
Understanding Malware Part 2 – What is Advanced Mobile Malware?

By Colm 7th July 2019

As users steadily move away from desktops in favour of mobile devices, it is inevitable that attackers will switch their tactics too. And as an increasing number of sensitive and high-value tasks are carried out on mobile devices, mobile-specific threats are fast becoming a major concern. Mobile malware, in its many different forms and distribution platforms, is one of the most dangerous of these threats. Last week we detailed the risk of social engineering malware – what it is, the different types, and how to avoid it. This week, let’s take a deeper look at the other main type of malicious software targeting mobile devices: Advanced Mobile Malware. Unlike social engineering, which preys on and manipulates individual users to distribute malicious code or gather information, Advanced Mobile Malware exploits unpatched vulnerabilities in the underlying operating system of the device, allowing the attacker to compromise all of its contents and operations. So how has this been done, and what can we do to avoid it?

Trident/Pegasus

One of the most high-profile Advanced Mobile Malware attacks came to light in 2016, when a targeted spyware attack delivered via SMS exploited three zero-day vulnerabilities on iOS devices. The attack began as a simple phishing campaign in which the attacker sent the victim an SMS message containing a link and convinced them to click it, following the tactics of a social engineering attack. The malicious link would then take advantage of three vulnerabilities (nicknamed ‘Trident’) in the iOS software to install malware (dubbed ‘Pegasus’) and jailbreak the device. The attacker would then gain full read/write privileges on the device, enabling them to add surveillance software that accessed messages, calls, emails and end-to-end encrypted apps to collect information including passwords and contact lists. Apple were quick to issue patches for all three vulnerabilities once they were made aware of the attack, though not before a number of iOS devices had been compromised.

The malware was not completely eradicated, however. In May 2019, it was discovered that malicious actors had exploited a bug in the audio call feature of the popular messaging app WhatsApp to inject spyware onto mobile devices. It is believed that this spyware was Pegasus, originating from the same Israel-based NSO Group as the 2016 attacks. While WhatsApp issued a warning to all 1.5 billion of its users to update to the latest version of the app soon after the discovery was made, the attack served as a shocking demonstration of the sophistication of modern malware and its ability to compromise even the most popular and most trusted brands, like Apple and WhatsApp.

ZipperDown

Another of the most infamous instances of Advanced Mobile Malware is the ZipperDown vulnerability discovered in 2018. It is widely thought, and advertised, that Apple products are indestructible when it comes to malicious software. This was proven wrong, however, when 10% of the App Store apps tested by Pangu Lab were found to contain a vulnerability that allowed cybercriminals to take advantage of a flaw in Apple’s iOS code.

ZipperDown relies on two key factors to operate: the absence of an app sandbox and a connection to a compromised network. As we mentioned above, sandboxing is a security feature that confines an app’s activity to a designated area. The privileges of a sandboxed app are limited to its intended functionality, and access to content is only permitted from pre-approved resources. This greatly increases the difficulty for malicious software to compromise the device; however, as it is not a requirement for all apps in the App Store, some apps are left less secure than others, exposing users to significant risk.

The second factor in a ZipperDown attack is a compromised network, which in this case means an unsecured Wi-Fi network that anyone can connect to, such as those commonly found in coffee shops, hotels and airports. Once connected to the same unsecured network, the attacker can reach the device and look for an app that is not sandboxed. When one is located, the attacker simply replaces a small .zip file buried in the app’s directory with a malicious file of their own, which then gives them the ability to execute arbitrary code, gaining full access to the iPhone and to its content. The flaw was believed to reside in almost 16,000 iOS apps that had been downloaded over 100 million times, with popular apps like Instagram, Dropbox and Amazon all thought to have been affected at the time of discovery.
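The ZipperDown scenario above hinges on an app trusting an archive it fetched over a network that an attacker controls. The added example below (not from the original post, and not code from any affected app) shows the defensive check that breaks that chain: the app ships a pinned SHA-256 digest of the archive it expects and refuses to unpack anything that does not match, so a .zip swapped in transit is discarded rather than extracted. The archives and the `strings.json`/`payload.bin` file names are constructed for the demo.

```python
import hashlib
import hmac
import io
import tempfile
import zipfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict) -> bytes:
    """Build a small in-memory archive (constructed sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def verify_and_extract(archive: bytes, expected_sha256: str, dest: str) -> bool:
    """Extract only if the archive matches the digest pinned in the app build.

    Returns True when the archive was accepted and unpacked, False when it was
    rejected. Any byte changed by an on-path attacker changes the digest.
    """
    actual = sha256_hex(archive)
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, expected_sha256):
        return False
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
    return True


def demo() -> dict:
    """Run the genuine and the swapped archive through the same check."""
    genuine = build_zip({"strings.json": b'{"greeting": "hello"}'})
    pinned = sha256_hex(genuine)  # known at build time, not fetched at runtime
    swapped = build_zip({"strings.json": b'{"greeting": "hello"}',
                         "payload.bin": b"\x00\x01\x02"})
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["genuine_accepted"] = verify_and_extract(genuine, pinned, d)
        results["genuine_files"] = sorted(p.name for p in Path(d).iterdir())
    with tempfile.TemporaryDirectory() as d:
        results["swapped_accepted"] = verify_and_extract(swapped, pinned, d)
        results["swapped_files"] = sorted(p.name for p in Path(d).iterdir())
    return results
```

A pinned digest only works for content fixed at build time; for archives that legitimately change, the same pattern applies with a signature from a key the app embeds, verified before anything is written to disk.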

So what can we do?

Advanced Mobile Malware is a constantly developing threat to mobile devices. As technology improves, so too do the techniques and attacks used by hackers to infect our devices and steal our data. However, there are a number of steps we can take to ensure the safety of our devices.

Following the advice of device manufacturers and app developers is a key aspect of securing mobile devices. As the Pegasus case shows, updating to the latest OS and app versions ensures that devices benefit from the latest security features and vulnerability patches. It is reported that approximately one third of iOS devices and over half of Android devices are running an old version of their operating system. These out-of-date versions make users increasingly susceptible to malware attacks.

As with social engineering attacks, education and awareness can greatly improve users’ defences against Advanced Mobile Malware. Actions such as downloading apps from unapproved or third-party app stores, clicking on links or files received in unsolicited or suspicious messages, or connecting to unsecured Wi-Fi networks can be extremely risky, and it is essential for all employees to understand this. Employee training in recognising and reacting to trends and cyberattacks such as these has become a crucial element of most modern workplaces.

Finally, the need for external mobile security software has become increasingly clear as malware attacks become more advanced and harder to spot. To counter the inevitability of human error, solutions like Corrata Security and Control use machine learning to monitor network traffic, device behaviour and security settings, detecting malware and protecting the mobile endpoint in real time. Unlike other solutions, Corrata’s vision is to act as an immune system for mobile, blocking connections to suspicious hosts and preventing malware from ever infecting the device, rather than merely responding to an attack after the fact.


To find out more about how Corrata Security and Control can protect your mobile fleet from Advanced Mobile Malware, Social Engineering and other mobile threats, visit www.corrata.com.

For more industry news, insights and analysis – follow us on Twitter and LinkedIn!