Spyphones are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications, mainly phone fraud applications distributed through common application channels, target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.
How are these mobile cyber-espionage attacks carried out? In this engaging session, we present novel proof-of-concept attack techniques - both on Android and iOS devices - which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.
Handwritten Text Recognition for manuscripts and early printed texts
BlackHat Europe 2013 - Practical Attacks against Mobile Device Management (MDM)
1. Practical Attacks against Mobile
Device Management (MDM)
Michael Shaulov, CEO
Daniel Brodie, Security Researcher
Lacoon Mobile Security
March 14, 2013
2. • Security researcher for almost a decade
– From PC to Mobile
– Low level OS research
• Researcher at Lacoon Mobile Security
– Developing a dynamic analysis framework for
analyzing spyphones and mobile malware
About: Daniel
3. • Decade of experience researching and
working in the mobile security space
– From feature-phones to smartphones
– Mobile Security Research Team leader at NICE
Systems
• CEO and co-founder of Lacoon Mobile Security
About: Michael
4. Introduction to MDM and Secure Containers
Rise of the Spyphones
Bypassing secure container encryption capabilities
Recommendations and summary
Agenda
6. • Helps enterprises manage BYOD (Bring Your
Own Device) and corporate mobile devices
• Policy and configuration management tool
• Offerings include separating between business
data and personal data
Mobile Device Management
7. MDM: Penetration in the Market
“Over the next five years, 65 percent of
enterprises will adopt a mobile device
management (MDM) solution for their corporate
liable users”
– Gartner, Inc. October 2012
16. The High-End
• FinSpy
– Gamma Group
• DaVinci RCS
– Hacking Team
• LuckyCat
– Chinese
• LeoImpact
Low
End
High
End
17. The Low-EndLow
End
High
End
• Starting at $4.99 a month! What a steal!
– For iOS, Android, Blackberry, Windows
Mobile/Phone, Symbian, …
• Professional worldwide support
• Very simple and mainstream
– So simple that even your mother could use it
• On your father
• Available at a reseller near you!
18. • From high-end to low-end
– Difference is in infection vector -> price
• End-result is the same
– For $5, you get nearly all the capabilities of a
$350K tool
Spyphones: Varying Costs, Similar Results
20. • Partnered with worldwide cellular network
operators:
– Sampled 250K subscribers
– Two separate sampling occasions
• Infection rates:
– March 2012: 1 in 3000 devices
– October 2012: 1 in 1000 devices
Spyphones in the Wild
24. • Secure Containers:
– Detect JailBreak/Root
– Prevent malicious application installation
– Encrypt data
– Dependent on the OS sandbox
Secure Container Re-Cap
25. • JailBreaking (iOS)/ Rooting (Android) detection
mechanism
– “Let Me Google That For You”
– Usually just check features of JB/ Root devices
(e.g. is Cydia/ SU installed)
• Cannot detect exploitation
Opening the Secure Container (1)
26. • Prevention of malicious app installation
(Android)
– Targeted towards mass malware
• Third-Party App restrictions
– Should protect against malware
• Has been bypassed
– Both for Android and iPhone
Opening the Secure Container (2)
28. • Install Malicious Application – Possible Vector
– Publish an app through the market
• Use “Two-Stage”: Download the rest of the dex later-
and only for the targets we want
• Get the target to install the app through spearphishing
– Physical access to the device would also work
Android Demo: Technical Details (1)
29. • Privilege Escalation
– We used the Exynos exploit. (Released Dec., 2012)
• Create a hidden ‘suid’ binary and use it for
specific actions
– Place in a folder with --x--x--x permissions
– Undetected by generic root-detectors
Android Demo: Technical Details (2)
30. • We listen to events in the logs
– For <=2.3 we can just use the logging permissions
– For >4.0 we use access the logs as root
• When an email is read….
