FIREEYE ADVANCED THREAT PROTECTION

Mobile Phone - Smart Doesn't Equal Safe

Matthew WONG - Consulting Engineer of FireEye Hong Kong and Macau


Numbers Show a Harsh Reality

• 2/3 of U.S. firms report that they have been the victim of cybersecurity
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR unique malware since 2009
• 9,000+ malicious websites identified per day
• Every second 14 adults become a victim of cyber crime
• 6.5x number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week


Mobile Blooming Statistics

• Smartphone adoption

- 10x faster than PC revolution in 1980s

- 2x faster than the 1990s Internet boom

- 3x faster than even today’s social networks

• Average of 52% of workers use their personal mobile device for work, 69% in Asia Pacific

• Mobile Malware growth 614% in 2012-2013

• 2/3 of mobile applications in the Google Play store had at least one vulnerability


Mobile Cyber Security Becomes Daily Life


Imagine the Mobile Future


Traditional AV are failing


Mobile Security News – Financial Gain


Mobile Security News – Political Hack


Reusable App Libraries Outsourced app Malicious Building Blocks

App Development


Anatomy of a Mobile Threat

[Diagram. Labels: Benign; Hidden Malicious Behavior; Callback Server; Exfiltration; Battlefield; Enterprise IP; Tracking executive location. Calendar entry shown: "10AM Meeting about Company Acquisition".]

1 Calendar Access
2 Microphone Access
3 Exfiltration
4 The tip of the iceberg

• Transparent SMS
• Call Records
• Video Surveillance
• Root Access
• Fine Grained GPS Location
• History & Bookmarks
• Lateral exploit spread
• Exfiltration of contacts


Mobile App Threat Categories

• Malware
• Vulnerable apps
• Adware
• Apps with undesired/unintended Security Consequences


MisoSMS - Malware

[Diagram labels, in order:]

• Interesting stuff: http://84udjhtg
• SMS phishing
• Uploading SMS
• 360.cn mail service
• Server hosting malicious apk (attacker's server or app store)
• Download MisoSMS


First Mobile Botnet Takedown

• Worked with 360.cn to ban attackers’ email accounts for collecting stolen SMS messages

• From network measurements: almost 200,000 SMS messages were stolen


Detected New Malware on Google Play

● Fake AV apps

● “Anti-Hacker”

– 50,000 downloads

– Less than 800 lines of code


Adware on App Markets

[Bar chart: Adware and Malware percentage per app market (lenovo, nduo, opera, anzhi, pdassi, mumayi, appchina, slideme, hiapk, appsapk); vertical axis 0.00% to 14.00%]

• 6.7% adware in APKs crawled from Google Play in 8 months


Ad Library Prevalent on Google Play: Main Method for Monetization

Ad Library          Usage Count   Percentage
Admob               51176         36.60%
Flurry              15289         10.93%
Millennial Media    7949          5.68%
Chartboost          7517          5.38%
Inmobi              7307          5.23%
Tapjoy              6740          4.82%
Izp                 5917          4.23%
Applift             5187          3.71%
Mopub               4209          3.01%
Revmob              2253          1.61%

Data collected on Google Play apps with 100K+ downloads


Common Ad Lib Sensitive Behaviors

• Collect personal information
– Name, address, age, gender, email address, etc.

• Collect device information
– IMEI, MAC, Android ID, Android version, list of installed apps

• Modify bookmark history, calendar, and contacts

• Push ads to the notification tray of the phone even when the app is not running

• Send premium SMS as a form of payment

• Intercept incoming SMS and check for messages from certain phone numbers


Vulnerable Apps - Incorrect use of SSL/TLS

Vulnerabilities

– Applications use trust managers that trust all certificates and open themselves to MITM attacks

– Applications replace hostname verifiers with versions that do not check the hostname of the server the application is connecting to

– Applications that embed web pages ignore SSL errors by doing nothing in onReceivedSslError

Consequences

– MITM attacks!
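A heuristic check for the three patterns on this slide, as an added example that is not part of the original presentation: it scans Java source text (for instance decompiled app code) for an empty `checkServerTrusted`, a `verify` that only returns true, and an `onReceivedSslError` that calls `proceed()`. The names `method_bodies` and `audit` and both sample class fragments are constructed for illustration, and the regex matching assumes unobfuscated source.

```python
import re
# Constructed sample fragments (not from any real app): the slide's three patterns.
UNSAFE = """
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a) { }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession s) { return true; }
}
class Client extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
        h.proceed(); // keep loading despite the certificate error
    }
}
"""
# Constructed sample: a trust manager that delegates to another manager.
SAFE = """
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformTm.checkServerTrusted(c, a);
    }
}
"""

def method_bodies(src, name):
    """Yield the brace-matched body of each method declared as `name`."""
    for m in re.finditer(r"\b%s\s*\([^)]*\)[^{;]*\{" % re.escape(name), src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield src[m.end():i - 1]

def audit(src):
    """Heuristic scan of Java source text; returns a list of finding labels."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    found = []
    for body in method_bodies(src, "checkServerTrusted"):
        # Safe implementations either throw or delegate to another manager.
        if "throw" not in body and "checkServerTrusted" not in body:
            found.append("trust manager accepts any certificate")
    for body in method_bodies(src, "verify"):
        if re.fullmatch(r"\s*return\s+true\s*;\s*", body):
            found.append("hostname verifier accepts any host")
    for body in method_bodies(src, "onReceivedSslError"):
        if re.search(r"\.proceed\s*\(", body):
            found.append("WebView proceeds past SSL errors")
    return found
```

A hit is a lead for manual review rather than proof: a debug-only code path or a pinned certificate check elsewhere can change the verdict.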


SSL/TLS vulnerabilities

[Stacked bar chart, Safe vs. Unsafe, 0% to 100%, for three categories: trust managers that do not check server certificates; hostname verifiers that do not verify hostnames; applications that ignore SSL errors in WebKit]

Dataset: the 1000 most downloaded applications from Google Play

611/1000 use SSL


Uploading contacts in bulk

Truecaller - Caller ID & Block
10,000,000+ downloads
“See who the unknown caller is, block unwanted calls and SMS, and manage your contacts for FREE. …NEVER uploads your phonebook to make it searchable or public.”

TeenPatti: Indian Poker
500,000+ downloads
“Teen Patti is the fastest and the most exciting Indian card game, similar to poker.”

Uploads entire contacts list, uploads incoming SMS sender without user interaction

Uploads entire contacts list

Apps with undesired/unintended Security Consequences


Latest Solution Covering All App Threat Categories

[Table: columns Risk Type, Top AV Vendors, Latest Solution; rows Malware, Adware, Vulnerabilities, Undesired security consequences]


Live Demo on Mobile Hacking

Demonstration of why Anti-Virus technology is not effective for Mobile Protection

- Inaccurate: based simply on the security access required on the phone

- Slow to detect latest attacks


Live Demo on how latest mobile security solution

• 100% detection based on cloud infrastructure, freeing up CPU and memory on the phone

• Non-signature based solution which helps to detect latest attacks

• Detailed analysis of mobile threat behavior and action taken


Uncovering the Threat

Contextual Correlation

1 Does the app violate security policies?
2 What kind of behavior does the app exhibit?
3 Is the app malicious?

[Diagram labels: Security Policy; Information; File System; Exploit; Network; Behavior]


Secure without extra load on Mobile Devices

https://www2.fireeye.com/OFFER-14Q4-MobileSecurity-APAC-HK_LP---Register-for-Mobile-App.html

1M download

10K download

10M Download


THANK YOU!

Questions and Answers
