The document discusses the vulnerabilities of Mobile Device Management (MDM) systems and the rise of spyphones, emphasizing that secure containers are not entirely secure against sophisticated attacks. It highlights the prevalence of mobile malware and the effectiveness of low-end spy tools that can compromise both personal and corporate data. The conclusion advocates for a multi-layered security approach, noting that while MDM can separate business and personal data, it cannot guarantee absolute security.

1. Practical Attacks against Mobile
Device Management (MDM)
Michael Shaulov, CEO
Daniel Brodie, Security Researcher
Lacoon Mobile Security
March 14, 2013

2. • Security researcher for almost a decade
– From PC to Mobile
– Low level OS research
• Researcher at Lacoon Mobile Security
– Developing a dynamic analysis framework for
analyzing spyphones and mobile malware
About: Daniel

3. • Decade of experience researching and
working in the mobile security space
– From feature-phones to smartphones
– Mobile Security Research Team leader at NICE
Systems
• CEO and co-founder of Lacoon Mobile Security
About: Michael

4. Introduction to MDM and Secure Containers
Rise of the Spyphones
Bypassing secure container encryption capabilities
Recommendations and summary
Agenda

5. MDM AND SECURE CONTAINERS
101

6. • Helps enterprises manage BYOD (Bring Your
Own Device) and corporate mobile devices
• Policy and configuration management tool
• Offerings include separating between business
data and personal data
Mobile Device Management

7. MDM: Penetration in the Market
“Over the next five years, 65 percent of
enterprises will adopt a mobile device
management (MDM) solution for their corporate
liable users”
– Gartner, Inc. October 2012

8. • Software management
• Network service management
• Hardware management
• Security management
– Remote wipe
– Secure configuration enforcement
– Encryption
MDM Key Capabilities

9. • All leading MDM solutions provide secure
containers
– MobileIron
– AirWatch
– Fiberlink
– Zenprise
– Good Technologies
Secure Containers

10. Behind the Scenes: Secure Containers
Enterprise
Application
Sandbox
Secure
Container
Encrypted
Storage
Secure Communication
(SSL/VPN)

11. RISE
OF THE
SPYPHONES

12. Business
Impact
Complexity
Mobile
Malware
Apps
Consumer-oriented. Mass.
Financially motivated, e.g.:
- Premium SMS
- Fraudulent charges
- Botnets
Spyphones
Targeted:
• Personal
• Organization
• Cyber
espionage
The Mobile Threatscape

13. Convergence of
Personal Info
• Contacts
• Emails
• Messages
• Calls
• Corporate
Information
Follows us
everywhere
• Office
• Meetings
• Home
• Travel
Perfect Spy
Hardware
• Always Online
• Location
• Microphone
• Camera
Why Mobile?

14. Spyphone Capabilities
Eavesdropping
and Surround
Recording
Extracting Call
and Text Logs
Tracking Location
Infiltrating
Internal LAN
Snooping on
Emails and
Application Data
Collecting
Passwords

15. Examples
More Than 50 Different Families in the Wild

16. The High-End
• FinSpy
– Gamma Group
• DaVinci RCS
– Hacking Team
• LuckyCat
– Chinese
• LeoImpact
Low
End
High
End

17. The Low-EndLow
End
High
End
• Starting at $4.99 a month! What a steal!
– For iOS, Android, Blackberry, Windows
Mobile/Phone, Symbian, …
• Professional worldwide support
• Very simple and mainstream
– So simple that even your mother could use it
• On your father
• Available at a reseller near you!

