When Malware Goes Mobile


  • There are a few things that make malware for Android more common than on other platforms. Adding new applications to the market is easy, and Google’s process for controlling the functionality of applications is not very strict. It is very easy to become an Android developer and publish an application. It is very easy to decompile an application, change its functionality and repackage it as a completely new (effectively stolen) application. Installation from third-party sites is possible. There are a number of alternative Android markets for applications, including ones set up by the network providers and other well-known companies such as Amazon. In addition to that, cracked applications are shared on many Android-related forums and file sharing web sites. Piracy is a major problem. An article on Forbes states: “The costs of piracy are very real. One-in-three developers say they’ve lost more than $10,000 in revenue due to piracy. 32% say piracy increases their support costs. One-in-four say piracy increases their server costs, with all those extra users piling onto their servers.” There is a significant number of alternative markets in China, which is currently the main source of malicious applications. Overall, the situation with Android applications is very similar to the early days of Windows, and considering that, it is not surprising that we are seeing increasing numbers of Android malware in our labs.
  • Most of the Android malware variants we have seen (around 100 at the moment) have been written this year, though some of them appeared last year as well (the first ones in 2009). There is at least a 500% increase year over year, but the numbers are still very small compared to the numbers of Windows malware. The most significant malware attacks are the ones that successfully infiltrate the original Google Marketplace. The most well-known example is DroidDream (March 2011). Attackers managed, using three Android developer accounts, to plant over 50 trojanized applications into the original market. DroidDream uses two privilege escalation exploits (one for the Linux kernel, one for Android) to obtain root access to the device and integrate with the operating system; it then collects potentially confidential information from the phone and sends it to the malware writers.
  • Interesting for tactics similar to Windows malware (fake installers, fake antivirus software), but also because files are dynamically built as they are served to the user, which achieves a very crude server-side polymorphism. A technique used to morph the APK file is to include a random number of images of.... See next slide.
  • This scary-looking dude. We thought at the beginning that this may be the virus writer (although that would be quite stupid on his side). It turns out this is the original photo from a wedding in Fryazino. This image was published on a popular forum sometime in 2006 and became a major Russian internet meme, with people adding the witness to many photos and occasions, such as (see next slide).
  • Examples of some work including the Witness from Fryazino.
  • The principle of the compliance check is very simple. Compare information from the device against a set of rules. If any of the rules is violated, the device is not compliant. In this case, the device will be highlighted to the administrator. Optionally, a mitigation and enforcement rule can be executed and any further e-mail to the device will be blocked in the EAS proxy.
  • The detections on the in-the-wild chart:
    • PJApps-C is a detection for applications that are cracked: not necessarily malicious, but cracked using a dodgy tool, and most probably illegal (PUA).
    • BBridge-A is a detection for data-leakage and SMS-sending malware; it uses HTTP to connect and send the data to a malicious (C&C?) server.
    • Generic-S is a Labs rules bucket.
    • BatteryD is another PUA which purports to be an app that saves battery consumption but is aggressive adware that may leak some personally identifiable information.
    • DrSheep-A is a hack tool which allows an attacker to hijack sessions on the same wireless network if a web app is not using HTTPS (e.g. it works for LinkedIn at the moment). Similar to Firesheep.
    • DroidRt-A is an app containing a privilege escalation exploit, potentially used to root the device.
    • Opfake is a fake Opera installer; real malware, finally.
    • Boxer is real malware (see next few slides); it installs additional (malicious or non-malicious) packages and sends SMS messages to premium-rate numbers (depending on the country).
    • FaceNiff is a Facebook session sniffer (not sure how it works) but it is a hacking tool I think.
  • So if you’re looking at your mobile strategy, think of your mobile devices as portable computers, but with additional risks, so you need to use more than just mobile device management to protect them. We have various tools to help you do that.
  • Complete security means we don’t just detect threats, we:
    • Reduce the attack surface – We address the things that bring risk, like vulnerabilities and applications.
    • Protect everywhere – We make sure your users are protected wherever they are and whatever device they’re using.
    • Stop attacks and breaches – Of course we can detect and prevent threats and data loss. But we’ve moved beyond signatures with innovations like live protection, which means we can stop new threats instantly.
    • Crucially, we keep people working – Both your users and the IT team. We engineer our products to simplify the tasks that take too much time today, like cleaning up infections and recovering forgotten passwords.
    So, as the threat and the ways that we use IT for work evolve, so does your protection. We stay on top of them, to simply give you all you need to stay secure. We engineer our products to work better together. And we look for opportunities to unify endpoint agents, gateway defenses, security policies and intelligence so it’s even easier.
    • Agents – for every device, combining security to maximise protection and performance
    • At the gateway – virtual or hardware appliances and software options that match your protection priorities and size
    • Through policies – We let you create a policy once, and apply it anywhere to give you consistent protection and user experience
    • From our Labs – our experts have visibility of all aspects of security threats and use that expertise to actively fine-tune your protection for you and deliver instantly from the cloud
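The crude server-side polymorphism described in the notes above (the same app served with a varying number of images) defeats whole-file hashing but not a hash of the code entries. This added example, not code from the talk, builds two in-memory ZIPs shaped like APKs with a constructed stand-in for classes.dex and compares them both ways; entry names and the fake dex bytes are assumptions.

```python
import hashlib
import io
import random
import zipfile

# Constructed stand-in for a classes.dex; no real app or malware is involved.
FAKE_DEX = b"dex\n035\x00" + b"constructed stand-in for compiled app code"

def build_sample_apk(dex: bytes, n_images: int, seed: int) -> bytes:
    """Build a minimal in-memory ZIP shaped like an APK: manifest, code, n_images padding files."""
    rng = random.Random(seed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", dex)
        for i in range(n_images):  # the varying resource set the talk describes
            z.writestr(f"res/drawable/img{i}.png", rng.randbytes(64))
    return buf.getvalue()

def file_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def code_fingerprint(apk: bytes) -> str:
    """Hash only the manifest and dex entries (decompressed, sorted by name), ignoring resources."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(z.namelist()):
            is_code = name == "AndroidManifest.xml" or (name.startswith("classes") and name.endswith(".dex"))
            if is_code:
                h.update(name.encode() + b"\x00" + z.read(name))
    return h.hexdigest()

def same_sample(apk_a: bytes, apk_b: bytes) -> dict:
    """Compare two APKs by whole-file hash and by code fingerprint."""
    return {"whole_file_match": file_hash(apk_a) == file_hash(apk_b),
            "code_match": code_fingerprint(apk_a) == code_fingerprint(apk_b)}

# Two "servings" of the same app with different numbers of random images (constructed).
SERVING_A = build_sample_apk(FAKE_DEX, n_images=3, seed=1)
SERVING_B = build_sample_apk(FAKE_DEX, n_images=7, seed=2)

if __name__ == "__main__":
    print(same_sample(SERVING_A, SERVING_B))  # whole-file hashes differ, code fingerprint matches
```

The same normalisation idea extends to any resource-only padding: whatever a lab keys its detection on should be the part of the package the attacker cannot vary without changing behaviour.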
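The compliance check described in the notes above and on the "Compliance Enforcement" slide (compare device data against rules, flag the device to the administrator, optionally block mail at the EAS proxy) as an added example, not Sophos Mobile Control's own code; the rule names, device fields, minimum OS versions and blacklisted package names are assumptions.

```python
from dataclasses import dataclass

# Minimum OS versions and the app blacklist are constructed sample policy values.
MIN_OS_VERSION = {"android": (4, 0), "ios": (5, 0)}
BLACKLISTED_APPS = {"com.example.sessionhijack", "com.example.batteryadware"}  # placeholders

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple
    rooted: bool          # rooted or jailbroken
    encrypted: bool       # device storage encryption on
    passcode_set: bool
    apps: tuple           # installed package names as reported by the MDM agent

# Each rule is (name, predicate); the predicate returns True when the device passes.
# An unknown platform fails the OS rule (default (999,)) rather than silently passing.
RULES = [
    ("device not rooted or jailbroken", lambda d: not d.rooted),
    ("device encryption enabled", lambda d: d.encrypted),
    ("passcode configured", lambda d: d.passcode_set),
    ("minimum OS version", lambda d: d.os_version >= MIN_OS_VERSION.get(d.platform, (999,))),
    ("no blacklisted apps installed", lambda d: not BLACKLISTED_APPS.intersection(d.apps)),
]

def check_compliance(device):
    """Return (compliant, violations): a single violated rule makes the device non-compliant."""
    violations = [name for name, passes in RULES if not passes(device)]
    return (not violations, violations)

def decide_mail_access(device, enforce=True):
    """Turn the check into what the EAS proxy needs: allow mail, or alert and (optionally) block."""
    compliant, violations = check_compliance(device)
    if compliant:
        return {"device": device.device_id, "status": "compliant", "mail": "allow", "alert_admin": False}
    return {"device": device.device_id, "status": "non-compliant", "violations": violations,
            "alert_admin": True, "mail": "block" if enforce else "allow"}

# Constructed sample inventory as an MDM agent might report it.
CLEAN_PHONE = Device("phone-01", "android", (4, 1), False, True, True, ("com.example.mail",))
ROOTED_PHONE = Device("phone-02", "android", (2, 3), True, False, True, ("com.example.sessionhijack",))

if __name__ == "__main__":
    for dev in (CLEAN_PHONE, ROOTED_PHONE):
        print(decide_mail_access(dev))
```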

    1. When Malware Goes Mobile – Vanja Svajcer, Principal Researcher
    2. Malware goes mobile • Mobile malware • Securing mobile devices
    3. Mobile malware • First malware for mobile platforms around 2004 • Symbian – most prevalent • JavaME – still being developed • WinCE – very few samples • iOS – few instances in 2010, 2011 • Android – big growth in the number of malware samples
    4. Android environment • Platform popularity (75% of new smartphone sales) • Adding applications to Google Play is easy • Alternative Android application markets • Forums and file sharing sites • “Cracked” and repackaged apps • China, Russia • Android app landscape similar to Windows
    5. Android – Google Play (screenshot)
    6. Android Malware – cumulative number of discovered samples (chart; y-axis 0 to 80,000 samples)
    7. Android Malware – samples discovered per year (chart; x-axis 2010, 2011, 2012; y-axis 0 to 80,000 samples)
    8. Android Malware – top malware families discovered (pie chart): Andr/Boxer-D, Andr/Boxer-A, Andr/Gmaster-A, Andr/Boxer-C, Andr/NewyearL-B, Andr/Kmin-C, Andr/Opfake-F, Andr/KongFu-A, Andr/Opfake-G, Andr/FakeIns-A, Others
    9. Android Malware – discovered Android vs JavaME samples (monthly percentage chart, 2011-07 to 2012-09; series: JavaME samples, Android samples)
    10. Android malware • Over 70k unique samples of malware known • Information stealers (Andr/SMSRep) • SMS senders (Andr/AdSMS) • Phishing (fake mobile banking software) • Privilege escalation exploits (DroidDream) • Zeus for Android (Zitmo)
    11. Andr/Boxer family (screenshot)
    12. Andr/Boxer family – Witness (image)
    13. Andr/Boxer family – Witness (image)
    14. Zitmo environment (diagram: Zeus/Zitmo C&C server; Attacker; Victim; Send status & SMS messages; SMS mTAN)
    15. Android malware ItW – malware reports ItW (pie chart): Andr/PJApps-C 65%, Andr/BBridge-A 9%, Andr/Generic-S 6%, Andr/BatteryD-A 4%, Andr/DrSheep-A 3%, Andr/DroidRt-A 2%, Andr/Boxer-A 2%, Andr/Opfake-C 2%, Andr/Opfake-A 1%, Andr/FaceNiff-A 1%, Others 5%
    16. PJApps distribution (map)
    17. Android malware ItW – Android malware reports per country (pie chart; countries shown: United States, United Kingdom, Germany, Brazil, Spain, Cyprus, Venezuela, Netherlands, Mexico, Costa Rica, Argentina, Italy, Republic of Korea, India, Romania, Switzerland, Peru, China, Others)
    18. Android Malware – Android Threat Exposure Rate (bar chart; y-axis 0% to 14%; countries: Australia, Brazil, United States, Others, Malaysia, Germany, India, France, United Kingdom, Iran)
    19. Paradigm shift?
    20. Securing mobile devices • Platform and device diversity • Compliance for access to corporate data • Device security • Application security • IT productivity
    21. Diversity – Use an MDM framework to manage all major smartphone and tablet types from a single console • Apple iOS • Android • RIM BlackBerry 5.x, 6.x • Windows 8?
    22. Compliance • Compliance enforcement • Best practice in configuration • Best practice in app security • Protecting enterprise assets
    23. Compliance Enforcement – Basics (diagram: validate rules; send status; control mail access; EAS proxy; Exchange)
    24. Device & data security (loss) • Remote lock and/or wipe • Auto-wipe after a number of failed login attempts • Locate lost or stolen phone • SIM change notification/wipe • Device encryption !!!
    25. Application security – Enterprise app store for recommended apps • Recommend supported apps • Enforce required apps • Distribute homegrown apps • Help for the agnostic user • Limit the risk of too many used apps – Keep OS and apps up to date • Easier with apps • Difficult (for Android) for OS
    26. IT Productivity – remote and OTA management • Define password policy and lock period • Control installation of apps • Block use of camera, browser, YouTube, … • Send text notification to client • Manage endpoint security/anti-malware software • Prevent jailbreaking • BlackBerry most suited for fine tuning, then iOS, Android
    27. Conclusions • Mobile devices are changing the enterprise • Diversity (apps rule, not OSes), BYOD • Android most targeted by malware • Malware growth to continue • Malware complexities increase • Follow best practice to secure mobile devices
    28. Control, secure, protect • Sophos Mobile Control – Mobile Device Management: on-premise or cloud-based solution to manage, control and protect mobile devices; enable BYOD without the risks • Sophos Mobile Security – Anti-Virus for Android: scans for malicious data-stealing apps and provides loss and theft protection; free download; protect devices from Android malware • Sophos Mobile Encryption – Mobile Data Protection: extends SafeGuard Encryption for Cloud Storage to mobile devices, iOS or Android*; ensure persistent encryption; Android version available late September 2012
    29. Complete Security (matrix; columns: Endpoint, Web, Email, Data, Mobile, Network; rows: Reduce attack surface, Protect everywhere, Stop attacks and breaches, Keep people working; cells: URL Filtering, Web Application Firewall, Endpoint Web Protection, Encryption for cloud, Data Control, Access control, Automation, WiFi security, Anti-spam, Patch Manager, Mobile Control, Virtualization, Anti-malware, User education, Visibility, Local self-help, Application Control, Mobile app security, Clean up, Technical support, Device Control, Secure branch offices, Intrusion prevention, Encryption, Live Protection, Email encryption)
    30. Staying ahead of the curve • US and Canada: 1-866-866-2802, NASales@sophos.com • UK and Worldwide: +44 1235 55 9933, Sales@sophos.com • facebook.com/securitybysophos • Sophos on Google+ • linkedin.com/company/sophos • twitter.com/Sophos_News • nakedsecurity.sophos.com