Understanding Mobile Threats

Version 1

    How Mobile Threats Infiltrate the Enterprise


    In today’s organizations, users increasingly use a wide range of mobile consumer devices— including smartphones, tablets, and laptops—to access valuable resources within the company network. As malware grows more abundant, threats to those types of devices become more dangerous.


    Cybercriminals use mobile devices as stepping stones to gain access to an enterprise's internal network and reach proprietary data. Here are some examples of mobile malware threats to the enterprise:


    • A data stealer app downloads authentication data, which the attacker uses to log in to the corporate network.
    • A root exploit impersonates the owner and sends forged text messages to business partners.
    • A surveillance app accesses calendar data to find out when an important meeting will occur, and makes an audio recording of the meeting.
    • A command and control (CnC) app downloads email messages, proprietary code, and other sensitive data from a company's internal servers.


    This trend has opened up a new threat vector for organizations already struggling to protect critical business data, intellectual property, and customer data.


    Stopping the Mobile Infection Lifecycle


    MTP Management Cloud identifies incidents correlated with phases of the mobile infection life cycle, and analyzes the incidents using the FireEye Multi-Vector Virtual Execution (MVX) engine. Rather than relying on binary signatures, the MVX engine detonates apps within instrumented virtual environments. The MVX engine uses dynamic analysis to examine various malware parameters. Using contextual correlation—connecting disparate actions for a full picture of the app's intent—it flags suspicious behaviors. This approach makes MTP Management Cloud resistant to obfuscation, code manipulation, and evasion techniques. The MVX engine ensures that MTP Management Cloud identifies known and unknown threats that other mobile security layers miss.


    Types of Mobile Threats


    MTP Management Cloud monitors many different kinds of mobile threats, including threats that have yet to be discovered. Mobile threats do not work in isolation. Attackers often create and distribute malware that uses more than one type of threat. Some threats infect a device and pave the way for other threats to start exploiting it.


    See the following sections for details about some of the common threats that MTP Management Cloud protects against:

        • Callback Activity
        • Data Theft
        • Bypassed Permissions
        • Root Exploits
        • Surveillance
        • Targeted Malware
        • Vulnerabilities
        • Adware
        • Premium Service Abusers
        • Masque Attacks


    Callback Activity


    MTP Management Cloud immediately flags an app as high risk when it observes outbound communications associated with a remote command and control (CnC) server, indicating that there is an established connection between an infected device and the CnC server. The activity can include botnet command and control communications, uploads of confidential information, and downloads of secondary payloads, such as spyware.


    Some of these high-risk apps prompt users to perform an update. When the user follows the update prompt, these malware apps install malicious packages and set up CnC connections.


    To avoid detection by antivirus software that might catch outgoing transactions, these apps encrypt the URLs of their CnC servers, root exploits, and embedded APK files.


    Data Theft


    Apps that perform data theft disguise themselves as legitimate apps, or are injected by malicious payloads that hackers repackage with common mobile apps. These apps are also known as "data stealers" because they steal OS versions, device IDs, Wi-Fi states, network types, International Mobile Subscriber Identities (IMSIs), International Mobile Station Equipment Identities (IMEIs), phone numbers, VPN login data, SMS messages, and GPS location information. The stolen information, which can be used for future attacks, is encrypted and sent via HTTP POST.


    The most high-risk data stealer apps directly target banks and online banking customers. Some data stealer apps steal emails containing bank account login credentials. Other data stealers steal SMS messages containing mobile transaction number (mTAN) codes, and send stolen credentials and device information to an attacker's mobile number and to a remote server.


    Bypassed Permissions


    App stores require app developers to disclose the permissions their apps request of users. However, some apps bypass higher-level permissions requirements and use native OS functionality or lower-level permissions requests to launch exploits. Because app stores do not alert users about lower-level permissions requests, you may see a notification, such as the one below, that an app is not requesting higher-level permissions.




    This type of notification does not disclose behind-the-scenes behaviors that don't require user interaction.


    Root Exploits


    Rooting-capable malware infects mobile devices to gain root privileges, which give malicious remote users access to a device's files and flash memory. Rooting helps malware drop copies of itself onto devices. Some apps drop copies of themselves in flash memory to avoid detection and deletion by antivirus products.


    Rooting-capable apps obtain access to devices by disguising themselves as app installers and asking for administrative privileges to install apps.


    When a malware app obtains root privileges, it can install or uninstall any other app. For example, a malware app may contain embedded applications with back-door threats (threats that allow remote access to the device). Malware apps can convert devices into bots (devices that are controlled remotely and prompted to perform automated tasks for the benefit of the attacker).


    Rooting-capable apps are known for leaking sensitive information, such as International Mobile Station Equipment Identities (IMEIs), Subscriber IDs, the names of installed apps, and network information in an obfuscated manner to remote servers. They are also known for sending unauthorized premium SMS messages in the background without the user’s knowledge.


    Root exploits can be used to steal passwords, authentication tokens, and data, not only on your mobile devices, but also on any cloud services that your device can access. For example, with root exploits, attackers can easily get all your Gmail information and Dropbox files, and monitor all your Skype communications.


    In addition to root exploit apps, there are "helper apps" that enable root exploits to infect devices. Carefully examine all app behaviors, and be aware of apps that execute the su command, which escalates an app's privileges.

    Surveillance


    Mobile device spyware monitors information stored on infected devices. For example, an app that includes spyware can read and monitor a device's model, OS, device ID, GPS location, contacts, SMS messages, email messages, and the names of installed apps. Although spyware apps can send the stolen data to specific URLs via HTTP posts, they tend to focus more on surveillance than data theft.



    Targeted Malware


    Targeted malware consists of apps that disguise themselves as legitimate apps, and then perform high-risk activities in the background. Some examples of targeted malware include:


    • Fake wallpaper apps that turn devices into bots used for producing cryptocurrency (digital currency) in a process known as "bitcoin mining." The process uses the device's battery power and processor to perform operations without the user's consent.
    • Fake antivirus apps and games that read the contacts on a device and send spam email messages to them.
    • Fake app store apps that read sensitive data and send data in the background without the user's consent.



    Vulnerabilities

    Vulnerabilities allow remote attackers to perform high-risk operations by exploiting "security holes" in operating systems and protocols. Some examples of vulnerabilities that affect mobile users include the following:


    - JavaScript vulnerabilities:

    o JavaScript Binding over HTTP is a vulnerability that affects Android 4.1 and below. If an app running on Android 4.1 or below uses the JavaScript binding method addJavascriptInterface and loads the content in the WebView over HTTP, then a remote attacker can hijack the HTTP traffic, inject malicious content into the WebView, and take control over the host application.

    o JavaScript sidedoor is a vulnerability that affects ad libraries. If an ad library uses the @JavascriptInterface annotation to expose security-sensitive interfaces and loads the content in the WebView over HTTP, then a remote attacker can inject malicious content into the WebView to misuse the interfaces exposed through the JavaScript binding annotation.


    For more information, see http://www.fireeye.com/blog/technical/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html.


    - OpenSSL Heartbleed is a vulnerability that allows malicious servers to attack vulnerable clients and steal sensitive information. The OpenSSL Heartbleed vulnerability mostly affects games and office-based apps.


    See http://www.fireeye.com/blog/technical/2014/04/if-an-android-has-a-heart-does-it-bleed.html
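The addJavascriptInterface weakness from the JavaScript Binding over HTTP item above, shown as an added example (not code from the FireEye documentation): a WebView bridge exposed to a page fetched over plain HTTP next to a hardened configuration. The Activity, the DeviceBridge class, its method names and the URLs are hypothetical placeholders.

```java
// Added example, not from the FireEye documentation. Activity, bridge class,
// method names and URLs are hypothetical placeholders.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class BindingDemoActivity extends Activity {
    // Object bound into the page's JavaScript namespace via addJavascriptInterface.
    static class DeviceBridge {
        // With targetSdkVersion >= 17 on Android 4.2+, only annotated methods are callable from JS.
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0";
        }

        // Not annotated. On Android 4.1 and below the annotation is not enforced, so every
        // public method (and, through getClass(), Java reflection) is reachable from the page's JS.
        public String readDeviceId() {
            return "placeholder-device-id"; // stands in for a sensitive value
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        setContentView(webView);

        // VULNERABLE: bridge exposed to content fetched over plain HTTP, so whoever can
        // tamper with that traffic controls what the page's JavaScript does with the bridge.
        // webView.addJavascriptInterface(new DeviceBridge(), "bridge");
        // webView.loadUrl("http://example.invalid/page.html");

        // HARDENED: HTTPS only, annotated methods only (targetSdkVersion >= 17), and no
        // bridge at all on releases where the annotation is not enforced.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new DeviceBridge(), "bridge");
        }
        webView.loadUrl("https://example.invalid/page.html");
    }

    // Drop the bridge before navigating to content the app does not control.
    void loadUntrusted(WebView webView, String url) {
        webView.removeJavascriptInterface("bridge");
        webView.loadUrl(url);
    }
}
```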


    Adware

    Mobile adware is code within ad networks that can access more data and perform more functions on your device than you may be aware of. Adware can read device information and post that information to its server. It downloads information about ads from its server and tries to download the advertised apps to the user's device. If the apps are successfully downloaded, the adware asks users to install them. After the apps are installed, the adware can automatically launch the installed ads. Google Play doesn't block adware.



    Premium Service Abusers


    Apps in this category cause users to be charged for services they were not aware they were using, which increases their monthly charges.


    Masque Attacks


    Masque Attacks exploit various vulnerabilities of the iOS app installation process and pose serious threats to users. Both jailbroken and non-jailbroken devices are vulnerable to Masque Attacks.


    Masque Attacks can be launched by rogue apps to replace legitimate App Store apps with malware and access storage and steal sensitive data or user credentials stored by the official app. Some other Masque Attacks can hijack the infected device's network traffic and disable MDM. Even official App Store apps can be vulnerable to URL hijacking, which is one of several types of Masque Attacks. Furthermore, attackers can abuse powerful iOS private APIs or exploit other iOS vulnerabilities to perform advanced persistent attacks.


    Legitimate iOS apps on the App Store are reviewed by Apple, which rejects apps that use private APIs or perform explicit malicious behaviors. By using the enterprise and ad-hoc distribution methods, though, attackers can deploy malicious apps that bypass the App Store yet run on non-jailbroken devices.