Cp3201 mobile security final


Ong Howe Shang, Koh Jye Yi Ing

Mobile Security - Malware

Agenda

Current Trends

Threats:
• Denial of Service to VoIP
• Bluetooth Hacking
• SMS viruses
• Man-in-mobile attacks
• Mobile eavesdropping
• Data Theft

Mobile Viruses:
• Soundminer
• ZeuS
• Geinimi

Solutions

Current Trends

Increasing size of the mobile phone user base

Capabilities of smart phones:
• mCommerce
• Mobile vouchers, coupons and loyalty cards
• Mobile marketing and advertising
• Mobile browsing
• mWallets
• Mobile identity

Current Trends

Growth of smartphone market (chart):

Source taken from M86 Security Labs: Threat Predictions 2011

Current Trends

More than a million mobile apps are available and one billion smartphones are in circulation

No mandatory information security regulations

Factors for the increase in mobile malware: mobile devices are becoming gold mines for storing, collecting and transmitting confidential data. Mobile banking and NFC-enabled payments (online banking transactions) are beginning to be targeted by cybercriminals.

Current Trends

Growth of mobile malware (chart):

Source taken from Malware Goes Mobile, November 2006

Cases and Incidents

Case 1:

In late September 2010, ZeuS was released to steal financial credentials. The virus can infect the mobile device and sniff all the SMS messages.

Case 2: On 4th October 2010, a 3rd iteration of the “FakePlayer” SMS Trojan was released for Android mobile phones.

Cases and Incidents

Case 3:

Cases and Incidents

Case 4:

End of 6 October, a Firefox plugin named “Firesheep” was released to conduct “sidejacking”, stealing session cookies.

This is critical when users access the web from iPads and mobile phones through public Wi-Fi hotspots.
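Sidejacking only works because the session cookie travels in clear text over the hotspot. The following added example (not part of the original slides) shows the server-side check a defender would run: it parses Set-Cookie headers and flags session-like cookies that lack the Secure attribute, which is what allows a browser to send them over plain http://. The header values and the SESSION_HINTS heuristic are constructed for illustration.

```python
"""Audit Set-Cookie headers for the weakness that Firesheep-style sidejacking relies on.

Added example, not from the original slides.  A session cookie without the
`Secure` attribute is sent in clear text whenever the browser makes a plain
http:// request to the site, so a passive sniffer on an open Wi-Fi hotspot can
capture and replay it.  HttpOnly and HSTS are reported as secondary findings.
The sample headers below are constructed, not captured from any real site.
"""

# Name fragments that usually indicate a session or authentication cookie
# (assumption: a simple heuristic, not a standard).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into its name, value and attribute map.

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_session(name: str) -> bool:
    """Return True if the cookie name suggests it carries a session or auth token."""
    lower = name.lower()
    return any(hint in lower for hint in SESSION_HINTS)


def audit_cookies(set_cookie_headers, hsts_present: bool) -> list:
    """Return (cookie_name, finding) pairs for session-like cookies and the site."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie["name"]):
            continue
        if "secure" not in cookie["attrs"]:
            findings.append((cookie["name"],
                             "missing Secure: sent in clear over http://, sniffable on open Wi-Fi"))
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"],
                             "missing HttpOnly: readable by page script, exposed by XSS"))
    if not hsts_present:
        findings.append(("*", "no Strict-Transport-Security: the browser may still start with http://"))
    return findings


# Constructed sample response headers for the demonstration.
CONSTRUCTED_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",        # weak: no Secure attribute
    "auth_token=xyz789; Path=/; Secure; HttpOnly",  # hardened
    "lang=en; Path=/",                           # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, message in audit_cookies(CONSTRUCTED_HEADERS, hsts_present=False):
        print(f"{name}: {message}")
```

Run against a real site's response headers, only the Secure finding is the sidejacking issue; the HttpOnly and HSTS lines are the related hardening a reviewer would ask for at the same time.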

Case 5: Identity theft, stalking and bullying

Cases and Incidents

Story on how the mobile virus spreads



The Changing Threat Environments

Threat: Denial of service to VoIP

Tom Cross (X-Force Researcher, IBM Internet Security Systems) said:

“Criminals know that VoIP can be used in scams to steal personal and financial data so voice spam and voice phishing are not going away”

Threat: Denial of service to VoIP

People are trained to enter social security numbers, credit card numbers and bank account numbers over the phone.

Criminals will exploit this social conditioning to perpetrate voice phishing and identity theft.

Customers demand better availability from phone service than they would from an ISP.

The threat of a DoS attack might compel carriers to pay out on a blackmail scam.

Threat: SMS Viruses

Known as the ‘SMS of death’. Threatens to disable many Sony Ericsson, Samsung, Motorola, Micromax and LG mobile phones.

Its payload? Simple malicious text or MMS messages, which it sends.

What does it result in? Crashing of mobile phones. Some of the bugs discovered have the potential to cause problems for entire mobile networks.


Threat: SMS Viruses

iPhone SMS attack: a series of malicious SMS messages - a way to crash the iPhone via SMS, and he thought that the crash could ultimately lead to working attack code.

It results from a bug in the iPhone iOS software that could let hackers take over the iPhone just by sending out an SMS message.

Threat: Man-in-mobile attacks

Man-in-mobile works by

Threat: Mobile eavesdropping

FBI taps cell phone mic as eavesdropping tool

The technique is called a "roving bug". It was used against members of a crime family who were wary of conventional surveillance techniques such as tailing a suspect or wiretapping him.

It "functioned whether the phone was powered on or off."

Threat: Data Theft

Data theft is the leaking of information stored on mobile phones. Stolen! Remember this story from just now?

Solution lies in TenCube’s WaveSecure

Threat: Mobile Malware

Smart phones are being “attacked” by malicious software which could severely threaten both the users and the usefulness of the phone.

Malware: Cabir
• Infects Symbian OS mobile phones
• Infected phone displays the message 'Caribe'
• The worm attempts to spread to other phones via wireless Bluetooth signals

Threat: Mobile Malware

Skulls:
• Infects all types of mobile phones
• Trojan virus replaces all phone desktop icons with images of a skull
• Renders all applications

Threat: Mobile Malware

CommWarrior:
• First worm to use MMS messages in order to spread to other devices
• Infects devices running Symbian OS Series 60
• Spreads through Bluetooth

ZeuS Mitmo:
• Steals usernames and passwords
• Injects HTML or adds fields using JavaScript

Agenda

Current Trends

Cases and Incidents

Threats:
• Denial of Service to VoIP
• Bluetooth Hacking
• SMS viruses
• Man-in-mobile attacks
• Mobile eavesdropping
• Data Theft

Mobile Viruses:
• Soundminer
• ZeuS
• Geinimi

The difference between Apple and Android’s security model

Solutions


Taking a closer look at the viruses we’ve been studying

Geinimi and ZeuS in the news

Geinimi in the news

Geinimi

Geinimi is a Trojan affecting Android devices, emerging through third-party application sources. Geinimi means “give you rice” (Ghay-knee-mē) in Chinese, which is essentially slang for “give you money”.

Geinimi can:
• Read and collect SMS messages
• Send and delete selected SMS messages
• Pull all contact information and send it to a remote server (number, name, the time they were last contacted)
• Place a phone call
• Silently download files
• Launch a web browser with a specific URL

ZeuS

Malicious users weren’t interested in all of the text messages, just the ones that contained authentication codes for online banking transactions.

The attack’s set-up shows that malicious users are constantly broadening their interests. Prior to this, text message authentication was a reliable form of authentication for online banking transactions.

Now, malicious users have found a way to bypass even this level of security.

ZeuS SymbOS/Zitmo.A = SMS Viruses

SMS viruses are part of the ZeuS Trojan’s payload, called SymbOS/Zitmo.A:
• Implemented for gathering information from victims so it could send a targeted download link to them
• Sends the mTAN SMS messages sent from an infected user’s bank to an attacker
• The attacker could then change what numbers were monitored by the spyware to go after specific banks

SymbOS/Zitmo.A

What we find interesting is that the SymbOS/Zitmo.A virus is great at avoiding detection!

(Screenshot) SymbOS/Zitmo.B process running on a Symbian phone. The spyware does not show a GUI.

(Screenshot) MSIL/Zitmo.B running on a device. The spyware does not show a GUI.

The bank (account) robbers have not stopped at their first mobile spyware attempt. This time around the thieves went after bank accounts in Poland.

They created the latest update: MSIL/Zitmo.B, which works on Windows Mobile or other .NET Compact Framework devices, and SymbOS/Zitmo.B.

Latest news on SymbOS/Zitmo.A

How does ZeuS SymbOS/Zitmo.A work? (1)

1. The Trojan asks for new details on the website: mobile vendor, model, phone number

2. It sends an SMS to the mobile device with a link to download

http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

How does ZeuS SymbOS/Zitmo.A work? (2)

3. A backdoor is installed to receive commands via SMS

4. Commands are sent for SMS attacks for the attacker’s own profit (SMS charges)

Now to watch the Soundminer demo

Soundminer (1)

Low-profile Trojan horse virus for Android OS. Steals data => unlikely to be detected.

Soundminer:
• Monitors phone calls
• Records credit card numbers
• Uses various analysis techniques
• Trims the extraneous recorded information down to the essential credit card number
• Sends the information back to the attacker over the network

Soundminer (2)

Designed to ask for as few permissions as possible

Soundminer is paired with a separate Trojan, Deliverer => responsible for sending the information

Android OS security mechanisms could prevent communication between applications

Communicates via “covert channels”, such as vibration settings

Soundminer (3)

Encodes sensitive data in the form of vibration settings

Unlikely to raise suspicion: two antivirus programs, VirusGuard and AntiVirus, both failed to identify Soundminer as malware

Study by Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang called Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones

iOS and Android’s Security Models

Security Models: iOS vs Android

iPhone security:
• Lack of application choice
• All applications loaded through the App Store
• Uses human review, static and dynamic analysis
• Runs Code Signing Enforcement

Android:
• Allows users to load software from untrusted sources
• Can't rely on external review processes
• You can simply execute the injected shell code

Security Models: iOS vs Android

iPhone security:
• Runs all applications as the same user
• Utilizes a kernel-level access control called "SeatBelt"
• iPhone ‘kill switch’
• A non-jailbroken iPhone is safer from malicious software due to the rigorous screening processes
• The iPhone is probably the softer target
• Takes on the “Prevention is better than cure” approach
• Like a “kia-su” overly concerned parent of a very young baby

Android:
• Security model is "collapsed" onto the phone
• Applications request permissions to perform tasks
• Over-the-air general kill switch
• Will be exposed to malicious software
• It is more difficult to break a fully patched Android phone
• Security model is more catered to geeks as a whole as it
• Like a parent of a teenager, giving them the freedom to make their own choices and mistakes

Security Models: iOS vs Android

Trend Micro believes the iOS security model is better

Security Models: iOS vs Android

Many believe the iOS security model is better just because Android’s model is receiving a lot of bad press.

Solutions we believe to be useful for Android

Solutions (1)

• Either create a strict app filtering process like Apple’s App Store does, or create a market crawling tool to look for potentially malicious apps

• With more granular permissions, all the viruses could be prevented, or at least disclosed to the user at install time

• Sandboxing to the rescue: browser → still a big deal; media player → not catastrophic

• Crowd-sourcing → getting people to report
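The "market crawling tool" and "disclosed to the user at install time" ideas both reduce to looking at what an app asks for before it runs. The added example below (not from the slides, and not any real market scanner) parses a constructed AndroidManifest.xml and flags permission combinations matching the capabilities the slides attribute to Geinimi (read and send SMS, harvest contacts, talk to a remote server) and Zitmo (forward mTAN SMS, send SMS for the attacker's profit). The permission names are real Android constants; the rules, the finding text and the sample package are my own assumptions.

```python
"""Static permission-combination check for an Android manifest.

Added example, not from the original slides.  It reads the <uses-permission>
entries of an AndroidManifest.xml and reports combinations that together give
an app the data-theft capabilities discussed above.  A single permission such
as INTERNET is harmless on its own; it is the combination with an SMS or
contacts permission that makes exfiltration possible.  The rule set below is
an assumption for illustration, not an official or complete list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree spelling of android:name
P = "android.permission."

# (set of permissions that must all be requested, finding to report)
RULES = [
    ({P + "RECEIVE_SMS", P + "INTERNET"},
     "can intercept incoming SMS (e.g. banking mTAN codes) and relay them to a server"),
    ({P + "READ_SMS", P + "INTERNET"},
     "can read stored SMS and upload them"),
    ({P + "READ_CONTACTS", P + "INTERNET"},
     "can harvest the contact list and upload it"),
    ({P + "SEND_SMS"},
     "can send SMS silently, including to premium-rate numbers"),
    ({P + "RECORD_AUDIO", P + "READ_PHONE_STATE"},
     "can detect an active call and record audio during it"),
]


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def flag_permissions(manifest_xml: str) -> list:
    """Return the findings whose required permission set is fully requested."""
    perms = requested_permissions(manifest_xml)
    return [finding for required, finding in RULES if required <= perms]


# Constructed manifest of a hypothetical "wallpaper" app asking for far more
# than a wallpaper needs (package name and permissions are made up).
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Wallpaper"/>
</manifest>
"""

# Constructed manifest of a benign app: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for finding in flag_permissions(CONSTRUCTED_MANIFEST):
        print("WARNING:", finding)
    print("benign app findings:", flag_permissions(BENIGN_MANIFEST))
```

A market crawler would run this over every uploaded APK's manifest and queue the flagged ones for review; an install-time dialog could show the same finding text instead of a bare permission list, which is what "disclosed to the user" needs to be useful.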

Solutions (2)

• Protection is system-level, not app-level: bad considering the proliferation of rooted phones. Combined with the 24-hour refund, we are likely to see pirated apps distributed in the near future

• Third-party protection available, e.g. SlideLock and Lookout

Back to the iPhone vs Android’s security model

Mobile security is a delicate balance: restricted vs. open platforms

• Allow self-signed apps?
• Allow non-official app repositories?
• Allow free interaction between apps?
• Allow users to override security settings?
• Allow users to modify system/firmware?

Financial motivations

Some Simple Tips And Tricks

1. Do not use any device infected with malware for exchanging data.

2. De-activate Bluetooth after using it.

3. De-activate your infrared function.

4. After registering on some sites, those sites send you a confirmation or verification to your mobile phone. Always check whether a web site is safe before registering on it, then click OK.

5. While saving data, check it with antivirus software.

6. Ignore SMS if you don’t know the sender.

7. Use mobile antivirus.

Future Concerns?

Attack during mobile firmware update: firmware loaded into the phone with a “preloaded” virus. Crackers → hack the source servers or use a man-in-mobile attack.

Future Concerns?

"THERE IS NO SECURITY ON THIS EARTH, THERE IS ONLY OPPORTUNITY" - GENERAL DOUGLAS MACARTHUR (1880-1964)

Both Jye Yiing and myself would like to thank you for listening!

Thank you for listening! Any Questions?
