Malware on Smartphones and
Tablets - The Inconvenient Truth
Shaked Vax
Trusteer Products Strategist
Kaushik Srinivas
MaaS360 Strategy & Offering Management
Agenda
• Mobile is everywhere – Mobile Threats
• A look at Mobile Malware
• Threat landscape
– iOS
– Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar
#1 channel: Mobile banking channel development is the #1 technology priority of North American retail banks (2013)
19%: share of customers who won't use mobile banking because of security fears
Mobile Access to Everything
All businesses are leveraging mobile these days as a main communication channel with customers, and as a collaboration and productivity tool for employees
• In banking:
  – Mobile banking is the most important deciding factor when switching banks (32%)
  – More important than fees (24%), branch location (21%) or services (21%), per a survey of mobile banking customers in the U.S. [1]
• However, for many end users security concerns are the main inhibitor to adoption
• And apparently, for good reason
Mobile Malware Threats Scope
Line of Business Threats (Customer Facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account takeover (from / using mobile)
• 2nd-factor authentication circumvention
Enterprise Threats (Employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP
  – Files
  – Photos of whiteboard drawings
  – Recordings of phone calls / meetings
• Use stolen data to perform actions on the employee's behalf:
  – Send mail/SMS
  – Perform phone calls
Threats for Individuals
• Monetary losses
  – Ransomware
  – Premium-rate SMS/calls
  – App purchases
• Privacy loss
  – Mobile RATs
  – InfoStealers
  – Extortionware
• Device abuse
  – Advertisement hijacking
  – Illicit use of bandwidth and CPU
(Diagram: the three threat groups above are summarized as "Sensitive information stealing", "Using the mobile device/channel to perform attack/fraud" and "Monetary loss to the user")
Anatomy of a Mobile Attack – How to Get In?
Attack Surface: Data Center
WEB SERVER
  – Platform vulnerabilities
  – Server misconfiguration
  – Cross-Site Scripting (XSS)
  – Cross-Site Request Forgery (CSRF)
  – Weak input validation
  – Brute-force attacks
DATABASE
  – SQL injection
  – Privilege escalation
  – Data dumping
  – OS command execution
Attack Surface: Network
  – Wi-Fi (no/weak encryption)
  – Rogue access point
  – Packet sniffing
  – Man-in-the-Middle (MitM)
  – Session hijacking
  – DNS poisoning
  – SSL stripping
  – Fake SSL certificate
Attack Surface: Mobile Device
BROWSER
  – Phishing
  – Pharming
  – Clickjacking
  – Man-in-the-Middle (MitM)
  – Buffer overflow
  – Data caching
PHONE/SMS
  – Baseband attacks
  – SMishing
APPS
  – Sensitive data storage
  – No/weak encryption
  – Improper SSL validation (accepting any certificate, which turns the "fake SSL certificate" network attack into a working MitM)
  – Dynamic runtime injection
  – Unintended permission granting
OPERATING SYSTEM
  – No/weak passcode
  – iOS jailbreak
  – Android root
  – OS data caching
  – Vendor/carrier-loaded OS/apps
  – No/weak encryption
Threat Landscape - iOS
Apple’s Walled Garden Security by Design
• Looking at the Apple ecosystem "as designed": legitimate devices without jailbreak
• Only Apple controls the App Store
  – No "alternative market" support*
  – Apple reviews all apps
  – Apple can remove apps and ban developers
• iOS Enforces Integrity
– Boot chain is signed
– Only signed code can be installed and executed
• iOS Sandbox
– Process memory isolation
– Filesystem isolation
  – Privileged operations require entitlements granted at signing time or a user-approved permission (e.g., camera access)
Infection Vectors of Non-JB Devices
• Enterprise provisioning ($299/year, a valid credit card and a D-U-N-S number are all it takes)
• Distributed mostly via a link (email/webpage/SMS), or over USB
• Legitimate use
  – MDM providers and, to some degree, "alternative markets"
  – Other "alternative" markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks
• Caveat: since iOS 9 the user must explicitly trust the enterprise developer (Settings > General > Profiles) before such an app will launch, so that one trust decision is all that stands between the user and the payload
Pop quiz: which of the pop-ups shown (image) is legit?
What Can Be Done Inside the Garden (non-JB)?
• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
  – Masque attack – replacing a legitimate app with another app that carries the same bundle identifier, installed through enterprise provisioning
  – Trojanized versions of social apps found in Hacking Team's leak (August 2015)
    (Figure: example of trojanized Facebook app behavior)
  – XcodeGhost (Sept 2015) – infecting apps through a rogue app-development environment (a tampered Xcode distributed outside the Mac App Store), aimed at credential stealing; 300 (or more…) infected apps removed by Apple from the App Store. The lesson for developers: verify the toolchain's signature (spctl --assess --verbose /Applications/Xcode.app) rather than trusting a download mirror
  – Hiding apps
  – Running in the background (background keylogging)
  – Running on boot
  – Taking screenshots
  – Simulating screen/button presses
  – Blocking OCSP (Online Certificate Status Protocol), so a revoked signing certificate is not caught
  – Privilege escalation / sandbox escape
What Can Be Done Inside the Garden (non-JB)?
• APT/Malware
  – RCS (2015) – installs an alternative keyboard for keylogging, plus trojanized apps
  – WireLurker (2014) – installs additional apps (a Chinese game, a third-party App Store client, a comic reader)
  – Find and Call (2012) – steals the user's contacts
• Apple usually responds fast, removing the apps from the App Store
Jailbreak Land
• What does the jailbreak process do?
  – Disables iOS enforcement / sandbox
  – Introduces third-party application stores (e.g., Cydia)
• Worldwide estimate (2014): ~8% of all devices are jailbroken; in China ~14%
• Trusteer stats (2015) show only 0.15%; the gap is most likely because most Trusteer customers detect jailbreak and enforce against it, so jailbroken devices rarely reach the protected apps
• Jailbreak hiders attempt to mask the device state (a single file-path check is not enough; combine independent signals)
  – xCon
  – FLEX
• Infection vectors of JB devices
  – Rogue apps via third-party app stores
  – USB (WireLurker, CloudAtlas)
Malware for Jailbroken Devices
• APT / targeted attacks
  – Hacking Team RCS – steals contacts, calendar, screen; monitors user input, location and network traffic; remote exploit to crack the device passcode
  – Xsser mRAT – Chinese Trojan that steals device info, SMS and emails; installed via a rogue Cydia repository
  – CloudAtlas – steals device information, contacts, accounts, Apple ID, …
  – XAgent "Pawn Storm" – steals SMS, contacts, photos, GPS location, installed apps, Wi-Fi status; remotely activates audio recording
  – WireLurker – from an infected PC, trojanizes installed apps; steals contacts, SMS, iMessages, Apple ID, device serial
• "Non-enterprise" malware
  – Unflod "Baby Panda" – Chinese Trojan that steals the Apple ID and password
  – AdThief – hijacks advertisements of installed apps for revenue
Threat Landscape - Android
Android Infection Vectors
• Link via SMS/email (may contain exploits)
  – E.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware
  – DeathRing, Mouabad, "Coolpad" backdoor
  – Most common in Asia, some appearances in Spain and Africa
• Physical access by the attacker (PC kit to deploy malware)
• USB from an infected PC (e.g., DroidPak, WireLurker, Android RCS)
Android Infection Vectors
• Remote exploit
  – 95% of Android devices exposed to the Stagefright vulnerability (media parsing; reachable via MMS with no user interaction)
  – In July 2015 ~28% of devices ran OS 4.3 or lower, still vulnerable to the AOSP Browser and MasterKey bugs (4 years old!)
• App markets – alternative markets and the official Google Play
• Apps can drop malware, exploit the device or carry trojanized functionality
Android Mobile Store Malware Infection Rates (chart not reproduced)
Android Malware Types
• RATs - commercial or underground surveillanceware
– Tens of variants
– Some publicly available, some in underground, one is even open source
• Network proxy
– NotCompatible malware family
• InfoStealers
– Keyloggers, Overlay malware
The appearance of PC grade mobile malware
• "GM Bot" / "Mazar Banking Software" – recently appeared in the global mobile malware landscape
• Extensive PC-malware-like capabilities, including:
  – Dynamic configuration via C&C
  – Configurable banking-app injection/overlay capabilities
  – Ready-made modules sold to attack banks and financial-services users worldwide: Australia, Austria, France, Czech Republic, Hungary, Spain, Singapore, Germany, Poland, India, Turkey, New Zealand, US
Android Malware Types
• High-end APT/targeted attacks
  – Hacking Team RCS in Saudi Arabia (?-2015) – "Qatif Today" repack
  – Xsser mRAT (2014)
    • Chinese trojan spying on Hong Kong activists: steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone); remote shell and calls
  – RedOctober/CloudAtlas (2014)
    • steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
  – APT1 (2013) – "Kakao Talk" repack
    • spies on Tibetan activists' contacts/SMS/location
  – World Uyghur Congress (2013)
    • spies on Tibetan activists' contacts/SMS/calls/location
  – LuckyCat APT campaign (2012)
    • phone info, file dir/upload/download, remote shell
  – FinSpy Mobile (2011) – Gamma Group's APT, tied to Egypt
Android Malware and RATs Capabilities Overview
• Information theft
– Contacts
– Call log history
– Messages (SMS, LINE, Whatsapp, Viber, Skype,
Gtalk, Facebook, Twitter, …)
– Emails
– Geographical location
– Network data (wireless network SSID/password),
location, network state
– Phone information
(number/IMEI/IMSI/Vendor/model/Operator/SIM
serial/OS)
– Google Account
– Browsing history
– Photos/Videos/Audio
– Screenshots
– Clipboard content
– Arbitrary files on SD card
• Remote control
– Activation/delayed activation and capturing of
audio/video/photos/phone calls
– Execute shell / run exploits
– Launch browser
– Send SMS
– Make phone call
– Download/delete files
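The capability list above maps almost one-to-one onto Android permissions, which is why a static look at a decoded AndroidManifest.xml is a cheap first triage step before dynamic analysis. The following is an added example, not Trusteer or MaaS360 code: it parses a manifest, maps declared permissions to the capabilities listed on this slide, and flags the permission combinations characteristic of the overlay banking trojans, premium-SMS fraud and surveillance RATs discussed on this page. Both manifests are constructed (a real APK carries a binary manifest that must first be decoded, e.g. with apktool), and the signature sets are this example's own heuristics.

```python
"""Static permission triage of an Android app against the RAT/infostealer
capability list above. Added example, not Trusteer or MaaS360 code.

A real APK carries a binary AndroidManifest.xml; decode it first
(e.g. `apktool d app.apk`, then read the decoded manifest). The two
manifests at the bottom are constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability, following the "Information theft / Remote control" list.
CAPABILITIES = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS (2FA codes)",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.GET_ACCOUNTS": "Google account",
    "android.permission.READ_EXTERNAL_STORAGE": "files on SD card",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlay (banking overlay)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start on boot",
    "android.permission.INTERNET": "network / C&C",
}

# Permission combinations characteristic of the malware classes on this page
# (this example's own heuristics). A flashlight app has no reason to declare
# any of these sets together.
SIGNATURES = {
    "overlay banking trojan": {"SYSTEM_ALERT_WINDOW", "RECEIVE_SMS", "INTERNET"},
    "premium-SMS fraud": {"SEND_SMS", "RECEIVE_SMS"},
    "surveillance RAT": {"RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_SMS",
                         "READ_CONTACTS", "INTERNET"},
}


def declared_permissions(manifest_xml):
    """Return the fully qualified permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage(manifest_xml):
    """Map declared permissions to capabilities and match them against SIGNATURES."""
    perms = declared_permissions(manifest_xml)
    short = {p.rsplit(".", 1)[-1] for p in perms}
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": len(perms),
        "capabilities": sorted(CAPABILITIES[p] for p in perms if p in CAPABILITIES),
        "matches": sorted(name for name, need in SIGNATURES.items() if need <= short),
    }


# Constructed manifest: a "flashlight" that wants SMS, overlay, mic and location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Super Flashlight"/>
</manifest>"""

# Constructed manifest: what a camera-using app would plausibly declare.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

Declared permissions are an upper bound on what the app can do, not proof that it does it, so a hit here is a reason to run the sample dynamically (or check the package against a threat feed), not a verdict on its own; conversely, an app that exploits the device (the Stagefright and MasterKey cases above) needs none of these permissions, which is why static triage is only the first layer.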
Commercial RAT Examples – SandroRAT/DroidJack Evolution
• Sandroid -> SandroRAT -> DroidJack
• No root access required!
• 8,380 DroidJack tutorials currently on Google, and many more…
Network Proxy to Corporate Resources
• NotCompatible.C
  – General-purpose network proxy (TCP/UDP)
  – Has been used for spam, brute force, bulk ticket purchase
• Banks and other enterprises could be the next target: an infected phone on the corporate Wi-Fi is a foothold inside the perimeter
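A proxy bot like the one described above is invisible to the app-permission view but very visible in network telemetry: a handset suddenly opens connections to many distinct external hosts, on ports a phone never uses (SMTP for spam, SSH/RDP for brute force). The following is an added example, not IBM code, of that detection logic run over flow records. The flow lines, the record format (timestamp plus key=value pairs) and the EMM device inventory are all constructed for this example; the point of the inventory is to judge only sources the EMM knows to be phones or tablets, since a mail server talking SMTP is normal and a phone doing it is not.

```python
"""Detection logic for proxy-like behaviour from a managed phone, in the
spirit of the NotCompatible.C case above. Added example, not IBM code.
The flow lines and the device inventory below are constructed; the
record format (a timestamp plus key=value pairs) is this example's own."""
from collections import defaultdict

# Ports a phone on the corporate Wi-Fi has no business initiating at scale.
SUSPECT_PORTS = {
    25: "SMTP relay / spam",
    587: "SMTP submission",
    22: "SSH brute force",
    3389: "RDP brute force",
    445: "SMB",
}


def parse_flow(line):
    """'2016-02-22T10:01:07Z src=10.20.5.41 dst=203.0.113.9 dport=25 bytes=1420' -> dict"""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    return {"ts": ts, "src": rec["src"], "dst": rec["dst"],
            "dport": int(rec["dport"]), "bytes": int(rec["bytes"])}


def detect_proxying(flow_lines, mobile_inventory, min_distinct_dst=5, min_suspect=3):
    """Return {src_ip: [reasons]} for mobile devices whose traffic looks like a proxy.

    Only sources that the EMM inventory identifies as phones/tablets are
    judged: a mail server legitimately talks SMTP, a handset does not."""
    by_src = defaultdict(list)
    for line in flow_lines:
        f = parse_flow(line)
        if f["src"] in mobile_inventory:
            by_src[f["src"]].append(f)

    alerts = {}
    for src, flows in by_src.items():
        reasons = []
        dsts = {f["dst"] for f in flows}
        if len(dsts) >= min_distinct_dst:
            reasons.append(f"{len(dsts)} distinct external destinations in window")
        hits = [f for f in flows if f["dport"] in SUSPECT_PORTS]
        if len(hits) >= min_suspect:
            ports = sorted({f["dport"] for f in hits})
            reasons.append("%d flows to suspect ports: %s" % (
                len(hits), ", ".join(f"{p} ({SUSPECT_PORTS[p]})" for p in ports)))
        if reasons:
            alerts[src] = reasons
    return alerts


# Constructed flow export: one phone relaying spam and probing SSH, one phone
# browsing normally, and the corporate mail server (not a mobile device).
SAMPLE_FLOWS = [
    "2016-02-22T10:01:07Z src=10.20.5.41 dst=203.0.113.9 dport=25 bytes=1420",
    "2016-02-22T10:01:09Z src=10.20.5.41 dst=203.0.113.17 dport=25 bytes=1388",
    "2016-02-22T10:01:11Z src=10.20.5.41 dst=198.51.100.3 dport=25 bytes=1402",
    "2016-02-22T10:01:14Z src=10.20.5.41 dst=198.51.100.44 dport=22 bytes=96",
    "2016-02-22T10:01:15Z src=10.20.5.41 dst=198.51.100.45 dport=22 bytes=96",
    "2016-02-22T10:01:16Z src=10.20.5.41 dst=192.0.2.200 dport=443 bytes=5120",
    "2016-02-22T10:02:01Z src=10.20.5.42 dst=192.0.2.10 dport=443 bytes=20480",
    "2016-02-22T10:02:05Z src=10.20.5.42 dst=192.0.2.11 dport=443 bytes=3072",
    "2016-02-22T10:02:30Z src=10.20.1.10 dst=203.0.113.9 dport=25 bytes=9000",
    "2016-02-22T10:02:31Z src=10.20.1.10 dst=203.0.113.17 dport=25 bytes=9000",
    "2016-02-22T10:02:32Z src=10.20.1.10 dst=198.51.100.3 dport=25 bytes=9000",
]

# Constructed EMM inventory: IP -> device description (the mail server is absent).
MOBILE_INVENTORY = {
    "10.20.5.41": "Android 4.4 phone, user jdoe",
    "10.20.5.42": "iPhone, user asmith",
}

if __name__ == "__main__":
    for src, reasons in detect_proxying(SAMPLE_FLOWS, MOBILE_INVENTORY).items():
        print(src, MOBILE_INVENTORY[src])
        for r in reasons:
            print("  -", r)
```

The thresholds are deliberately low for the short constructed window; in production they are tuned per network, and the alert is correlated with the device's EMM posture (the compliance evaluation shown later on this page) before blocking the device.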
Threats Summary
• Advanced/targeted attacks are real
  – More dominant in Asia, with China a major player
  – Global threat – HackingCrew, HackingTeam
• The most dominant threats are RATs
  – Android – easiest to infect, highly commercialized
  – Jailbroken iOS – seen only in targeted attacks
  – Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
  – Applicable to iOS and Android; more problematic for Android because of a highly fragmented market, where patches depend on each OEM and carrier
  – Associated only with advanced/targeted attacks
• Network-based attacks
  – Imminent threat, no malicious incident reported yet
Taking action is easy
IBM Mobile Threat Management can effectively prevent and take action against malware & threats
Criminals attack the weakest link
Taking action is easy - using layered security
The MaaS360 layered security model (diagram): Secure the Device / Secure the Content / Secure the App / Secure the Network
Taking action is easy
Managed Devices (Owned/BYOD)
• Device-level security
• Use EMM/MDM to enforce the sensitive-information access policy
• MDM should include advanced rooting/jailbreak and malware detection
• Scan home-grown apps for vulnerabilities
Unmanaged Devices (Customers, partners, agents, brokers, contractors)
• Application-level security
• Every app should be able to assess device security itself
• In-app enforcement for sensitive info/operations
• Scan home-grown apps for vulnerabilities
IBM MaaS360 Mobile Threat Management
Detects, analyzes and remediates mobile risks, delivering a new layer of security for Enterprise Mobility Management (EMM) with the integration of IBM Security Trusteer® to protect against:
• Mobile malware
• Suspicious system configurations
• Compromised jailbroken or rooted devices
IBM Security QRadar integration with MaaS360
• Continuous Mobile Visibility
– Detect when smartphones and tablets are attempting to connect to the network
– Monitor enrollment of personally owned and corporate-liable devices
– Gain awareness of unauthorized devices
– Learn when users install blacklisted apps and access restricted websites
• Compromised Device Remediation
– Uncover devices infected with malware before they compromise your enterprise data
– Identify jailbroken iOS devices and rooted Android devices
– Set security policies and compliance rules to automate remediation
– Block access, or perform a selective wipe or full wipe of compromised devices
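The "Jailbreak Land" slide, the managed/unmanaged action slide and the QRadar integration bullets above describe one pipeline: collect device signals, evaluate them against compliance rules, pick a remediation and forward the violation to the SIEM. The following is an added example of that pipeline, not MaaS360, Trusteer or QRadar code. The device reports, the policy and every field name are constructed; the jailbreak signals are the standard ones an app or agent can collect on iOS (file artefacts, a sandbox write test, the cydia:// URL scheme, hooking libraries loaded in the process), combined so that a hider which only blanks the file paths still scores; LEEF is QRadar's native event format, but the vendor, product and attribute names used here are assumptions, and the action mapping (selective wipe for malware, block for jailbreak/root/no passcode, notify for policy gaps) is this example's policy, not the product's.

```python
"""Compliance evaluation and QRadar event emission for the device posture
described above. Added example: not MaaS360, Trusteer or QRadar code.
Device reports, the policy and all field names are constructed for this
example; LEEF is QRadar's native event format, but the vendor, product and
attribute names used here are assumptions."""

# Independent jailbreak signals an app or agent can collect on iOS. A hider
# such as the ones named on the slide typically blanks the file-system signal,
# so no single indicator is decisive; the score combines them.
JB_FILE_PATHS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/private/var/lib/apt",
)


def jailbreak_score(report):
    score = 0
    if any(p in report.get("present_paths", ()) for p in JB_FILE_PATHS):
        score += 1  # file artefacts: cheap to check, cheap to hide
    if report.get("sandbox_write_ok"):
        score += 2  # the app could write outside its own container
    if report.get("cydia_url_scheme"):
        score += 1  # canOpenURL("cydia://") succeeded
    if any("Substrate" in lib for lib in report.get("loaded_dylibs", ())):
        score += 2  # a hooking framework is injected into our own process
    return score


SEVERITY = {"notify": 1, "block": 2, "selective_wipe": 3}


def evaluate(device, policy):
    """Return [(rule name, action)] for every rule the device violates."""
    violations = []
    if device["platform"] == "ios" and jailbreak_score(device) >= 2:
        violations.append(("Jailbroken device", "block"))
    if device["platform"] == "android" and device.get("rooted"):
        violations.append(("Rooted device", "block"))
    if device.get("malware_found"):
        violations.append(("Malware detected: " + ", ".join(device["malware_found"]),
                           "selective_wipe"))
    if not device.get("passcode_set"):
        violations.append(("No passcode", "block"))
    if tuple(device["os_version"]) < tuple(policy["min_os"][device["platform"]]):
        violations.append(("OS below minimum version", "notify"))
    banned = sorted(set(device.get("apps", ())) & set(policy["blacklisted_apps"]))
    if banned:
        violations.append(("Blacklisted app(s): " + ", ".join(banned), "notify"))
    return violations


def decide_action(violations):
    """The strongest action among the violations wins: corporate data is
    removed (selective wipe) rather than merely blocking access."""
    if not violations:
        return "compliant"
    return max((action for _, action in violations), key=SEVERITY.__getitem__)


def to_leef(device, rule, action):
    """One LEEF 1.0 line per violation: pipe-separated header, tab-separated attributes."""
    attrs = {"devName": device["name"], "usrName": device["user"],
             "platform": device["platform"], "ruleName": rule, "action": action}
    return ("LEEF:1.0|IBM|MaaS360|1.0|OutOfCompliance|"
            + "\t".join(f"{k}={v}" for k, v in attrs.items()))


# Constructed policy and device reports.
POLICY = {"min_os": {"ios": (9, 0), "android": (4, 4)},
          "blacklisted_apps": ["com.example.sideload-store"]}

IPHONE_HIDDEN_JB = {  # a jailbreak hider has blanked the file paths
    "name": "iPhone-jdoe", "user": "jdoe", "platform": "ios", "os_version": (9, 2),
    "passcode_set": True, "present_paths": [], "sandbox_write_ok": True,
    "cydia_url_scheme": False, "loaded_dylibs": ["MobileSubstrate.dylib"],
}
ANDROID_INFECTED = {
    "name": "Nexus-asmith", "user": "asmith", "platform": "android", "os_version": (4, 3),
    "passcode_set": True, "rooted": False, "malware_found": ["GM Bot"],
    "apps": ["com.example.sideload-store", "com.example.bank"],
}
CLEAN_IPHONE = {
    "name": "iPhone-kim", "user": "kim", "platform": "ios", "os_version": (9, 2),
    "passcode_set": True, "present_paths": [], "sandbox_write_ok": False,
    "cydia_url_scheme": False, "loaded_dylibs": [],
}

if __name__ == "__main__":
    for dev in (IPHONE_HIDDEN_JB, ANDROID_INFECTED, CLEAN_IPHONE):
        found = evaluate(dev, POLICY)
        print(dev["name"], "->", decide_action(found))
        for rule, action in found:
            print("  ", to_leef(dev, rule, action))
```

The hidden-jailbreak report scores 4 even though every file-path check comes back clean, which is the practical argument for collecting several independent signals; the same evaluation is what an unmanaged customer-facing app would run in-process (the "assess device security" bullet above), with the action being an in-app refusal of sensitive operations instead of an MDM wipe.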
View MaaS360 compliance rule violations through IBM Security QRadar (screenshot)
View Out of Compliance events from MaaS360 on QRadar (screenshot)
Summary
• Malware exists on mobile and can pose a significant threat to your organization's IP / data
• Trusteer can help safeguard against it on mobile
• MaaS360 + Trusteer can detect and take action on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated reporting
Talk to a Mobile Expert: Visit IBM MaaS360 in the Expo Hall
Talk to an IBM MaaS360 Expert, Watch a Demo and Receive a
Mobile Themed Giveaway!
• Charge your Device Courtesy of MaaS360
• IBM Security Booth #314 (**charger location)
• IBM MobileFirst Booth #530 (**charger location)
• IBM Box Booth #202
• AT&T Booth #561
Like what you see? Try us out!
• Visit ibm.com/maas360 for free trial details
Notices and Disclaimers
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission
from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of
initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS
DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE
USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in
which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials
and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or
their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such
laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers Con’t.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®,
FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG,
Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®,
StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business
Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You
Your Feedback is Important!
Access the InterConnect 2016 Conference Attendee
Portal to complete your session surveys from your
smartphone, laptop or conference kiosk.

Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016
 

Recently uploaded

Recently uploaded (20)

Rapidoform for Modern Form Building and Insights
Rapidoform for Modern Form Building and InsightsRapidoform for Modern Form Building and Insights
Rapidoform for Modern Form Building and Insights
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...
Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...
Abortion Clinic In Stanger ](+27832195400*)[ 🏥 Safe Abortion Pills In Stanger...
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)[GRCPP] Introduction to concepts (C++20)
[GRCPP] Introduction to concepts (C++20)
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Abortion Pill Prices Jozini ](+27832195400*)[ 🏥 Women's Abortion Clinic in Jo...
Abortion Pill Prices Jozini ](+27832195400*)[ 🏥 Women's Abortion Clinic in Jo...Abortion Pill Prices Jozini ](+27832195400*)[ 🏥 Women's Abortion Clinic in Jo...
Abortion Pill Prices Jozini ](+27832195400*)[ 🏥 Women's Abortion Clinic in Jo...
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 

Malware on Smartphones and Tablets - The Inconvenient Truth

1. Malware on Smartphones and Tablets - The Inconvenient Truth
Shaked Vax, Trusteer Products Strategist
Kaushik Srinivas, MaaS360 Strategy & Offering Management

2. Agenda
• Mobile is everywhere – Mobile Threats
• A look at Mobile Malware
• Threat landscape
– iOS
– Android
• Safeguard mobile devices with MaaS360 + Trusteer
• View consolidated MaaS360 event reports on QRadar

3. Mobile Access to Everything
• #1 Channel – Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013)
• 19% of customers won't mobile bank because of security fears
All businesses are leveraging mobile these days as a main communication channel with customers, as well as a collaboration and productivity tool for employees
• In Banking:
– Mobile banking is the most important deciding factor when switching banks (32%)
– More important than fees (24%), branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S. 1
• However, for many end-users security concerns are a main inhibitor to adoption
• And apparently… for a good reason.

4. Mobile Malware Threats Scope
Line of Business Threats (Customer Facing)
• Credential stealing via phishing / malware
• In-app session fraud (from mobile)
• Account takeover (from / using mobile)
• 2nd factor authentication circumvention
Enterprise Threats (Employees)
• Employee identity theft by stealing contacts / emails / calendar / SMS / location
• Tampering with / stealing corporate data and IP
– Files
– Photos of whiteboard drawings
– Recordings of phone calls / meetings
• Use stolen data to perform actions on the employee's behalf:
– Send mail/SMS
– Perform phone calls
Threats for individuals
• Monetary losses
– Ransomware
– Premium rate SMS/calls
– App purchases
• Privacy loss
– Mobile RATs
– InfoStealers
– Extortionware
• Device abuse
– Advertisement hijacking
– Illicit use of bandwidth, CPU

5. Mobile Malware Threats Scope – the same three threat columns as slide 4, summarized as:
• Sensitive information stealing
• Using the mobile device/channel to perform attack/fraud
• Monetary loss to the user

6. Anatomy of a Mobile Attack – How to Get In?
Attack Surface: Data Center
• Web server: Platform vulnerabilities, Server misconfiguration, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Weak input validation, Brute force attacks
• Database: SQL injection, Privilege escalation, Data dumping, OS command execution
Attack Surface: Network
• Wi-Fi (no/weak encryption), Rogue access point, Packet sniffing, Man-in-the-Middle (MitM), Session hijacking, DNS poisoning, SSL stripping, Fake SSL certificate
Attack Surface: Mobile Device
• Browser: Phishing, Pharming, Clickjacking, Man-in-the-Middle (MitM), Buffer overflow, Data caching
• Phone/SMS: Baseband attacks, SMishing
• Apps: Sensitive data storage, No/weak encryption, Improper SSL validation, Dynamic runtime injection, Unintended permission granting
• Operating System: No/weak passcode, iOS jailbreak, Android root, OS data caching, Vendor/carrier loaded OS/apps, No/weak encryption

8. Apple's Walled Garden – Security by Design
• Looking at the Apple eco-system "as designed" – legitimate devices without jailbreak
• Only Apple controls the App Store
– No "alternative market" support*
– Apple reviews all apps
– Apple can remove apps and ban developers
• iOS enforces integrity
– Boot chain is signed
– Only signed code can be installed and executed
• iOS sandbox
– Process memory isolation
– Filesystem isolation
– Some operations require entitlements (e.g., change passcode, access camera)

9. Infection Vectors of Non-JB Devices
• Enterprise provisioning ($299/year, valid credit card, D-U-N-S)
• Distributed mostly via link (email/webpage/SMS), or USB
• Legitimate use – MDM providers and "alternative markets" to some degree
– Other "alternative" markets (Emu4iOS, iNoCydia, …)
• Used maliciously in APT/targeted attacks
Pop Quiz: Which of the below pop-ups is legit?

10. What Can Be Done Inside the Garden (non-JB)?
• Everything legitimately allowed to an app
• Private APIs and vulnerabilities
– Masque attack – replacing a legit app with another app
– Trojanized versions of social apps found in Hacking Team's leak (August 2015)

11. Example of Trojanized Facebook App behavior

12. What Can Be Done Inside the Garden (non-JB)? (repeats slide 10, then adds:)
• Private APIs and vulnerabilities
– XcodeGhost (Sept 2015)
• Infecting apps through a rogue app development environment, targeted at credential stealing
• 300 (or more…) rogue apps removed by Apple from the App Store
– Hiding apps
– Running in the background (enabling background keylogging)
– Running on boot
– Taking screenshots
– Simulating screen/button presses
– Blocking OCSP (Online Certificate Status Protocol)
– Privilege escalation / sandbox escape

13. What Can Be Done Inside the Garden (non-JB)?
• APT/Malware
– RCS (2015) – installs an alternative keyboard for keylogging + trojanized apps
– WireLurker (2014) – installs additional apps (Chinese game, 3rd party App Store client, comic reader)
– Find and Call (2012) – steals the user's contacts
• Apple usually responds fast – eliminating the apps from the App Store

14. Jailbreak Land
• What is the jailbreak process?
– Disables iOS enforcements / sandbox
– Introduces 3rd party application stores (e.g., Cydia)
• Worldwide general estimation (2014): ~8% of all devices are jailbroken; in China: ~14%
• Trusteer stats (2015) show only 0.15%; this may be attributed to the fact that jailbreak is detected and enforced against by most customers
• Jailbreak hiders attempting to hide the device state
– xCon
– FLEX
• Infection vectors of JB devices
– Rogue apps via 3rd party app stores
– USB (WireLurker, CloudAtlas)

15. Malware for Jailbroken Devices
• APT / targeted attacks
– Hacking Team RCS – steals contacts, calendar, screen; monitors user inputs, location, network traffic. Remote exploit to crack device passcode
– Xsser mRAT – Chinese Trojan that steals device info, SMS and emails. Installed via rogue Cydia
– CloudAtlas – steals device information, contacts, accounts, Apple ID, …
– XAgent "PawnStorm" – steals SMS, contacts, photos, GPS location, installed apps, Wi-Fi status; remotely activates audio recording
– WireLurker – PC-based; trojanizes installed apps, steals contacts, SMS, iMessages, Apple ID, device serial
• "Non-enterprise" malware
– Unfold "Baby Panda" – Chinese Trojan that steals Apple ID and password
– AdThief – hijacks advertisements of installed apps for revenue

17. Android Infection Vectors
• Link via SMS/email (may contain exploits)
– E.g., Xsser mRAT distributed via WhatsApp message
• Device preloaded with malware
– DeathRing, Mouabad, "Coolpad" backdoor
– Most common in Asia, some appearances in Spain and Africa
• Physical access by the attacker (PC kit to deploy malware)
• USB from infected PC (e.g., DroidPak, WireLurker, AndroidRCS)

18. Android Infection Vectors
• Remote exploit
– 95% of Android devices exposed to the Stagefright vulnerability
– As of July 2015, ~28% of devices had OS 4.3 or lower, which is vulnerable to AOSP Browser & MasterKey (4 years old!)
• App markets – alternative markets and the official Google Play
– Apps could deploy malware, weaponize, use exploits or have trojanized functionality

19. Android Mobile Store Malware Infection Rates

20. Android Malware Types
• RATs – commercial or underground surveillanceware
– Tens of variants
– Some publicly available, some underground, one is even open source
• Network proxy – NotCompatible malware family
• InfoStealers – keyloggers, overlay malware

21. The appearance of PC-grade mobile malware
• "GM Bot" / "Mazar Banking Software" – recently appeared in the global mobile malware landscape
• Extensive PC-malware-like capabilities including:
– Dynamic configuration via C&C
– Configurable banking app injection/overlay capabilities
– Ready-made modules being sold to attack banks and financial services users worldwide: Australia, Austria, France, Czech Republic, Hungary, Spain, Singapore, Germany, Poland, India, Turkey, New Zealand, US

22. Android Malware Types
• High-end APT/targeted attacks
– Hacking Team RCS in Saudi Arabia (?-2015) – "Qatif Today" repack
– Xsser mRAT (2014)
• Chinese trojan spies on Hong Kong activists; steals contacts, SMS, calls, location, photos, mails, browser history, audio (microphone); remote shell and call
– RedOctober/CloudAtlas (2014)
• steals accounts, locations, contacts, files, calls, SMS, calendar, bookmarks, audio (microphone)
– APT1 (2013) – "Kakao Talk" repack
• spies on Tibetan activists' contacts/SMS/location
– World Uyghur Congress (2013)
• spies on Tibetan activists' contacts/SMS/calls/location
– LuckyCat APT campaign (2012)
• phone info, file dir/upload/download, remote shell
– FinSpy Mobile (2011) – Gamma Group's APT, tied to Egypt

23. Android Malware and RATs Capabilities Overview
• Information theft
– Contacts
– Call log history
– Messages (SMS, LINE, WhatsApp, Viber, Skype, Gtalk, Facebook, Twitter, …)
– Emails
– Geographical location
– Network data (wireless network SSID/password), location, network state
– Phone information (number/IMEI/IMSI/vendor/model/operator/SIM serial/OS)
– Google Account
– Browsing history
– Photos/videos/audio
– Screenshots
– Clipboard content
– Arbitrary files on SD card
• Remote control
– Activation/delayed activation and capturing of audio/video/photos/phone calls
– Execute shell / run exploits
– Launch browser
– Send SMS
– Make phone call
– Download/delete files

24. Commercial RAT Examples – SandroRAT/DroidJack Evolution
• Sandroid -> SandroRAT -> DroidJack
• No root access required!
• 8,380 DroidJack tutorials currently on Google

26. Network Proxy to Corporate Resources
• NotCompatible.C
– General purpose, proxying network traffic (TCP/UDP)
– Has been used for spam, brute force, bulk ticket purchase
• Banks & other enterprises could be a next target

27. Threats Summary
• Advanced/targeted attacks are real
– More dominant in Asia, China being a major player
– Global threat – HackingCrew, HackingTeam
• The most dominant threats are RATs
– Android – easiest to infect, highly commercialized
– Jailbroken iOS – has been done only in targeted attacks
– Non-JB iOS – effectively no (reported) harm done, even in targeted attacks, but the threat is imminent
• Vulnerabilities
– Applicable to iOS and Android; more problematic for Android due to a highly segregated market
– Associated only with advanced/targeted attacks
• Network-based attacks
– Imminent threat, no malicious incident reported yet

28. Taking action is easy
IBM Mobile Threat Management can effectively prevent and take action against malware & threats

29. Criminals attack the weakest link

30. Taking action is easy – using layered security
The MaaS360 layered security model:
• Secure the Device
• Secure the Content
• Secure the App
• Secure the Network

31. Taking action is easy
Managed Devices (Owned/BYOD)
• Device-level security
– Using EMM/MDM to enforce sensitive information access policy
– MDM should include advanced rooting/jailbreak & malware detection
– Scan home-grown apps for vulnerabilities
Unmanaged Devices (Customers, partners, agents, brokers, contractors)
• Application-level security
– Every app should have capabilities to assess device security
– In-app enforcement of sensitive info/operations
– Scan home-grown apps for vulnerabilities

32. IBM MaaS360 Mobile Threat Management
Detects, analyzes and remediates mobile risks, delivering a new layer of security for Enterprise Mobility Management (EMM) with the integration of IBM Security Trusteer® to protect against:
• Mobile malware
• Suspicious system configurations
• Compromised (jailbroken or rooted) devices

33. IBM Security QRadar integration with MaaS360
• Continuous Mobile Visibility
– Detect when smartphones and tablets are attempting to connect to the network
– Monitor enrollment of personally owned and corporate-liable devices
– Gain awareness of unauthorized devices
– Learn when users install blacklisted apps and access restricted websites
• Compromised Device Remediation
– Uncover devices infected with malware before they compromise your enterprise data
– Identify jailbroken iOS devices and rooted Android devices
– Set security policies and compliance rules to automate remediation
– Block access, or perform a selective wipe or full wipe of compromised devices
View MaaS360 compliance rule violations through IBM Security QRadar

34. View Out of Compliance events from MaaS360 on QRadar
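The compliance-rule-to-remediation flow that slides 33 and 34 describe (MDM reports a finding, a compliance rule decides the action, the SIEM shows the consolidated view), written out as an added Python example that is not MaaS360 or QRadar code. The key=value event format, the device ids, finding names, app ids and the policy table are all constructed for this example; a real deployment would map the product's own export fields onto the same logic.

```python
"""Correlate MDM compliance events into per-device remediation actions.

Added example, not MaaS360 or QRadar code. The 'ts mdm k=v k=v ...' line
format and every value in SAMPLE_EVENTS are constructed for this demo.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events (not real product output). Each line carries
# a device id, platform, enrollment state and one compliance finding.
SAMPLE_EVENTS = """\
2016-02-21T09:12:03Z mdm device=ios-1042 platform=ios enrolled=yes finding=jailbroken
2016-02-21T09:12:09Z mdm device=and-2201 platform=android enrolled=yes finding=malware app=com.example.fakebank
2016-02-21T09:13:17Z mdm device=and-2201 platform=android enrolled=yes finding=rooted
2016-02-21T09:14:40Z mdm device=and-3310 platform=android enrolled=yes finding=blacklisted_app app=com.example.sidegame
2016-02-21T09:15:02Z mdm device=and-3310 platform=android enrolled=yes finding=restricted_site url=http://example.invalid/
2016-02-21T09:16:55Z mdm device=ios-7781 platform=ios enrolled=no finding=network_attempt ssid=corp-wifi
2016-02-21T09:17:30Z mdm device=ios-5555 platform=ios enrolled=yes finding=compliant
"""

# Remediation options named on the slide, ranked weakest to strongest so a
# device with several violations receives the strongest one (constructed policy).
ACTION_RANK = {"alert": 1, "block_access": 2, "selective_wipe": 3, "full_wipe": 4}

# Compliance rules: finding -> automated action (constructed policy).
# A network attempt is only a violation for an unenrolled device and is
# therefore decided in evaluate() rather than in this table.
RULES = {
    "malware": "selective_wipe",
    "jailbroken": "block_access",
    "rooted": "block_access",
    "blacklisted_app": "alert",
    "restricted_site": "alert",
}


@dataclass
class Event:
    ts: str
    device: str
    platform: str
    enrolled: bool
    finding: str
    detail: dict = field(default_factory=dict)  # remaining k=v pairs (app, url, ssid)


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed event line; return None for anything malformed."""
    parts = line.strip().split()
    if len(parts) < 3 or parts[1] != "mdm":
        return None
    kv = dict(tok.split("=", 1) for tok in parts[2:] if "=" in tok)
    try:
        core = {k: kv.pop(k) for k in ("device", "platform", "enrolled", "finding")}
    except KeyError:
        return None  # a required field is missing
    return Event(parts[0], core["device"], core["platform"],
                 core["enrolled"] == "yes", core["finding"], kv)


def parse_events(text: str) -> list:
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def evaluate(event: Event) -> Optional[str]:
    """Apply the compliance rules to one event; None means no violation."""
    if event.finding == "network_attempt" and not event.enrolled:
        return "block_access"  # unauthorized (unenrolled) device reaching the network
    return RULES.get(event.finding)


def consolidate(events: list) -> dict:
    """Per-device view: every violation seen plus the strongest action warranted."""
    report = {}
    for ev in events:
        action = evaluate(ev)
        if action is None:
            continue
        entry = report.setdefault(ev.device, {"platform": ev.platform,
                                              "violations": [], "action": None})
        entry["violations"].append(ev.finding)
        if entry["action"] is None or ACTION_RANK[action] > ACTION_RANK[entry["action"]]:
            entry["action"] = action
    return report


def finding_counts(events: list) -> Counter:
    """Fleet-wide count of each finding, the number a dashboard tile would show."""
    return Counter(ev.finding for ev in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for dev, entry in sorted(consolidate(evs).items()):
        print(f"{dev:10} {entry['platform']:8} "
              f"{','.join(entry['violations']):30} -> {entry['action']}")
    print(dict(finding_counts(evs)))
```

Running the file prints one line per non-compliant device and the fleet-wide finding counts; the compliant device and the enrolled device's network attempt produce nothing. The one design choice worth noting is that the strongest action wins per device, so a handset reported as both rooted and carrying malware is queued for a selective wipe rather than merely blocked, which is the behaviour the slide's "automate remediation" bullet implies.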
35. Summary
• Malware exists on mobile and can pose a significant threat to your organization's IP / data
• Trusteer can aid in safeguarding this on mobile
• MaaS360 + Trusteer can detect and take actions on mobile devices
• MaaS360 reports mobile device events to QRadar for consolidated reporting

36. Talk to a Mobile Expert: Visit IBM MaaS360 in the Expo Hall
Talk to an IBM MaaS360 expert, watch a demo and receive a mobile-themed giveaway!
• Charge your device courtesy of MaaS360
– IBM Security Booth #314 (**charger location)
– IBM MobileFirst Booth #530 (**charger location)
– IBM Box Booth #202
– AT&T Booth #561
Like what you see? Try us out!
• Visit ibm.com/maas360 for free trial details

37. Notices and Disclaimers
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

38. Notices and Disclaimers (cont.)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

39. Thank You
Your feedback is important! Access the InterConnect 2016 Conference Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.