A recent study by McAfee found that over 60% of Android malware samples they received were from a single family of malware, known as “FakeInstaller.” FakeInstallers disguise themselves as legitimate apps. They may be available on a web page that pretends to be an official website or on an unofficial, fake Android Market with no protection against malware. Once installed, they send premium-rate SMS text messages in the background, costing you money.

On Android 4.2, the built-in malware protection would hopefully catch a FakeInstaller as soon as it’s sideloaded. Even if it didn’t, Android would alert the user when the app tried to send SMS messages in the background.

Another recent study by F-Secure, which found that Android malware was exploding, found a scary-sounding 28,398 samples of Android malware in Q3 2012. However, only 146 of these samples came from Google Play – in other words, only 0.5% of malware found was from Google Play. 99.5% came from outside Google Play, particularly on unofficial app stores in other countries where no checking or policing for malware is done.
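The FakeInstaller behaviour described above (a "free app" that needs to send SMS in the background) is visible in an app's manifest before it ever runs. The following is an added example, not code from the deck or from any vendor it mentions: a static triage script that reads a decoded AndroidManifest.xml (real APKs store it as binary XML, so it assumes the manifest has already been decoded, for instance with apktool) and flags the permission combination typical of premium-SMS senders. The sample manifest, package name and scoring rules are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for premium-SMS abuse indicators.

Added example (not from the slide deck). Assumes the manifest is plain XML;
the sample below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that, in combination, are typical of FakeInstaller-style
# premium-rate SMS senders: the app can send/receive SMS and run in the
# background without the user ever opening it.
SMS_ABUSE_INDICATORS = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate charges)",
    "android.permission.RECEIVE_SMS": "can intercept SMS (hide carrier confirmations)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start itself at boot (background persistence)",
}

# Constructed sample: a "video player" asking for SMS permissions it has no use for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Free Video Player">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, declared_purpose_is_messaging: bool = False) -> dict:
    """Score a manifest against the SMS-abuse indicators.

    A messaging app legitimately needs SMS permissions, so the caller states
    whether the app's declared purpose is messaging. Anything else that asks for
    SEND_SMS is sent for manual review; SEND_SMS plus boot persistence in a
    non-messaging app is blocked outright.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    hits = {p: why for p, why in SMS_ABUSE_INDICATORS.items() if p in perms}

    verdict = "ok"
    if hits and not declared_purpose_is_messaging:
        verdict = "review"
    if ("android.permission.SEND_SMS" in hits
            and "android.permission.RECEIVE_BOOT_COMPLETED" in hits):
        verdict = "review" if declared_purpose_is_messaging else "block"

    return {
        "package": root.get("package"),
        "permissions": perms,
        "indicators": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "->", result["verdict"])
    for perm, why in result["indicators"].items():
        print(f"  {perm}: {why}")
```

The rules are deliberately coarse: the point is to catch the mismatch between what an app claims to be and what it asks to do, which is exactly the disguise FakeInstaller relies on, and to route such apps to a human before they reach a managed device.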
App certs
2-factor user authentication
Mobile security blog
Understanding Mobile Security in a BYOD world
20 steps to success
Remember the days when the IT security admin had a policy for connecting PCs to the corporate network? That world is over!
The Policy:
• Your PC must be owned and issued by the company
• Your PC must be connected to the corporate domain
• Your PC must be running anti-virus software
• You will not have local administrative access to your PC
BYOD - According to data from Aberdeen, 75 percent of companies allow employee-owned smartphones and/or tablets to be used at work. Meanwhile, Gartner predicted that this number would rise to 90 percent by 2014
Step 1: Understand that the smartphone device is a computer with more features
[Diagram: Smartphone – Phone, 3G, WIFI, Operating System, Native App, Browser, Email, GPS; Computer – LAN, WIFI, Operating System, Native App, Browser, Email]
Step 2: Understand the platforms and issues
Android accounted for 79% of all malware in 2012, up from 66.7% in 2011 and just 11.25% in 2010. This sharply contrasts with Apple’s iOS statistics, only yielding 0.7% of malware on its platform: F-Secure
Step 3: Understand the scope of the problem
• Many types of devices – iPhone, iPad, Android, RIM, MS… (not to mention many carriers, handset manufacturers and versions of handsets…)
• Many versions of OS – iOS versions, Android versions etc… all with different functionality and security issues
• While apps on Google Play are checked for malware, apps that are sideloaded (installed from elsewhere) were not checked for malware prior to Android 4.2—with 4.2, when you first try to sideload an app, you’ll be asked whether you want to verify sideloaded apps are safe
• Every iOS device running version 4.3.5 is vulnerable to SSL MITM which hackers can exploit easily. Since Apple won't allow certain device categories to be upgraded to this level it means that there are millions of permanently exploitable devices out there.
• Different OS architectures – e.g. iOS is very different from Android
• IT Knowledge – Mobile hardware is not well understood by IT organizations
• User Knowledge – Users don’t always know what they are downloading onto their phones and the impact
• Fewer tools – The market is not mature, it’s fragmented but growing fast
More Fun
• FinSpy, by The Gamma Group (August 2012, March 2013) – Reportedly targeted journalists and civilian activist groups worldwide. FinSpy can turn on the mobile’s microphone, take screenshots, and bypass encryption methods and communications. FinSpy was infecting mobile devices using spear-phishing emails, and according to forensics results, utilized exploitation capabilities for iOS and Android.
• LuckyCat (July 2012) – Research into a PC-based APT attack led to the infiltration of the Chinese command and control (C&C) server. Files exposed on the attacker’s server showed mobile data collection.
• Red October’s mobile component (January 2013) – The Red October campaign targeted embassies, governments and federal agencies. Malware behavior included the gathering of all data on the victim’s mobile devices (iPhone, Nokia and Windows mobile) upon mobile sync with the PC. Additionally, it installed a backdoor on Windows mobile phones.
• SD-Card malware (February 2013) – Users downloading Google apps that masqueraded as cleanup tools were hit with audio-recording malware upon mobile sync with their PCs
• Android-targeted malware against Tibetan activists (March 2013) – spear-phishing emails sent from a compromised account of a prominent Tibetan activist included a rogue Android package file. Once installed, the malicious app retrieved call logs, text messages, geo-location information and contact lists.
http://tabbforum.com/opinions/spyphones-anatomy-of-a-mobile-attack?print_preview=true&single=true
Step 4: Start with the assumption that the devices trying to connect to your network have been compromised
Step 5: Understand that the iOS and RIM 10 OS’s are more secure than your laptop OS (click links below)
iOS security architecture
Blackberry 10 security architecture
Android has the potential to be more secure since it is Linux based, but many of the Linux security features are not enabled
Android security architecture
**learn about SE Android at http://selinuxproject.org/page/SEAndroid
Step 6: Understand what specifically needs to be secure
Data!
Data
• Data at Rest – How do you secure the enterprise/agency data on the device itself?
• Data in Motion – How do you secure the connection between the device and the enterprise
– This is the bigger threat since it is a direct line into the agency and can be used to extract significantly more information than just what is on the device
Step 7: How do you attach a device to your network securely (i.e. configure it and lock it down) and keep the device compliant?
MDM (Mobile Device Management)!
MDM
• From a security standpoint the MDM must support
– Device certs
– Service certs (WIFI, VPN etc..)
– User authorization
** try not to create another group/policy authorization infrastructure, buy an MDM that bolts into your current directory infrastructure
• Solutions Review Buyers Guide (here)
Good uses Boxtone’s MDM
Only MDM that secures the MDM server infrastructure
Step 8: Create a Mobile Security Policy
(How to create here)
(Gov BYOD policy here)
A key policy issue of BYOD which is often overlooked is BYOD’s phone number problem, which raises the question of the ownership of the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises.
Step 9: Secure Apps your company creates
Secure Containers!
Secure Container Options
• Virtualization and Dual Persona Solutions
– VMWare, OK-Labs, Divide, Fixmo SafeZone
• Embedded SDK – Use their SDK when you build the app
– Air-Watch, Good Technology
• Wrapping – Post code injection
– Mocana
Step 10: Invest in secure apps for email, calendar, browsing, IM, doc editing and file sharing
Good Technology
Step 11: Secure the Apps your employees download from public App Stores
You don’t always need to if you have MDM and Secure Apps, but if you do, look at Appthority
Step 12: Understand that you don’t need virus detection software on the device
There is not enough CPU, bandwidth & memory on the device to keep up… if you have completed the other steps you are fine.
Step 14: Worry about device integrity
Bit-level comparison of the device
Fixmo
Kaprica
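The "bit-level comparison" on this slide means taking a known-good image of the device and checking later snapshots against it. The following added example (not code from the deck, and not Fixmo's or Kaprica's product) shows the core of that technique in software: hash every file under a tree, store the result as a baseline, and report what was added, removed or modified. On a real device the tree would be the read-only system partition; here a small constructed tree is built in a temporary directory, tampered with, and re-checked.

```python
"""File-integrity baseline comparison (software stand-in for a device integrity check).

Added example, not from the deck or any vendor. The sample tree is constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root (relative path -> sha256).

    Symlinks are skipped so a planted link cannot make a foreign file look
    like part of the baseline.
    """
    result: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a baseline and a later snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def build_constructed_tree(root: str, files: dict[str, bytes]) -> None:
    """Write constructed sample files (relative path -> content) under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo() -> dict[str, list[str]]:
    """Baseline a constructed 'system' tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root, {
            "system/bin/sh": b"#!/system/bin/sh\n",
            "system/lib/libc.so": b"\x7fELF-placeholder-libc",   # constructed, not a real ELF
            "system/etc/hosts": b"127.0.0.1 localhost\n",
        })
        baseline = snapshot(root)

        # Simulated tampering: modified shell, planted binary, deleted config.
        build_constructed_tree(root, {
            "system/bin/sh": b"#!/system/bin/sh\n# modified\n",
            "system/xbin/su": b"planted-placeholder",
        })
        os.remove(os.path.join(root, "system/etc/hosts"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two details matter in practice: the baseline must be stored off the device (or signed), otherwise whatever modified the file system can also modify the baseline, and the hashing must run over the raw partition rather than through an API the device's own software controls, which is why the commercial products do it at the bit level.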
Step 15: Understand a device (mostly non-iOS) can still get infected with Malware, but if you do all the previous steps you won’t lose corporate data; however, the user still might lose their personal data
Step 16: Answer your employees’ questions
Q: Can I get malware on my device that can a) use the phone, microphone or camera to surreptitiously record information, b) do keystroke logging, c) gather information on my location or d) forward information from my device (e.g. my contacts)?
A: You can, but if you are enrolled in our MDM and use our “secure apps” you will not lose corporate information
Step 17: Answer your employees’ questions
Q: How can I ensure I don’t lose personal information?
A: Understand what not to do (here)
A: Here is another specific example of what not to do: “download other provisioning profiles” – these are installed by the user via a phishing attack and can be used to reroute traffic to malicious servers, monitor a wide array of device and user activity, and install root certificates.
Step 18: Answer your employees’ questions
Q: What happens if I lose my device?
A: With the MDM you can lock, find and wipe the device remotely
Step 19: Answer your employees’ questions
Q: Am I still vulnerable to non-malware exploits?
A: No, the MDM will keep you safe… well, until it’s compromised…
Network Exploits - Network exploits take advantage of software flaws in the system that operates on local (e.g., Bluetooth, WiFi) or cellular networks. Network exploits often can succeed without any user interaction, making them especially dangerous when used to automatically propagate malware. With special tools, attackers can find users on a WiFi network, hijack the users’ credentials, and use those credentials to impersonate a user online. Another possible attack, known as bluesnarfing, enables attackers to gain access to contact data by exploiting a software flaw in a Bluetooth-enabled device.
Data interception - Data interception can occur when an attacker is eavesdropping on communications originating from or being sent to a mobile device. Electronic eavesdropping is possible through various techniques, such as (1) man-in-the-middle attacks, which occur when a mobile device connects to an unsecured WiFi network and an attacker intercepts and alters the communication; and (2) WiFi sniffing, which occurs when data are sent to or from a device over an unsecured (i.e., not encrypted) network connection, allowing an eavesdropper to “listen to” and record the information that is exchanged.
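The data-interception risk on this slide (and the "Data in Motion" point under Step 6) is decided mostly by how the app on the device sets up its TLS connection. As an added example, not code from the deck, the block below places the client configuration that makes a hotspot man-in-the-middle trivial next to the hardened one an enterprise app should ship, and adds pinning of the server's leaf certificate by SHA-256 fingerprint so that even a trusted-but-rogue CA (for instance a root certificate installed through a malicious provisioning profile, as Step 17 warns) cannot impersonate the enterprise endpoint. The host name, pin value and DER bytes in the demo are constructed placeholders.

```python
"""Client-side TLS settings that resist interception on untrusted networks.

Added example (not from the deck). Placeholders are constructed; no network
access is needed for the demo path.
"""
import hashlib
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """What NOT to ship: accepts any certificate, so a hotspot operator can
    present their own certificate and read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the trust store, check the hostname, and
    refuse TLS versions below 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, expected_pins: set[str]) -> bool:
    """True if the presented leaf certificate's fingerprint is one we pinned.
    Keep more than one pin so a certificate rotation does not lock users out."""
    return cert_fingerprint(cert_der) in expected_pins


def assess_context(ctx: ssl.SSLContext) -> list[str]:
    """List the weaknesses of a client context; an empty list means acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows TLS versions below 1.2")
    return problems


def fetch_pinned(host: str, expected_pins: set[str], port: int = 443) -> bytes:
    """Connect with the hardened context and additionally enforce the pin.
    Needs a live server, so it is not exercised by the offline demo."""
    ctx = hardened_context()
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        leaf_der = tls.getpeercert(binary_form=True)
        if not pin_matches(leaf_der, expected_pins):
            raise ssl.SSLError("leaf certificate does not match pinned fingerprint")
        tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return tls.recv(4096)


if __name__ == "__main__":
    print("insecure context:", assess_context(insecure_context()))
    print("hardened context:", assess_context(hardened_context()))
    fake_leaf = b"constructed-placeholder-der-bytes"   # constructed, not a real certificate
    print("pin check:", pin_matches(fake_leaf, {cert_fingerprint(fake_leaf)}))
```

The `assess_context` function is the kind of check worth running in an app's test suite: it catches the common "turned off verification to get past a self-signed dev server and forgot to turn it back on" mistake before the app reaches devices that will spend their days on coffee-shop WiFi.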
Step 20: Understand, even with all of this, infection is inevitable…
The true objective with mobile device security and management is to add on as much security, in layers, as possible without a significant impact on end user experience. Security needs to be an approach of layers.
Solutions like FireEye, Damballa, Fidelis and Checkpoint still need to be deployed to look at different network parameters and aberrant behavior to detect a compromised device in the process of exfiltrating data.
Good Reads
• Protecting Portable Devices: Data Security
• Protecting Portable Devices: Physical Security
• Practical attacks against Mobile Device Management
• US DOD Plan
• Dark Reading Mobile Security Portal