Anti-virus, Mobile Device Management and Mobile Threat Defense wouldn’t have helped against the recent iOS and WhatsApp hacks – so where should you look for protection?
On May 13th the Financial Times reported that a recently discovered vulnerability in the hugely popular messaging app WhatsApp had allowed attackers to inject commercial spyware onto mobile devices. The hack involved the installation of a sophisticated and powerful spyware known as Pegasus, developed by the Israel-based NSO Group. The attack, which exploited a previously unknown software vulnerability in the WhatsApp mobile application, enabled the attacker to install spyware via a WhatsApp voice call. Once installed, the spyware could collect sensitive information that was then fed back to the attacker.
This is the second high profile security incident to involve Pegasus. The previous attack was revealed by the human rights and technology organization Citizen Lab in August 2016 and exploited a trio of vulnerabilities, dubbed Trident, in the iOS operating system. In that case, although the attempted spying was ultimately thwarted, subsequent research identified evidence of the spyware in operation in at least 45 countries.
iOS and WhatsApp hacks…targeting mobile phones
It is no surprise that these kinds of attacks are today targeting mobile phones. We expect our mobile conversations to be secure enough to carry even the most sensitive secrets. Attacks like this against WhatsApp give pause and raise the question – what do I need to do to keep my organization’s mobile devices secure?
While companies have a range of tools aimed at thwarting mobile phone hacks at their disposal, people are questioning their effectiveness against the latest cyber attacks. So let’s examine how today’s tools would have fared when confronted by a modern threat such as the iOS and WhatsApp hacks.
We are all familiar with anti-virus (AV) programs from the PC world. Such programs are also available for mobile devices. However, because of the way Apple and Google have designed their operating systems, AV programs can often do little to detect malware. Apple bans AV programs from its app store and while Google, with a more open attitude, allows AV programs for Android, its efforts are focused on its in-house virus scanning service known as Google Play Protect.
How mobile anti-virus works
Anti-virus software checks all apps on your phone against a list of known malware. If it finds a previously unseen app it will copy and analyze it to see if it contains suspicious code.
Why anti-virus wouldn’t have protected you from the iOS and WhatsApp hack
Anti-virus protection would have been ineffective against the iOS and WhatsApp hacks for three reasons. Firstly, an anti-virus program is only effective if the malware is contained within an app. Secondly, the program can’t stop you from installing the malware; neither can it remove it. Finally, it is easy for malware developers to trick anti-virus programs into thinking their code is benign – if they detect that the app is being analyzed, the malware changes its behavior to look benign, leaving the anti-virus virtually useless.
Mobile Device Management
Companies use Mobile Device Management (MDM) systems to configure and manage their employees’ mobile devices. They enable IT departments to do things such as distribute applications to employees’ devices over the air. MDMs can also enforce basic security rules such as requiring a device to be encrypted and to have a strong password. They do not secure devices against cyber-attacks and would have offered no defense against Pegasus.
Mobile Threat Defense
In the early years of this decade, a range of startups launched products to address the limitations of mobile anti-virus. The leading IT analyst firm Gartner calls this product category “Mobile Threat Defense”, or MTD for short. MTD is typically deployed alongside a Mobile Device Management system.
How MTD works
MTD products collect information about devices, apps and networks to identify potential risks. Businesses can then use their MDM systems to block high risk devices from accessing corporate applications and data. However, MTD products suffer from two severe limitations: (i) they have a very limited view of device network traffic, and (ii) they have no way to instantly disable malware. The first makes it difficult for them to detect a malware infection, and the second means they cannot prevent its operation once installed.
Would MTD have protected you from the iOS and WhatsApp hacks?
The short answer is no. None of the settings that MTD monitors would have disclosed that devices contained Pegasus malware. Therefore, the malware would have been free to operate without any interference from the MTD solution.
At Corrata we have pioneered a different approach to securing mobile devices against cyber threats. Our approach is about protecting the device rather than simply monitoring it. Our vision is to act like an immune system for your mobile device that protects against attacks.
How Corrata’s solution works
Corrata’s solution is based on our patented SafePathML technology. SafePathML creates the equivalent of an enterprise grade firewall installed on each device. Once installed, the firewall has complete visibility and control over all network traffic to and from the device. Corrata reviews, in real time, every server that a device attempts to connect to. Using dynamic rules (we call this Smart Policy Protection), Corrata blocks connections to suspicious hosts. This stops devices connecting to malware download servers. Corrata will detect well disguised malware once it attempts to communicate with its command and control infrastructure. Corrata instantly blocks these connection attempts, which prevents the malware from sending any data back to its owners.
How Corrata would have countered the iOS and WhatsApp hacks
In the WhatsApp case, the hackers disguised the Pegasus malware as an inbound VoIP call. Corrata’s solution detects these connection attempts and blocks them. Corrata’s software would then flag these connection attempts as suspicious and report them instantly to information security teams. This means that Corrata detects the infection and disables its operations.
NSO, like others who operate malware, constantly changes its server infrastructure and makes significant efforts to avoid detection. Security solutions which rely on lists of known malicious domains and IP addresses don’t work against such actors. In contrast, Corrata uses its Smart Policy Protection feature to spot these suspicious connections. Smart Policy Protection uses a combination of device traffic analysis, global internet categorization data, and information about domain registrations to identify newly created malware servers.
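As an added illustration (not Corrata’s code, whose rules are not published here), a simplified on-device egress policy evaluator combining the three signals named above: domain registration age, categorization data and the regularity of a device’s traffic to a host. The hostnames, dates and lookup tables are constructed for the example.

```python
from datetime import date
from ipaddress import ip_address
from statistics import pstdev

# Constructed lookup tables standing in for categorization and domain
# registration feeds (illustrative values, not Corrata's data).
CATEGORY = {"api.example-bank.com": "finance", "cdn.example-news.com": "news"}
REGISTERED = {
    "api.example-bank.com": date(2010, 3, 1),
    "cdn.example-news.com": date(2014, 7, 9),
    "x7q2-update.example": date(2019, 5, 10),  # registered days before first use
}
NEW_DOMAIN_DAYS = 30      # anything younger than this is treated as suspicious
BEACON_MIN_SAMPLES = 5    # contacts needed before judging regularity
BEACON_MAX_JITTER = 0.1   # stdev/mean of gaps below this looks machine-driven

def is_ip_literal(host):
    """Bare IP destinations skip DNS, so category lookups cannot vouch for them."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def looks_like_beacon(timestamps):
    """True when contacts to one host are spaced at near-identical intervals."""
    if len(timestamps) < BEACON_MIN_SAMPLES:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and pstdev(gaps) / mean < BEACON_MAX_JITTER

def evaluate(host, today, history=()):
    """Return (decision, reason) for an outbound connection attempt.

    history: timestamps (seconds) of earlier contacts from this device to host."""
    if is_ip_literal(host):
        return "flag", "bare IP destination bypasses DNS-based categorization"
    registered = REGISTERED.get(host)
    if registered is None:
        return "flag", "no registration record for host"
    if (today - registered).days < NEW_DOMAIN_DAYS:
        return "block", "domain registered fewer than %d days ago" % NEW_DOMAIN_DAYS
    if looks_like_beacon(history):
        return "block", "regular beaconing pattern suggests command and control"
    if host not in CATEGORY:
        return "flag", "uncategorized host"
    return "allow", "known category: " + CATEGORY[host]
```

A real deployment would feed the flag and block decisions to the security team’s reporting channel rather than returning them to the caller.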
These hacks have raised awareness of the vulnerability of mobile devices and helped to dispel complacency around the threats. For those of us involved in providing tools to secure devices, the important issue is to make sure that our software offers the best possible protection against the most determined attackers. The alternative of simply bombarding infosec teams with more dashboards to explore and alerts to triage is not a sustainable approach. In contrast, Corrata’s mission is to provide protection which evolves in response to changes in the threat environment. Or, in simpler terms, an immune system for mobile.