Anti-virus, Mobile Device Management and Mobile Threat Defense won’t help against today’s attacks – so where should you look for protection?
On May 13th the Financial Times reported that a recently discovered vulnerability in the hugely popular messaging app WhatsApp had allowed attackers to inject commercial spyware onto mobile devices. The hack involved the installation of a sophisticated and powerful spyware known as Pegasus, developed by the Israel-based NSO Group. The attack, which exploited a previously unknown software vulnerability in the WhatsApp mobile application, enabled the installation of the spyware to be initiated by the attacker via a WhatsApp voice call. Once installed, the spyware could collect sensitive information that was then communicated back to the attacker.
This is the second high profile security incident to involve Pegasus. The previous attack was revealed by the human rights and technology organization Citizen Lab in August 2016 and exploited a trio of vulnerabilities, dubbed Trident, in the iOS operating system. In that case, despite the fact that the attempted spying was ultimately thwarted, later research identified evidence of the spyware in operation in at least 45 countries.
It is no surprise that these kinds of sophisticated attacks are today targeting mobile phones. Smartphones are the most powerful communication tools ever invented. We expect our mobile communications to be secure and are comfortable using them for even the most sensitive secrets. Attacks like this against WhatsApp give pause, however, and beg the question: what do I need to do to keep my organization’s mobile devices secure?
While there are a range of tools aimed at thwarting mobile phone hacks available, their effectiveness against the latest cyber attacks is questionable. So let’s examine how today’s tools would have worked when confronted by a modern threat such as the WhatsApp hack.
We are all familiar with anti-virus (AV) programs from the PC world. Such programs are also available for mobile devices. However, because of the way Apple and Google have designed their operating systems, AV programs can often do little to detect malware. Apple bans AV programs from its App Store and, while Google, with a more open attitude, allows AV programs for Android, its efforts are focused on its in-house scanning service known as Google Play Protect.
How mobile anti-virus works
Anti-Virus software checks all apps on your phone against a list of known malware. If it finds a previously unseen app it will take a copy and analyze it to see if it has suspicious code.
Why anti-virus wouldn’t have protected you from the WhatsApp hack
Anti-virus protection would have been ineffective against the WhatsApp hack for three reasons. Firstly, an anti-virus program is only effective if the malware is contained within an app; Pegasus was delivered through a vulnerability in an already installed, legitimate app. Secondly, the program can’t stop you from installing the malware, nor can it remove it. Finally, it is easy for malware developers to trick anti-virus programs into thinking their code is benign: if the malware detects that it is being analyzed, it changes its behavior to look benign, leaving the anti-virus virtually useless.
Mobile Device Management
Mobile Device Management (MDM) systems are used by organizations to configure and manage their employees’ mobile devices. They enable IT departments to do things such as distribute applications and email configurations to employees’ devices over the air. They can also be used to enforce basic security rules such as requiring a device to be encrypted and to have a strong password. They are not designed to secure devices against cyber-attacks and would have offered no defense against Pegasus.
Mobile Threat Defense
In the early years of this decade, a range of startups launched products to address the limitations of mobile anti-virus. Leading IT analysts Gartner call this product category “Mobile Threat Defense” or MTD for short. MTD is typically deployed alongside a Mobile Device Management system.
How MTD works
MTD products collect information about device configurations, apps and networks to identify potential risks. Organizations can then use their MDM systems to block high risk devices from accessing corporate applications and data. However, MTD products suffer from two severe limitations: (i) they have very limited visibility of device network traffic and (ii) they have no way to automatically disable malware. The first makes it difficult for them to detect a malware infection, and the second means they cannot prevent its operation once installed.
Would MTD have protected you from the WhatsApp hack?
The short answer is no. None of the settings that MTD monitors would have disclosed that the Pegasus malware had been installed. Therefore, the malware would have been free to operate without any interference from the MTD solution.
At Corrata we have pioneered a different approach to securing mobile devices against cyber threats. Our approach is about protecting the device rather than simply monitoring it. Our vision is to act like an immune system for your mobile device – protecting against attacks and fighting back against those that occur.
How Corrata’s solution works
Corrata’s solution is based on our patent pending SafePathML technology. SafePathML creates the equivalent of an enterprise grade firewall installed on each device. Once installed, the firewall has complete visibility and control over all network traffic to and from the device. Every server to which a device attempts to connect is reviewed in real time, no matter what protocol is being used. Using dynamic rules (we call this Smart Policy Protection), connections to suspicious hosts are blocked. This stops devices connecting to malware download servers. Where the malware download is well disguised (as appears to have been the case with the WhatsApp hack), Corrata will detect it once it attempts to communicate with its command and control infrastructure. Such connection attempts are immediately blocked, which prevents the malware from sending any data back to its owners.
How Corrata would have countered the WhatsApp hack
In the WhatsApp case, the Pegasus malware was disguised as an inbound VoIP call. Once installed, the Pegasus spyware is known to communicate with servers controlled by its owner, NSO. Corrata’s solution detects these connection attempts and blocks them. Corrata’s software would then flag these connection attempts as suspicious and report them automatically to information security teams. This means that the infection by Pegasus is identified and its operations are disabled.
NSO, like others who operate malware, constantly changes its server infrastructure and makes significant efforts to avoid detection. Security solutions which rely on static lists of known malicious domains and IP addresses don’t work against sophisticated actors. In contrast, Corrata uses its Smart Policy Protection feature to spot these suspicious connections. Smart Policy Protection uses a combination of device traffic analysis, global internet categorization data, and information about domain registrations to identify newly created malware servers.
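As an added illustration (not Corrata’s code and not a description of SafePathML’s actual rules), here is a minimal dynamic policy of the kind the paragraph describes, combining three constructed inputs: per-host connection counts from device traffic, a categorization feed and domain registration dates. Hostnames, dates and thresholds are assumed for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample data standing in for the three inputs named in the text:
# device traffic (connection attempts), a categorization feed and domain
# registration records. Hypothetical hosts, not real infrastructure.
TODAY = date(2019, 5, 14)
CONNECTIONS = [  # (app id, destination host) as seen by an on-device firewall
    ("com.whatsapp", "cdn.whatsapp.example"),
    ("com.whatsapp", "cdn.whatsapp.example"),
    ("com.whatsapp", "sync-a81f.example"),
    ("com.whatsapp", "sync-a81f.example"),
    ("com.whatsapp", "sync-a81f.example"),
    ("com.android.chrome", "news.example"),
]
CATEGORY = {"cdn.whatsapp.example": "messaging", "news.example": "news"}
REGISTERED = {
    "cdn.whatsapp.example": date(2012, 1, 10),
    "sync-a81f.example": date(2019, 5, 9),  # registered five days ago
    "news.example": date(2005, 6, 1),
}

def signals(host, hits, today=TODAY, min_age_days=30, repeat_threshold=3):
    """Return the risk signals raised for one destination host."""
    found = []
    reg = REGISTERED.get(host)
    if reg is None or (today - reg).days < min_age_days:
        found.append("newly-registered-or-unknown-domain")
    if host not in CATEGORY:
        found.append("uncategorized-host")
    if hits >= repeat_threshold:  # repeated contact looks like beaconing
        found.append("repeated-connections")
    return found

def decide(host, hits, **kw):
    """Dynamic rule: two or more signals -> block, one -> alert, none -> allow."""
    s = signals(host, hits, **kw)
    if len(s) >= 2:
        return "block", s
    if s:
        return "alert", s
    return "allow", s

def evaluate(connections):
    """Apply the rule to every host seen in the device's traffic."""
    hits = Counter(host for _, host in connections)
    return {host: decide(host, n) for host, n in hits.items()}

if __name__ == "__main__":
    for host, (verdict, why) in evaluate(CONNECTIONS).items():
        print(f"{verdict:5} {host} {why}")
```

A real deployment would feed these verdicts back to the security team as the text describes, rather than only printing them.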
The WhatsApp hack has raised awareness of the vulnerability of mobile devices and helped to dispel a level of complacency about the threats. For those of us involved in providing tools to secure devices, the important issue is to make sure that our software offers the best possible protection against the most determined attackers. The alternative of simply bombarding infosec teams with more dashboards to explore and alerts to triage is not a sustainable approach. In contrast, Corrata’s mission is to provide protection which evolves dynamically in response to changes in the threat environment. Or, in simpler terms, an immune system for mobile.