Understanding Malware Part 2 – What is Advanced Mobile Malware?
Mobile Malware is becoming more prevalent and dangerous as hackers switch tactics
As users steadily move away from desktop to mobile devices, it makes sense that hackers will also switch tactics. More and more people are carrying out sensitive tasks on mobile, so mobile-specific threats are becoming a major concern. Mobile malware, in its many different forms and distribution platforms, is one of the most dangerous of these threats. Last week we detailed the risk of social engineering malware – what it is, the different types, and how to avoid it.
Now, let’s take a deeper look at the other main type of malicious software targeting mobile devices: Advanced Mobile Malware. Social engineering preys on and manipulates individual users to distribute malicious code or gather information. Advanced Mobile Malware exploits unpatched vulnerabilities in the underlying operating system of the device. This allows it to compromise all of the mobile device’s contents and operations. So, how do cyber attackers penetrate devices and what can we do to prevent them?
One of the most high-profile Advanced Mobile Malware attacks came to light in 2016 when a targeted spyware attack sent via SMS exploited three zero-day vulnerabilities on iOS devices. The attack began as a simple phishing campaign. The hacker sent the victim an SMS message containing a link and convinced them to click. This malicious link would then take advantage of three vulnerabilities (nicknamed ‘Trident’) found in the iOS software to install malware (dubbed ‘Pegasus’) and jailbreak the device. The attacker would then gain full read/write privileges on the device. They would add surveillance software to access messages, calls, emails, and end-to-end encrypted apps to collect sensitive information. Apple were quick to issue patches for all three of the vulnerabilities once they noticed the attack. However, the hackers had been successful in compromising a number of iOS devices in that short time frame.
In May 2019, it was discovered that attackers had leveraged a bug in the audio call feature of the popular messaging app WhatsApp to inject spyware onto mobile devices. People speculate that the spyware was Pegasus, originating from the same Israel-based NSO Group as the 2016 attacks. Afterwards, WhatsApp issued a warning to all 1.5 billion users to update to the latest version of the app. This attack served as a shocking demonstration of the dangers of modern malware. It also emphasizes that hackers can compromise even the most popular and most trusted brands, like Apple and WhatsApp.
Another of the most infamous instances of Advanced Mobile Malware is the ZipperDown vulnerability discovered in 2018. People assume that Apple products are indestructible when it comes to malicious software. This was proven wrong, however, when 10% of the App Store apps tested by Pangu Lab were found to contain a vulnerability which allowed cyber criminals to take advantage of a flaw in Apple’s iOS code.
ZipperDown relies on two key factors to operate: the absence of an app sandbox and a connection to a compromised network. As mentioned previously, sandboxing is a security feature that contains an app’s communication to a specified area. Sandboxed apps only permit content from pre-approved resources. This greatly increases the difficulty for malicious software to compromise the device. However, as sandboxing is not a requirement in the App Store, some apps are less secure than others, putting users at significant risk.
The second factor for a ZipperDown attack is a compromised network. This refers to an unsecured Wi-Fi network such as those commonly found in coffee shops, hotels and airports. Once the victim connects to an unsecured network, the attacker can access the device and look for an app that is not sandboxed. When one is located, the attacker simply replaces a small .zip file in the app’s directory with their malicious file. This gives them the ability to execute arbitrary code, gaining full access to the iPhone and the ability to do whatever they wish with its content. The flaw was believed to reside in almost 16,000 iOS apps that had been downloaded over 100 million times, with popular apps like Instagram, Dropbox, and Amazon all thought to have been affected at the time of discovery.
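A defender-side counterpart to the archive substitution described above, written for this post as an added example (it is not Corrata's code and not ZipperDown's actual fix): the app pins the SHA-256 of the archive it shipped with and refuses to unpack anything whose digest differs or whose entries would land outside the app's own directory. The sample archives, the pinned digest and the function names are constructed for illustration.

```python
import hashlib
import hmac
import io
import posixpath
import tempfile
import zipfile

def build_zip(entries):
    # Build an in-memory zip from {name: bytes}; used only to construct samples.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: the archive the app expects, and a substituted copy of it.
GOOD_ZIP = build_zip({"strings.json": b'{"greeting": "hello"}'})
SWAPPED_ZIP = build_zip({"strings.json": b'{"greeting": "hello"}', "extra.bin": b"\x00"})
# Assumption: the expected digest is pinned in the app at build time, so nothing
# received over the network (or written into the app directory) can redefine "valid".
PINNED_SHA256 = hashlib.sha256(GOOD_ZIP).hexdigest()

def check_archive(zip_bytes, expected_sha256):
    """Return (ok, reason): reject a digest mismatch before reading any entry,
    then reject entries that would land outside the app's own directory."""
    actual = hashlib.sha256(zip_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return False, "digest mismatch"
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                return False, "entry escapes app directory: " + name
    return True, ""

def verify_and_extract(zip_bytes, expected_sha256, dest_dir):
    """Unpack into dest_dir only after check_archive passes; return names written."""
    ok, _ = check_archive(zip_bytes, expected_sha256)
    if not ok:
        return []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()

def run_demo():
    # The swapped archive fails the digest check and is never unpacked.
    dest = tempfile.mkdtemp()
    return {"good": verify_and_extract(GOOD_ZIP, PINNED_SHA256, dest),
            "swapped": verify_and_extract(SWAPPED_ZIP, PINNED_SHA256, dest)}
```

The same pattern applies to any resource an app reloads from its own directory: the trust decision must rest on something the attacker cannot rewrite along with the file.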
So what can we do?
Advanced Mobile Malware is a constantly developing threat for mobile devices. As technology improves, so too do the techniques and the attacks used by hackers to infect our devices. However, there are a number of steps that we can take to ensure the safety of our devices.
Following the advice of device and app developers is a key aspect of securing mobile devices. Updating to the latest OS and app versions ensures that devices have the latest security features and vulnerability patches. Reports suggest that one third of iOS devices and over half of Android devices are running an old version of their operating system. These out-of-date versions make users increasingly susceptible to malware attacks.
As with social engineering attacks, education and awareness can greatly improve user defenses against Advanced Mobile Malware. Actions such as downloading apps from unapproved or third-party app stores, clicking on links or files received in suspicious messages, or connecting to unsecured Wi-Fi networks can be extremely risky, and it is essential for all employees to understand this. Therefore, employee training in recognizing and reacting to current threats and cyberattacks is crucial.
Finally, the need for external mobile security software is evident as malware attacks become more advanced and harder to spot. To safeguard against human error, solutions like Corrata Security and Control use machine learning technology. This allows Corrata to protect the mobile endpoint from malware in real time. Corrata acts as an immune system for mobile, blocking connections to suspicious hosts and preventing malware from infecting the device.
To find out more about Corrata Security and Control visit www.corrata.com.