 Critical Threats Against Mobile Workers
1. Malware, Trojans, Zero-day Attacks2. Key loggers3. Compromised Wi-Fi Hotpots4. Poisoned DNS5. Malicious & Privacy Leaking Apps6. Jail broken & Rooted Devices7. Un-patched OS Versions8. Spear Phishing9. Advanced Persistent Threats
5
Bring Your Own Device = New Threats
• Multiple users per device, with many
apps and websites visited
• Users connect to 10+ networks a month
• Attacks against end-users give access to corporate networks, data, and cloud services
• Cyber-criminals know this
7
Phishing Continues To Explode
• Phishing and Spear-Phishing is At Record Levels
8
Spear-Phishing
• Spear-phishing is the #1 way that APTs are instigated
• Use DNS blacklisting to prevent access to phishing sites
9
10
11
Email Service ProvidersAre An Important Attack Vector
12
• RSA Security breached• Targeted spear phishing infected several employees’ computers
• Seeds and serial numbers for tens of millions of SecureID tokens stolen
• Key customers attacked after this
1313
14
15
Android Fragmentation
16
Exponential Growth in Mobile Malware
Source: Kaspersky Labs, March 2013
17
• Sites infected with bad iFrame
• Checks User-Agent
• Update.apk sent to browser
• Installed if device allows apps from unknown sources
• com.Security.Update
18
Hacked Apps Posted to Markets
19
Example: Fake Instagram
20
Example: Fake Authentication Apps
21
Example: Battery Monitor Trojan
22
Compromised WiFi Hotpots
• WiFi hotspots can intercept and redirect traffic
• Evil-Twin attacks, DNS attacks, network snooping, session hijacking & sidejacking
• You need a VPN service for all users, on every WiFi
23
Sidejacking on Public WiFi
24
Poisoned DNS
• DNS poisoning takes remote employees to criminal sites
• Can be poisoned upstream at the ISP, not just at the WiFi hotspot
• Apps are particularly vulnerable due to poor implementations of certificate validation
25
DNS attacks recently reported
26
Privacy Leaking Apps
• Legitimate apps may upload your corporate directory to a service in the cloud
• That service may be hacked or resold, exposing all of your employees to spear-phishing attacks
• You should deploy a cloud service to scan and analyze apps for malicious behavior and privacy violations
27
Jail-broken & Rooted Devices
• You should prevent access from jail-broken iPhones and rooted Android devices
• Jail-broken/rooted devices have almost zero security protections
28
Unpatched OS Versions
• Unpatched OS and plug-ins are the main attack vector of criminals against your users
29
Live Example
• This example is a live example of taking over the iTunes app on an iPad
• Click twice and enter your device password. You’re owned.
30
Phishing or Spear-Phishing Lure
31
iOS Allows Unsigned and Unverified Profiles
32
Click “Install Now”
33
Enter Your Device Password(if you have set one)
34
iTunes App Removed, Fake iTunes Installed
35
Use Fake iTunes To Steal Passwords, etc
36
Things That A Profile Can Change
• Safari security settings can be disabled
• Javascript settings
• Local app settings
• Allow untrusted TLS connections
• Device settings
• Install X.509 certificates
37
Even Worse: Hostile MDM Profile
• Expands the scope of malicious capabilities to include‒ App replacement and installation‒ OS replacement‒ Delete data‒ Route all traffic to Man-In-The-Middle sites
38
Architecture
App Feeds
Marble App
Reputation Database
Marble App Analysis
Instrumented Marble Access
NetworksWiFisDNS reportsApp reportsDevice fingerprints
MarbleThreat
Database
Marble Threat Reports
Marble Control
Marble Threat LabNetwork Feeds
Marble Access
39
App Analysis Architecture
3rd Party Feeds
Marble App Reputation DB
Rate by newness, behaviour, publisher, spread rates
Download from various app stores & sideloading sites
Use Android Grinder and other tools for analysis
Incident Response & Analysts Team
40
Marble’s Dynamic App Security ArchitectureGoogle Play
Marble Access Mobile Device Client
User Interface
Alerts & Reports
Analytics Engine
Rules
Controller/Scheduler
App Crawler
Risk Engine
Correlation Engine
Marble Security
Lab
Jammer Scanner
Database
Database
Real-time user interface
simulation
DNS lookups, network threat
correlation engine
Network Information
Network Threat
Database
Data Feeds
Stored Apps
Customer’s Security Admin
Marble Security Analysts
Marble Control Service
App Queue
Analyzer
Apple App Store
Other App Stores
Dynamic App Analysis Engine