18. • From high-end to low-end
– Difference is in infection vector -> price
• End-result is the same
– For $5, you get nearly all the capabilities of a
$350K tool
Spyphones: Varying Costs, Similar Results

19. SPYPHONE DEMO

20. • Partnered with worldwide cellular network
operators:
– Sampled 250K subscribers
– Two separate sampling occasions
• Infection rates:
– March 2012: 1 in 3000 devices
– October 2012: 1 in 1000 devices
Spyphones in the Wild

21. Spyphone Distribution by OS
52%
35%
7% 6%
iOS
Android
Symbian
Unknown

22. 51%
12.39%
30.79%
1.40%
3.90%
Android
Blackberry
iOS
Symbian
Windows Phone 7
and Windows
Mobile
Mobile OS Market ShareSpyphone Distribution by OS
Comscore, March 2012
52%
35%
7% 6%
iOS
Android
Symbian
Unknown

23. IT’S ALRIGHT,
IT’S OK,
“SECURE CONTAINER”
IS THE WAY?

24. • Secure Containers:
– Detect JailBreak/Root
– Prevent malicious application installation
– Encrypt data
– Dependent on the OS sandbox
Secure Container Re-Cap

25. • JailBreaking (iOS)/ Rooting (Android) detection
mechanism
– “Let Me Google That For You”
– Usually just check features of JB/ Root devices
(e.g. is Cydia/ SU installed)
• Cannot detect exploitation
Opening the Secure Container (1)

26. • Prevention of malicious app installation
(Android)
– Targeted towards mass malware
• Third-Party App restrictions
– Should protect against malware
• Has been bypassed
– Both for Android and iPhone
Opening the Secure Container (2)

27. ANDROID DEMO

28. • Install Malicious Application – Possible Vector
– Publish an app through the market
• Use “Two-Stage”: Download the rest of the dex later-
and only for the targets we want
• Get the target to install the app through spearphishing
– Physical access to the device would also work
Android Demo: Technical Details (1)

29. • Privilege Escalation
– We used the Exynos exploit. (Released Dec., 2012)
• Create a hidden ‘suid’ binary and use it for
specific actions
– Place in a folder with --x--x--x permissions
– Undetected by generic root-detectors
Android Demo: Technical Details (2)

30. • We listen to events in the logs
– For <=2.3 we can just use the logging permissions
– For >4.0 we use access the logs as root
• When an email is read….
Android Demo: Technical Details (3)

31. • We dump the heap using /proc/<pid>/maps
and /mem
– Then search for the email structure, extract it, and
send it home
Android Demo: Technical Details (3)

32. Android Heap Searching

33. IOS DEMO

34. • Install Malicious Application – Possible Vectors
– Use the JailBreak just for the installation
• Install signed code using Enterprise/Developer
certificate
• Remove any trace of the JailBreak
– Or just jailbreak and hide the jailbreak
– Repackage the original application
iOS Demo: Technical Details (1)

35. Load
malicious
dylib into
memory (it’s
signed!)
Hook using
standard
Objective-C
hooking
mechanisms
Get notified
when an
email is read
Pull the
email from
the UI
classes
Send every
email loaded
home
iOS Demo: Technical Details (2)

36. • DYLD_INSERT_LIBRARIES
– Was very common previously, a bit harder now
• MACH-O editing
– Requires to resign code or leave device jailbroken
– Number of tools to do the work for you
• Objective-C Hooking
– Objc_setImplementation….
Code Injection

37. Objective-C Hooking

38. CONCLUSIONS

39. • “Secure” Containers depend on the integrity
of the host system
1. If the host system is uncompromised: what is the
added value?
2. If the host system is compromised: what is the
added value?
• We’ve been through this movie before!
Secure Containers…Secure?

40. • MDM provides Management, not absolute Security
• Beneficial to separate between business and
personal data
• Main use-case
– Remote wipe of enterprise content only
– Copy & Paste DLP
Infection is Inevitable

41. • Use MDM as a baseline defense for a multi-
layer approach
• Needs rethinking outside the box (mobile)
• Solutions on the network layer:
– C&C communications
– Heuristic behavioral analysis
– Sequences of events
– Data intrusion detection
Mitigating Spyphone Threats

42. THANK YOU!
QUESTIONS?
Email us at:
michael@lacoon.com
daniel@lacoon.com