Android Demo: Technical Details (3)
31. • We dump the heap using /proc/<pid>/maps
and /mem
– Then search for the email structure, extract it, and
send it home
Android Demo: Technical Details (3)
34. • Install Malicious Application – Possible Vectors
– Use the JailBreak just for the installation
• Install signed code using Enterprise/Developer
certificate
• Remove any trace of the JailBreak
– Or just jailbreak and hide the jailbreak
– Repackage the original application
iOS Demo: Technical Details (1)
35. Load
malicious
dylib into
memory (it’s
signed!)
Hook using
standard
Objective-C
hooking
mechanisms
Get notified
when an
email is read
Pull the
email from
the UI
classes
Send every
email loaded
home
iOS Demo: Technical Details (2)
36. • DYLD_INSERT_LIBRARIES
– Was very common previously, a bit harder now
• MACH-O editing
– Requires to resign code or leave device jailbroken
– Number of tools to do the work for you
• Objective-C Hooking
– Objc_setImplementation….
Code Injection
39. • “Secure” Containers depend on the integrity
of the host system
1. If the host system is uncompromised: what is the
added value?
2. If the host system is compromised: what is the
added value?
• We’ve been through this movie before!
Secure Containers…Secure?
40. • MDM provides Management, not absolute Security
• Beneficial to separate between business and
personal data
• Main use-case
– Remote wipe of enterprise content only
– Copy & Paste DLP
Infection is Inevitable
41. • Use MDM as a baseline defense for a multi-
layer approach
• Needs rethinking outside the box (mobile)
• Solutions on the network layer:
– C&C communications
– Heuristic behavioral analysis
– Sequences of events
– Data intrusion detection
Mitigating Spyphone Threats
Software management — This is the ability to manage and support mobile applications, contentand operating systems. The components are:■ Configuration■ Updates■ Patches/fixes■ Backup/restore■ Provisioning■ Authorized software monitoring■ Transcode■ Hosting■ Managed mobile enterprise application platforms (MEAPs)■ Development■ Background synchronization.■ Network service management — This is the ability to gain information off of the device thatcaptures location, usage, and cellular and WLAN network information. The components are:■ Invoice/dispute■ Procure and provision■ Reporting■ Help desk/support■ Usage■ Service and contract■ Hardware management — Beyond basic asset management, this includes provisioning andsupport. The components are:■ Procurement■ ProvisioningGartner, Inc. | G00230508 Page 25 of 34■ Asset/inventory■ Activation■ Deactivation■ Shipping■ Imaging■ Performance■ Battery life■ Memory■ Security management — This is the enforcement of standard device security, authenticationand encryption. The components are:■ Remote wipe■ Remote lock■ Secure configuration■ Policy enforcement password-enabled■ Encryption■ Authentication■ Firewall■ Antivirus■ Mobile VPNAlthough many MDM vendors may have different definitions, these are the general areas we assessin MDM.
The Secure Container engine -Containment of corporate data in encrypted environmentEmailsDocsApp wrappers
Spyphone = Remote Access Tool
For mass market, success is dependent on number of users, identity irrelevantFor targeted attacks, success is dependent on reaching a specific person (or people)
RAT’s aren’t new, why the sudden rise in popularity for mobileOur assumption is
Spyphones more popular than spyware on laptops (Shai’s example).EavesdroppingExtracting Call and Text LogsTracking LocationInfiltrating Internal LANSnooping on Corporate Emails and Application Data
Wide spectrum of SpyPhones from official companies helping the average joe spy on his girlfriend, child, or catTo those sold only to goverments
Cost upwards of 250 eurosFinSpy- BaharainDaVinci - DrWebLuckyCat – A sample of amobie agent was found on one of the servres
Starcuks latte
The mindset is that everyone can go and buy one, but does it really happen, or is it just fear mongeringThese numbers are especially troubling when we realize that every person in this sample who was installed was targeted personallyTHIS IS NOT MASS MALWARE
October 2012: 1 in 1000 devices
Anyway to make it look better?
Akin to encrypting the phone but reading emails in plain-text