As 2017 comes to a close, let’s take a look back at some of the notable moments in mobile security.
Ransomware made big news in 2017 with headline-worthy attacks such as WannaCry and NotPetya. An extremely malicious type of malware, ransomware is designed to hold your data for ransom. Some variants lock access to the victim’s data, others encrypt it and deny access until a ransom is paid for the decryption key, and others threaten to publish the data unless a ransom is paid. WannaCry made headlines in May after infecting PCs inside many government and corporate offices, including the United Kingdom’s National Health Service, FedEx and Telefónica among others, encrypting files and demanding a ransom to be paid via Bitcoin. Inevitably, ransomware migrated to mobile devices, most notably with the headline-grabbing Android ransomware DoubleLocker. DoubleLocker was based on the foundations of a banking trojan and is the first ransomware to misuse the Android accessibility services.
Cryptocurrency made significant headlines in 2017. Bitcoin, Ethereum, Litecoin and other cryptocurrencies saw an incredible surge in demand, hitting all-time record high prices. High-Tech Bridge’s report on the top cryptocurrency apps in the Google Play Store showed that 90% contained security vulnerabilities or privacy risks. Additionally, crypto-mining malware made the rounds on Android devices, hijacking the processing power of millions of devices to mine cryptocurrencies for bad actors.
Devices being sold with RootKits and BootKits
Bootkits and rootkits on mobile devices have been around for the last 5 years. Bootkits are stealth malware, designed to hide their presence and the existence of their malicious payload. Re-flashing your mobile OS cannot remove them. This past year saw a re-emergence of bootkits being shipped on devices. As recently as August 2017, Amazon halted sales of Blu Phone because of privacy and security concerns over its use of the Adups firmware updating technology, a bootkit-level malware that leaked users’ private data off the device.
Another piece of malware reared its head again inside the Google Play store this year. The malware was a variant of BankBot, a mobile banking trojan designed to steal user credentials from the apps of large banks including Wells Fargo, Chase, DiBa and Citibank. This malware would overlay a similar-looking login screen in front of the banking app, tricking users into entering their account credentials. BankBot is an especially nasty piece of malware because it can listen for inbound SMS messages that contain the two-factor authentication code and then send it to the criminals along with the account credentials.
Remotely Activated Trojans - xRAT
xRAT, as the name suggests, is a "RAT", or Remote Access Tool. Some may also refer to this as a Remotely Activated Trojan. xRAT is a piece of Android malware that can exfiltrate data off a device, execute remote code and be controlled remotely, and it uses sophisticated evasion techniques. It appeared to target political groups, and it is an example of extremely sophisticated malware and of how data on a mobile device can be compromised.
No year in review could be complete without touching on Equifax. Equifax, as a reminder, is one of the three largest credit reporting agencies in the US, collecting confidential information on more than 800 million consumers and 88 million businesses worldwide. Equifax experienced a high-profile breach of some 183 million records including Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers from its systems. Not only was Equifax breached, it was also found to be offering an insecure mobile app. While the authentication for the app used HTTPS, other functions used clear-text HTTP in a way that left it exposed to an attacker intercepting and modifying traffic. After being informed of the problem, Equifax yanked the app from the App Store and Google Play.
MI3 Introduces CAST - Contextually Aware Security Testing
Contextually Aware Security Testing is MI3 Security’s answer to the limitations of one-time, application-specific scans. By crawling the application markets and using Open Source Intelligence and machine learning, Mi3 RECON can determine how an application fits into The Wild of the ecosystem and whether those relationships impact the risk profile of the app. Certificates, classes or libraries used by known malicious actors can be indicators of risk if found in an application you are deploying. Websites that an application attempts to contact can also create risk indicators. With AppVisualizer, you can visually explore the six degrees of separation between assets in your application and see how they are related to other applications. Those relationships can identify assets used by malware, which is a risk indicator for your app.
CAST also extends beyond single one-time scanning. By deploying a network of crawlers, Mi3 RECON can identify suspected fraudulent use of brand assets or repackaged apps and notify you automatically. The continuous monitoring and notification capabilities mean that you do not need to continuously rescan your application, and you do not need to manually monitor the multitude of application markets either.
As we look towards 2018, we believe that security, particularly mobile application security, will be more dependent than ever on sophisticated techniques such as CAST and machine learning to build more complete security, privacy and risk profiles based on how applications are related and interconnected to the broader ecosystem.