ONG HOWE SHANG, KOH JYE YIING: Mobile Security - Malwares

Cp3201 mobile security final


Page 1: Cp3201 mobile security final

ONG HOWE SHANG, KOH JYE YIING

Mobile Security - Malwares

Page 2: Cp3201 mobile security final

Agenda

Current Trends

Threats:
• Denial of Service to VoIP
• Bluetooth Hacking
• SMS viruses
• Man-in-mobile attacks
• Mobile eavesdropping
• Data Theft

Mobile Viruses:
• Soundminer
• Zeus
• Geinimi

Solutions

Page 3: Cp3201 mobile security final

Current Trends

Increasing number of mobile phone user-base

Capabilities of smart phones:
• mCommerce
• Mobile vouchers, coupons and loyalty cards
• Mobile marketing and advertising
• Mobile browsing
• mWallets
• Mobile identity

Page 4: Cp3201 mobile security final

Current Trends

Growth of smartphone market:

Source taken from M86 Security Labs: Threat Predictions 2011

Page 5: Cp3201 mobile security final

Current Trends

More than a million mobile apps available and one billion smartphones in circulation

No mandatory information security regulations

Factors for the increase in mobile malware: mobile devices are becoming gold mines for storing, collecting and transmitting confidential data. Mobile banking and NFC-enabled payments (online banking transactions) are beginning to be targeted by cybercriminals.

Page 6: Cp3201 mobile security final

Current Trends

Growth of mobile malware:

Source taken from Malware goes Mobile, November 2006

Page 7: Cp3201 mobile security final

Cases and Incidents

Case 1: In late September 2010, ZeuS was released to steal financial credentials. The virus can infect the mobile device and sniff all the SMS messages.

Case 2: On 4th October 2010, a 3rd iteration of the “FakePlayer” SMS Trojan was released for Android mobile phones.

Page 8: Cp3201 mobile security final

Cases and Incidents

Case 3:

Page 9: Cp3201 mobile security final

Cases and Incidents

Case 4: At the end of 6 October, a Firefox plugin named “Firesheep” was released to conduct “sidejacking”, stealing session cookies.

This is critical when users use iPads and mobiles to access the web through public Wi-Fi hotspots.

Page 10: Cp3201 mobile security final

Cases and Incidents

Case 5: Identity theft, stalking and bullying

Page 11: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 12: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 13: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 14: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 15: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 16: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 17: Cp3201 mobile security final

Story on how the mobile virus spreads

Page 18: Cp3201 mobile security final

The Changing Threat Environments

Page 19: Cp3201 mobile security final

Threat: Denial of service to VoIP

Tom Cross (X-Force Researcher, IBM Internet Security Systems) said:

“Criminals know that VoIP can be used in scams to steal personal and financial data, so voice spam and voice phishing are not going away.”

Page 20: Cp3201 mobile security final

Threat: Denial of service to VoIP

People are trained to enter social security numbers, credit card numbers and bank account numbers over the phone.

Criminals will exploit this social conditioning to perpetrate voice phishing and identity theft.

Customers demand better availability from phone service than they would from an ISP.

The threat of a DoS attack might compel carriers to pay out on a blackmail scam.

Page 21: Cp3201 mobile security final

Threat: SMS Viruses

Known as the ‘SMS of death’, it threatens to disable many Sony Ericsson, Samsung, Motorola, Micromax and LG mobile phones.

Its payload? A simple malicious text or MMS message which it sends.

What does it result in? Crashing of mobile phones. Some of the bugs discovered have the potential to cause problems for entire mobile networks.

Page 22: Cp3201 mobile security final

Threat: SMS Viruses

iPhone SMS attack: a series of malicious SMS messages gives a way to crash the iPhone via SMS, and the researcher who found it thought that the crash could ultimately lead to working attack code.

It results from a bug in the iPhone iOS software that could let hackers take over the iPhone just by sending an SMS message.

Page 23: Cp3201 mobile security final

Threat: Man-in-mobile attacks

Man-in-mobile works by

Page 24: Cp3201 mobile security final

Threat: Mobile eavesdropping

FBI taps cell phone mic as eavesdropping tool.

The technique is called a "roving bug". It was used against members of a crime family who were wary of conventional surveillance techniques such as tailing a suspect or wiretapping him.

It "functioned whether the phone was powered on or off."

Page 25: Cp3201 mobile security final

Threat: Data Theft

Data theft is the leaking of information stored on mobile phones. Stolen? Remember this story from just now?

A solution lies in TenCube’s WaveSecure.

Page 26: Cp3201 mobile security final

Threat: Mobile Malware

Smart phones are being “attacked” by malicious software which could severely threaten both the users and the usefulness of the phone.

Malwares: Cabir

Infects Symbian OS mobile phones. An infected phone displays the message 'Caribe’. The worm attempts to spread to other phones via wireless Bluetooth signals.

Page 27: Cp3201 mobile security final

Threat: Mobile Malware

Skulls: Infects all types of mobile phones. The Trojan replaces all phone desktop icons with images of a skull.

Renders all applications

Page 28: Cp3201 mobile security final

Threat: Mobile Malware

CommWarrior: First worm to use MMS messages in order to spread to other devices. Infects devices running Symbian OS Series 60. Also spreads through Bluetooth.

ZeuS Mitmo: Steals usernames and passwords by injecting HTML or adding fields using JavaScript.

Page 29: Cp3201 mobile security final

Agenda

Current Trends

Cases and Incidents

Threats:
• Denial of Service to VoIP
• Bluetooth Hacking
• SMS viruses
• Man-in-mobile attacks
• Mobile eavesdropping
• Data Theft

Mobile Viruses:
• Soundminer
• Zeus
• Geinimi

The difference between Apple and Android’s security models

Solutions


Page 31: Cp3201 mobile security final

Taking a closer look at the viruses we’ve been studying

Page 32: Cp3201 mobile security final

Geinimi and ZeuS in the news

Page 33: Cp3201 mobile security final

Geinimi in the news

Page 34: Cp3201 mobile security final

Geinimi

Geinimi is a Trojan affecting Android devices, emerging through third-party application sources. Geinimi means “give you rice” (Ghay-knee-mē) in Chinese, which is essentially slang for “give you money”.

Geinimi can:
• Read and collect SMS messages
• Send and delete selected SMS messages
• Pull all contact information and send it to a remote server (number, name, the time they were last contacted)
• Place a phone call
• Silently download files
• Launch a web browser with a specific URL

Page 35: Cp3201 mobile security final

ZeuS

Malicious users weren’t interested in all of the text messages, just the ones that contained authentication codes for online banking transactions.

The attack’s set-up shows that malicious users are constantly broadening their interests. Prior to this, text message authentication was a reliable safeguard for online banking transactions.

Now, malicious users have found a way to bypass even this level of security.

Page 36: Cp3201 mobile security final

ZeuS SymbOS/Zitmo.A = SMS Viruses

SMS viruses are part of the Zeus Trojan’s payload, called SymbOS/Zitmo.A. It is implemented for:
• Gathering information from victims, so that a targeted download link can be sent to them
• Forwarding the mTAN SMS messages sent from an infected user’s bank to an attacker
• Letting the attacker change which numbers are monitored by the spyware, in order to go after specific banks

Page 37: Cp3201 mobile security final

SymbOS/Zitmo.A

What we find interesting is that the SymbOS/Zitmo.A virus is great at avoiding detection!

SymbOS/Zitmo.B process running on a Symbian phone. The spyware does not show a GUI.

MSIL/Zitmo.B running on device. The spyware does not show a GUI.

Page 38: Cp3201 mobile security final

The bank (account) robbers have not stopped at their first mobile spyware attempt. This time around the thieves went after bank accounts in Poland.

They created the latest update: MSIL/Zitmo.B, which works on Windows Mobile or other .NET Compact Framework devices, and SymbOS/Zitmo.B.

Latest news on SymbOS/Zitmo.A

Page 39: Cp3201 mobile security final

How ZeuS SymbOS/Zitmo.A works (1)

1. The Trojan asks for new details on the banking website: mobile vendor, model, phone number

2. An SMS is sent to the mobile device with a link to download

http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

Page 40: Cp3201 mobile security final

How ZeuS SymbOS/Zitmo.A works (2)

3. A backdoor is installed to receive commands via SMS

4. Commands are sent to carry out SMS attacks for the attacker’s own profit (SMS charges)

Page 41: Cp3201 mobile security final

Now to watch the Soundminer demo

Page 42: Cp3201 mobile security final

Soundminer (1)

Low-profile Trojan horse virus for Android OS. Steals data => unlikely to be detected.

Soundminer:
• Monitors phone calls
• Records credit card numbers
• Uses various analysis techniques
• Trims the extraneous recorded information down to the essential credit card number
• Sends the information back to the attacker over the network

Page 43: Cp3201 mobile security final

Soundminer (2)

Designed to ask for as few permissions as possible

Soundminer is paired with a separate Trojan, Deliverer => responsible for sending the information

Android OS security mechanisms could prevent communication between applications

Communicates via “covert channels”: vibration settings

Page 44: Cp3201 mobile security final

Soundminer (3)

Encodes sensitive data in the form of vibration settings

Unlikely to raise suspicion. Two antivirus programs, VirusGuard and AntiVirus, both failed to identify Soundminer as malware.

Study by Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia and XiaoFeng Wang called “Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones”

Page 45: Cp3201 mobile security final

iOS and Android’s Security Models

Page 46: Cp3201 mobile security final

Security Models: iOS vs Android

iPhone security:
• Lack of application choice
• All applications loaded through the App Store
• Uses human review, static and dynamic analysis
• Runs Code Signing Enforcement

Android:
• Allows users to load software from untrusted sources
• Can't rely on external review processes
• You can simply execute the injected shell code

Page 47: Cp3201 mobile security final

Security Models: iOS vs Android

iPhone security:
• Runs all applications as the same user
• Utilizes a kernel-level access control called "SeatBelt”
• iPhone ‘kill switch’

Android:
• Security model is "collapsed" onto the phone
• Applications request permissions to perform tasks
• Over-air general kill switch

Page 48: Cp3201 mobile security final

iPhone security:
• A non-jailbroken iPhone is safer from malicious software due to the rigorous screening processes
• The iPhone is probably the softer target
• Takes on “Prevention is better than cure”
• Like a “kia-su” overly concerned parent of a very young baby

Android:
• Will be exposed to malicious software
• It is more difficult to break a fully patched Android phone
• Security model is more catered to geeks as a whole as it
• Like a parent of a teenager, giving them the freedom to make their own choices and mistakes

Page 49: Cp3201 mobile security final

Security Models: iOS vs Android

Trend Micro believes the iOS security model is better

Page 50: Cp3201 mobile security final

Security Models: iOS vs Android

Many believe the iOS security model is better just because Android’s model is receiving a lot of bad press.

Page 51: Cp3201 mobile security final

Solutions we believe to be useful for Android

Page 52: Cp3201 mobile security final

Solutions (1)

• Either create a strict app filtering process like Apple’s App Store does, or create a market crawling tool to look for potentially malicious apps

• With more granular permissions, all the viruses could be prevented, or at least disclosed to the user at install time

• Sandboxing to the rescue: browser → still a big deal; media player → not catastrophic

• Crowd-sourcing → getting people to report
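As an added illustration of the “market crawling tool” idea above (our own example, not code from the presentation), the script below parses an app’s AndroidManifest.xml and scores the permission combinations that enable the behaviours this deck attributes to Geinimi and Zitmo: reading and forwarding SMS (mTAN interception), sending SMS, harvesting contacts and placing calls. The rule names, scores and both manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical rules (our own, not an official scheme): permission sets that
# together enable a behaviour the deck attributes to Geinimi or Zitmo.
RISK_RULES = {
    "sms_interception": ({"android.permission.RECEIVE_SMS"}, 3),
    "sms_exfiltration": ({"android.permission.READ_SMS",
                          "android.permission.INTERNET"}, 4),
    "premium_sms_fraud": ({"android.permission.SEND_SMS"}, 2),
    "contact_harvesting": ({"android.permission.READ_CONTACTS",
                            "android.permission.INTERNET"}, 3),
    "silent_dialing": ({"android.permission.CALL_PHONE"}, 2),
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def assess(manifest_xml: str) -> dict:
    """Return the rules that fire for this manifest and a summed risk score."""
    perms = requested_permissions(manifest_xml)
    fired = [name for name, (needed, _) in RISK_RULES.items() if needed <= perms]
    return {"rules": fired, "score": sum(RISK_RULES[n][1] for n in fired)}

# Constructed sample: the permission footprint of a Geinimi-like Trojan.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""

# Constructed sample: a media player that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(manifest))  # suspect scores 14, benign scores 0
```

A real crawler would pull the manifest out of each downloaded APK (it is stored binary-encoded inside the archive) and rank apps by score for a human reviewer; the scoring logic stays the same.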

Page 53: Cp3201 mobile security final

Solutions (2)

• Protection is system-level, not app-level. This is bad considering the proliferation of rooted phones. Combined with the 24 hour refund, we are likely to see pirated apps distributed in the near future

• Third-party protection is available, e.g. SlideLock and Lookout

Page 54: Cp3201 mobile security final

Back to the iPhone vs Android security models

Mobile security is a delicate balance: restricted vs. open platforms.

• Allow self-signed apps?
• Allow non-official app repositories?
• Allow free interaction between apps?
• Allow users to override security settings?
• Allow users to modify system/firmware?

Financial motivations

Page 55: Cp3201 mobile security final

Some Simple Tips And Tricks

1. Do not use any device infected with malware for exchanging data.

2. De-activate Bluetooth after using it.

3. De-activate your infrared function.

4. After you register on some sites, those sites send a confirmation or verification message to your mobile phone. Always check whether a web site is safe before registering on it, and only then click OK.

5. While saving data, check it with antivirus software.

6. Ignore SMS messages if you don’t know the sender.

7. Use mobile antivirus.

Page 56: Cp3201 mobile security final

Future Concerns?

Attack during a mobile firmware update: the firmware loaded into the phone carries a “preloaded” virus.

Crackers → hack the source servers, or use a man-in-mobile attack.

Page 57: Cp3201 mobile security final

Future Concerns?

Page 58: Cp3201 mobile security final

"THERE IS NO SECURITY ON THIS EARTH, THERE IS ONLY OPPORTUNITY" - GENERAL DOUGLAS MACARTHUR (1880-1964)

Both Jye Yiing and myself would like to thank you for listening!

Page 59: Cp3201 mobile security final

Thank you for listening! Any Questions?