Organized cybercriminals are conducting man-in-the-middle attacks against iOS and Android devices, primarily in Asia, to extract personal data through phishing and malicious apps. These sophisticated attacks target both personal and company-supplied mobile devices and services, exploiting vulnerabilities in mobile protocols and jailbroken or unlocked phones. Security experts advise users to avoid public WiFi, use VPNs, ignore suspicious messages, and only install apps from official app stores.
2. = overview
Evidence suggests that organized and resourceful malicious actors are attacking smartphones and tablets, primarily in Asia
• The attacks attempt to extract personal data by phishing, man-in-the-middle attacks, and installation of malicious applications such as Remote Access Trojans
• Both iOS and Android devices are being targeted
• Attack techniques suggest a level of skill and resources typically only available to veteran cybercriminals
The attacks illustrate the level of effort malicious actors are willing to expend to compromise mobile users
2 / [state of the internet] / threat advisory
3. = open-source attack intelligence
A variety of sources have publicized large attacks involving mobile devices, including:
• FireEye published research that suggested the use of sophisticated customized malware, indicating a high level of skill and resources typically only available to veteran criminals
• Large-scale attacks appear to have targeted companies that supply SaaS and application services, such as Apple application services, by conducting man-in-the-middle attacks on Internet infrastructure
• GreatFire.org reported a man-in-the-middle attack against the Apple iCloud service, coinciding with the release of the iPhone 6
4. = mobile interception
• Cell phone interception techniques may also have been used to target victims of mobile attacks
• Interception and exploitation of common mobile protocols such as GSM and CDMA is possible
• Cell phone interception allows attackers to:
⁄ Pinpoint the user’s location
⁄ Eavesdrop on communications
⁄ Modify incoming transmissions
⁄ View the communication and application protocol in use
• The attackers may have used this technology to target specific applications and generate customized mobile payloads
5. = Android, iOS, and the jailbreaking factor
Both iOS and Android OSes have been targeted by the attacks
Android can be exploited much more readily than iOS
• Development resources are free and open-source
• Users can easily sideload unverified third-party apps (Android accepts any self-signed key, so a signature alone says nothing about who built the app)
Exploitation can range from footprinting a specific operating system version to complete takeover and remote command of the device
6. = Android, iOS, and the jailbreaking factor
iOS attacks require high levels of skill on the part of the attackers
• iOS is closed-source, with limited access to development tools
• Applications must go through verification, approval, and review
• OS-based security controls require apps to be signed by Apple and downloaded from the App Store
Attackers generally either:
• Impersonated or bypassed the App Store
• Created malicious apps that appeared identical to legitimate apps already installed, replacing them without any security warning to the user
Many users jailbreak their phones to install unverified third-party apps
• In China, 14% of the 60 million iOS devices have been jailbroken
• Jailbreaking entirely bypasses these security controls, leaving iOS open to attack
7. = attack spotlight: Xsser mRAT
Xsser Mobile Remote Access Trojan (mRAT) is the first advanced Chinese iOS Trojan
• Derived from Android spyware
• Broadly distributed in Hong Kong
• Infects jailbroken iOS devices by way of Cydia
• The payload is disguised as a Cydia source for a legitimate app
Once the payload binary is installed, the malicious actor receives sensitive information about the infected device
• Stolen data may be used for extortion or social engineering
8. = security advice
These attacks may be very hard for the user to detect
To prevent mobile infection, PLXsert recommends:
• Avoid using free Internet hot-spots
• Disable automatic Wi-Fi connection in untrusted places
• When possible, use VPNs to avoid eavesdropping and man-in-the-middle attacks
• Ignore sudden or unexpected communications with unusual origin or content
• Do not respond with sensitive information without verifying the origin of requests or communications
• Do not install any application from an unsigned or untrusted source
• Do not jailbreak phones; this exposes iOS to a wide range of attacks
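An added check, not from the advisory and not Akamai/PLXsert code, tying the Android point above (users can sideload apps whose signing no one has verified) to the advice against installing apps from unsigned or untrusted sources. It inspects an APK's v1 (JAR-style) signing metadata: whether a signature block is present at all, and whether every file's digest still matches META-INF/MANIFEST.MF, which is exactly what breaks when someone edits classes.dex inside a signed app and repackages it. The APK is a toy built in memory, the CERT.RSA block is a placeholder whose presence is all that is checked, and the PKCS#7 signature is deliberately not verified here; all of that is an assumption of the example, not something the advisory describes.

```python
"""Added example: check an APK's v1 (JAR) signing metadata before sideloading.
Verifies a signature block exists and that MANIFEST.MF digests still match;
it does NOT verify the PKCS#7 signature itself (use `apksigner verify`)."""
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")             # signature-block suffixes the v1 scheme accepts
DIGEST_ALGOS = {"SHA1-Digest": hashlib.sha1,         # manifest attribute -> hash function
                "SHA-256-Digest": hashlib.sha256}


def unfold(text):
    """Undo the JAR manifest's 72-byte line wrapping (continuation lines start with a space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_manifest(text):
    """Return {entry name: {digest attribute: base64 value}} from MANIFEST.MF."""
    entries, section = {}, {}
    for line in unfold(text) + [""]:                 # trailing "" flushes the last section
        if not line.strip():
            if "Name" in section:
                entries[section["Name"]] = {k: v for k, v in section.items() if k.endswith("-Digest")}
            section = {}
            continue
        key, _, value = line.partition(":")
        section[key.strip()] = value.strip()
    return entries


def check_apk(apk_bytes):
    """Classify an APK as 'unsigned', 'tampered' or 'digests_ok' and list offending entries."""
    report = {"has_manifest": False, "has_signature_block": False,
              "tampered": [], "unlisted": [], "verdict": "unsigned"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        report["has_signature_block"] = any(
            n.startswith("META-INF/") and n.upper().endswith(SIG_BLOCK_EXTS) for n in names)
        if "META-INF/MANIFEST.MF" not in names:
            return report                            # nothing to verify against
        report["has_manifest"] = True
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                             # signing files and directories are not listed
            digests = manifest.get(name)
            if not digests:
                report["unlisted"].append(name)      # file added after signing
                continue
            data = z.read(name)
            for attr, fn in DIGEST_ALGOS.items():
                if attr in digests and base64.b64encode(fn(data).digest()).decode() != digests[attr]:
                    report["tampered"].append(name)  # file modified after signing
                    break
    if not report["has_signature_block"]:
        report["verdict"] = "unsigned"
    elif report["tampered"] or report["unlisted"]:
        report["verdict"] = "tampered"
    else:
        report["verdict"] = "digests_ok"
    return report


# Constructed stand-in for an app's contents; not a real application.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest package='com.example.bank'/>",
    "classes.dex": b"dex\n035\x00original bytecode",
}


def build_apk(files, sign=True, tamper=None):
    """Build a toy APK in memory. `tamper` swaps file contents AFTER the manifest digests were
    computed, mimicking an attacker who edits a signed app and repackages it without re-signing."""
    lines = ["Manifest-Version: 1.0", "Created-By: added-example", ""]
    for name, data in files.items():
        lines += [f"Name: {name}",
                  "SHA-256-Digest: " + base64.b64encode(hashlib.sha256(data).digest()).decode(), ""]
    manifest = "\r\n".join(lines).encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, (tamper or {}).get(name, data))
        if sign:
            z.writestr("META-INF/MANIFEST.MF", manifest)
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")        # placeholder, not checked
            z.writestr("META-INF/CERT.RSA", b"placeholder-not-a-real-pkcs7-blob")  # presence only
    return buf.getvalue()


def demo():
    """Verdicts for a clean build, a repackaged build and an unsigned build."""
    cases = {
        "clean": build_apk(SAMPLE_FILES),
        "repackaged": build_apk(SAMPLE_FILES, tamper={"classes.dex": b"dex\n035\x00bytecode with injected RAT"}),
        "unsigned": build_apk(SAMPLE_FILES, sign=False),
    }
    return {label: check_apk(apk)["verdict"] for label, apk in cases.items()}


if __name__ == "__main__":
    print(demo())  # {'clean': 'digests_ok', 'repackaged': 'tampered', 'unsigned': 'unsigned'}
```

A manifest that still matches only proves nobody edited the package after it was signed; an attacker who repackages an app normally re-signs it with a key of their own, and this check cannot tell that apart from the real developer. The missing step is to compare the signer certificate against the developer's published fingerprint, for example with `apksigner verify --print-certs app.apk`, which also validates the v2/v3 whole-file signature schemes that this manifest-level check does not cover.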
9. = threat advisory: mobile man-in-the-middle attacks
PLXsert has published a comprehensive threat advisory on this topic: Man-in-the-Middle Attacks Target iOS and Android
The report contains detailed analysis of:
• Open source intelligence about attacks against mobile devices
• How attackers access Android devices
• How attackers access iOS devices
• Man-in-the-middle GSM and CDMA vulnerabilities
• Why jailbroken phones are at high risk
• How Xsser mRAT ends up on mobile phones
• The malicious use of the Cydia repository
• Infection prevention tips
10. = about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.