BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT

Jimmy Shah, Senior Director of Research

All rights reserved to Zimperium, INC.

Who Am I?

Jimmy Shah

• Sr. Director of Research at ZIMPERIUM - Enterprise Mobile Security

• Antivirus Researcher (Symantec, McAfee, AVG)

• Involved with Mobile Malware and threats since SymbOS/Cabir (ca. 2004)

Blog: MOBILE MALWARE DETECTION

Email: [email protected]

Twitter: @shah_jim

Agenda

• Introduction to Advanced Persistent Threats (APT)

• The Real Mobile Threat Landscape

• How is it switching over to Mobile?

• Examples

• Bypassing Mitigations/Security

• Summary

April 24th, 2014

Introduction to Advanced Persistent Threats (APT)

APT friendly Exploits & Vulnerabilities (PC)

Client Side

Server side: MS08-067 (Conficker), Shellshock, Netbios, SMB, Heartbleed, etc.

The Real Mobile Threat Landscape

Next-generation attacks

Attackers are targeting mobile devices.

The Changing Threat Landscape

4.3M+ Sensors Reporting daily

• Most devices are running outdated OS

• Lots of vulnerabilities

• We carry them with us everywhere

• Always connected

• Contain sensitive data

• Lack of effective security solutions!

The Low Hanging Fruit

How is it switching over to Mobile?

APT Friendly Exploits in Mobile

• Widespread

• + Kernel/Root Exploit

• Targeted

• | | + Kernel/Root Exploit, MITM, Push-SMS, etc.

• Cellular Network Attack Vectors

• Location Tracking, Call Forwarding, etc.

Examples

Widespread - App Surveillance

Targeted - Airport/Hotel Scenario

Intercept Traffic

Scan (IPv4/IPv6)

Target discovery

MITM

Rogue AP

Rogue FemtoCell / Basestation

Modify Traffic

SSL Strip

Browser Attack

Code Injection

Elevation of Privileges

OS / Kernel Exploit

Infected

Targeted Attack - Spear-Phishing Scenario

Infection Points

Spreading in the Mobile Era

• Rogue AP

• SMS

• Using stolen Email client’s credentials

• Plug & Prey

• Juice Jacking

• Airdrop?

Payloads

• Two types of payloads observed:

• Apps (easier to detect)

• Processes (harder to detect)

Bypassing Mitigations/Security

Methods used in the wild

• Mobile Anti-Virus

• Cloud Sandboxing

• Sandbox restrictions

• MDM / MAM Containers

How to detect?

• Persistent filesystem modifications

• Disabling security restrictions

• Spying on other sandboxes: Email App, Facebook, WhatsApp and others

• Spying on information: SMS, Call log

• Active Spying: Camera, Pictures, Call Recording

Summary

Mobile != PC

Credit: Flickr user - intelfreepress/

• Mobile attacks are becoming more sophisticated and powerful and can cause real damage to a corporation’s assets.

• Protecting mobile devices in a BYOD world against the various attack vectors requires:

• Correlation of security events

• Anomaly detection techniques

• Mobile expert knowledge

• BYOD devices are fragmented across different OS versions; a true solution must work on all common devices.

ZIMPERIUM’s z9 engine was developed from the ground up for mobile to combat the unique challenges of protecting iOS and Android devices in the organization. Contact us to request a demo

Questions?

Thank you!

All rights reserved to Zimperium LTD.