GovCert.NL - The Monkey Steals The Berries


  1. The Monkey Steals the Berries
     Mobile Malware – The State of Mobile Security
  2. Presenter Background © 2010 Veracode, Inc.
  3. Agenda
     - Background
     - Attacker Motivation
     - Case Studies
     - Mobile Security Mechanisms
     - Potential Effects and Behaviors
     - Detecting Malicious Mobile Applications
     - Demonstration
     - Conclusion
  4. Background
  5. Malicious Mobile Applications
     - Modifications to legit programs
     - Developer created
     - Intentional
     - Inadvertent
     - Any programming language
     - Any operating system
  6. Attacker Motivation
  7. Attacker Motivation
     - Practical method of compromise
     - Retrieve or manipulate valuable private data
     - Cost effective and reliable
  8. Units Sold By Operating System
     [Bar chart: units sold, 2008 units vs. 2009 units, by operating system (Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs). Data source: DISTMO Appstore Analytics, www.appstore.info]
  9. Units Sold Market Growth
     [Bar chart: percentage growth in market share by operating system (Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs). Data source: DISTMO Appstore Analytics, www.appstore.info]
  10. Application Counts
      Number of applications in store, last counted Jan/Feb 2010 (data source: DISTMO Appstore Analytics, www.appstore.info):
      - iPhone App Store: 150,998
      - Android Marketplace: 19,897
      - Nokia Ovi Store (Maemo): 6,118
      - Blackberry App World: 5,291
      - Palm App Catalog: 1,452
      - Windows Marketplace: 944
  11. iPhone Applications Sold
      [Chart: applications sold (in billions). Data source: Gartner, Inc., a research and advisory firm]
  12. Back To The Future
  13. Back To The Future
  14. Case Studies
  15. FlexiSpy
      - http://www.flexispy.com
      - $149 - $350 PER YEAR depending on features
  16. FlexiSpy Web Site Quotes
      - “Download FlexiSPY spyphone software directly onto a mobile phone and receive copies of SMS, Call Logs, Emails, Locations and listen to conversations within minutes of purchase.”
      - “Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms etc.”
      - “F Secure seem to think that it's ok for them to interfere with legitimate, legal and accountable software. Who appointed them judge, jury and executioner anyway, and why won't they answer our emails, so we have to ask who is the real malware? Here is how to remove FSecure malware from your device. Please don't believe the fsecure fear mongers who simply wish you to buy their products.”
  17. Mobile Spy
      - http://www.mobile-spy.com
      - $49.97 PER QUARTER or $99.97 PER YEAR
  18. Mobile Spy Web Site Quotes
      - “This high-tech spy software will allow you to see exactly what they do while you are away. Are your kids texting while driving or using the phone in all hours of the night? Are your employees sending company secrets? Do they erase their phone logs?”
      - “Our software is not for use on a phone you do not own or have proper permission to monitor from the user or owner. You must always follow all applicable laws and regulations in your region.”
      - “Purchased by more than 30,000 customers in over 150 countries”
  19. eBlaster Mobile
      - http://www.spectorsoft.com
      - $49.95 a year
  20. Etisalat (SS8)
      - UAE cellular carrier
      - Distribution: SMS link to patch
      - Command & Control: BB PIN
      - Hidden on device
      - Data stolen: Email, SMS
  21. Storm8 Phone Number Farming
      - iPhone video game maker
      - Built into game
      - Distribution: iTunes
      - Command & Control: None
      - Hidden within application
      - Data stolen: Phone Number
  22. Symbian Sexy Space
      - No real facade
      - Botnet for Symbian phone
      - Distribution: Malicious web sites
      - Worm: SPAM contacts
      - Data stolen: Phone number, network information
      - Signed by Symbian as safe!
        – Anti-virus scan
        – Some manual assessment
  23. 09Droid – Banking Applications Attack
      - 09Droid developer
      - Web frontends to 50+ banks
      - Distribution: Android Marketplace
      - Data stolen: Unknown – likely none
      - Multiple bank fraud warnings released
  24. 3D Anti-Terrorist / PDA Poker Art / Codec Pack WM1.0
      - Original author: Huike
      - Repackaged in Russia
      - Built into game
      - Distribution: WM shareware web sites
      - Command & Control: None
      - Data stolen: Money!
  25. Mobile Security Mechanisms
  26. Does It Really Matter?!
      - Only 23% of smartphone owners use the security software installed on the devices. (Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009)
      - 13% of organizations currently protect from mobile viruses (Mobile Security 2009 Survey by Goode Intelligence)
  27. Common Mobile Security Mechanisms
      - Corporate level security policies
      - Application level security policies
      - Mobile anti-virus
      - Application marketplace screening
      - Code Signing
  28. V5.0.0.328 Trusted 3rd Party Application Permissions
      Permissions shown: Bluetooth Connections, Phone Connections, USB Connections, Location Data, Server Network, Internet, IPC, Device Settings, Media, Application Management, Themes, Input Simulation, Browser Filtering, Recording, Security Timer Reset, Display Information While Locked, Email Data, Organizer Data, Files, Security Data
  29. V5.0.0.328 Untrusted 3rd Party Application Permissions
      Permissions shown: Bluetooth Connections, Phone Connections, USB Connections, Location Data, Server Network, Internet, IPC, Device Settings, Media, Application Management, Themes, Input Simulation, Browser Filtering, Recording, Security Timer Reset, Display Information While Locked, Email Data, Organizer Data, Files, Security Data
  30. Potential Effects and Behaviors
  31. Installation Methods
      - Application Marketplace
        • iTunes
        • Android Marketplace
        • Blackberry App World
      - Over The Air (OTA)
        • Web Sites
        • Carrier Pushed
      - Enterprise Distribution
        • Mass Push
        • Corporate Targets
      - PC Loader
        • User Desktop Distribution
        • With/Without Assistance
        • Virus
  32. Technical Methods
      - Data Dumpers
      - Listeners
      - Exfiltration Methods
      - Command and Control
  33. Logging and Dumping
      - Monitor connected / disconnected calls
      - Monitor PIM added / removed / updated
      - Monitor inbound SMS
      - Monitor outbound SMS
      - Real Time track GPS coordinates
      - Dump all contacts
      - Dump current location
      - Dump phone logs
      - Dump email
      - Dump microphone capture (security prompted)
  34. Exfiltration and C&C Methods
      - SMS (No CDMA)
      - SMS Datagrams (Supports CDMA)
      - Email
      - HTTP GET
      - HTTP POST
      - TCP Socket
      - UDP Socket
      - DNS Exfiltration
      - Default command and control to inbound SMS
      - TXSPROTO Bidirectional TCP based command and control
  35. Detecting Malicious Mobile Code
  36. Detecting Malicious Mobile Code
      - Signature Based Detection – Broken
      - Resource Usage Whitelisting – Semi-broken
      - Sandbox Based Execution Heuristics – Semi-broken
      - Static Decompilation and Analysis – Hard to do, but WORKS!
  37. Mobile Malicious Code Detection
  38. Defense in Depth
      - Do all of the above!
      - Implement and enforce strong IT policies
      - Implement and enforce additional application policies as required
      - Implement a best of breed anti-virus solution
        – If only for thoroughness of deployed options
      - Utilize static decompilation and analysis of applications considered for deployment
  39. Demonstration
  40. Conclusion
      - We are currently trusting the vendor application store provider for the majority of our mobile device security
      - Minimal methods of real time eradication or detection of spyware type activities exist
      - When they do exist they are not configured correctly (or at all)
      - No easy/automated way to confirm for ourselves what the applications are actually doing
      - Automate the decompilation and static analysis of applications that are required for the ongoing functioning of your business
  41. The Monkey Steals the Berries! Questions?
  42. Questions?
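
Slide 36 rates resource usage whitelisting as semi-broken. The sketch below is an added example, not code from the presentation or from Veracode: it audits the permissions an application requests against a per-category whitelist, using the permission names read from slides 28 and 29. The grouping into data sources and outbound channels, the whitelist and the sample apps are assumptions constructed for illustration.

```python
# Permission names are those listed on slides 28-29; grouping them into
# data sources and outbound channels is an assumption of this example.
DATA_SOURCES = {"Email Data", "Organizer Data", "Location Data", "Files",
                "Security Data", "Recording", "Phone Connections"}
CHANNELS = {"Internet", "Server Network", "Bluetooth Connections",
            "USB Connections"}

# Constructed whitelist: permissions each app category may request.
WHITELIST = {
    "game": {"Media", "Themes", "Internet"},
    "mail_client": {"Email Data", "Organizer Data", "Internet"},
}

def audit(app):
    """Return verdict, out-of-policy permissions and source/channel pairs."""
    requested = set(app["permissions"])
    excess = requested - WHITELIST.get(app["category"], set())
    sources = requested & DATA_SOURCES
    channels = requested & CHANNELS
    # Every way private data could leave the device, in policy or not.
    pairs = sorted((s, c) for s in sources for c in channels)
    if (excess & DATA_SOURCES and channels) or (excess & CHANNELS and sources):
        verdict = "reject"   # out-of-policy access that can be sent off-device
    elif excess:
        verdict = "review"   # out of policy, but no source + channel pair
    else:
        verdict = "allow"    # in policy; pairs show the residual exposure
    return {"app": app["name"], "verdict": verdict,
            "excess": sorted(excess), "pairs": pairs}

# Constructed sample apps (not real products).
APPS = [
    {"name": "puzzle_game", "category": "game",
     "permissions": ["Media", "Internet", "Phone Connections", "Organizer Data"]},
    {"name": "theme_pack", "category": "game",
     "permissions": ["Themes", "Input Simulation"]},
    {"name": "mail_app", "category": "mail_client",
     "permissions": ["Email Data", "Internet"]},
]

def audit_all(apps=APPS):
    """Audit every app and index the results by app name."""
    return {r["app"]: r for r in map(audit, apps)}

if __name__ == "__main__":
    for name, r in audit_all().items():
        print(name, r["verdict"], r["excess"], r["pairs"])
```

`mail_app` is allowed yet still holds an Email Data and Internet pair: a whitelist over declared resources cannot tell what an in-policy application does with the data it may read.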
