CNIT 128 5: Mobile malware
1 like630 views
The document discusses the rise of mobile malware, detailing early examples like LibertyCrack and Cabir, and highlighting modern Android threats such as Droiddream and Nickispy that exploit app permissions to steal sensitive information. It contrasts Android's more open app ecosystem with iOS, which has stricter app review processes, resulting in fewer instances of malware. Various malware tactics, including SMS fraud and man-in-the-browser attacks, are analyzed alongside security measures like two-factor authentication.
CNIT 128 5: Mobile malware
- 1. Ch 5: Mobile Malware CNIT 128: Hacking Mobile Devices Updated 3-7-17
- 2. Increase in Mobile Malware • From link Ch 5h
- 3. Early Malware • LibertyCrack (2000) – Trojan masquerading as pirated software for Palm OS – Restored device to factory defaults
- 4. Early Malware • Cabir (2004) – First phone worm – Infected Symbian phones – Spread via Bluetooth • Image from link Ch 5a
- 6. • Link Ch 5i
- 10. • Ch 5j
- 14. DroidDream (2011) • Was primarily distributed by the Google Play store • Legitimate apps were repackaged to include DroidDream and then put back in the Play store
- 15. Excessive Permissions • App trojaned by DroidDream asks for too many permissions
- 16. Information Theft • When it is installed, DroidDream launches a "Setting" service • Steals private information and sends it to a remote server – International Mobile Station Equipment Identity (IMEI) – International Mobile Subscriber Identity (IMSI)
- 17. Botted • DroidDream then roots the device • Hijacks the app downloading and installing code • Makes it a bot under remote control
- 18. Google's Response • Google removed the repackaged apps from the Play Store • But 50,000 – 200,000 users were already infected
- 19. NickiSpy • Packaged into other software • At next reboot, it launches the services shown to the right • Steals IMEI, location, SMS messages and records voice phone calls • Records sound when phone is not in use
- 20. Google's Response to NickiSpy • Android 2.3 removed the ability for an application to change the phone state without user interaction • So an app could no longer turn on the microphone as stealthily
- 21. SMSZombie • Packaged inside live wallpaper apps in a Chinese marketplace named Gfan • Makes fraudulent payments using China Mobile SMS Payment • No permissions are requested during installation, because it starts as a wallpaper app – No clue to warn the user
- 22. Malicious App • It then downloads another app and shows the user a box with only one option "Install" to get "100 points!" • That installs another app that does ask for permissions
- 24. Payload • SMSZombie sends all SMS messages currently on the device to a target phone # • It then scans all SMS messages to stealthily steal and delete ones that are warning the phone user about fraudulent SMS transactions
- 25. Banking Malware
- 26. Man-in-the-Browser (MITB) Attack • A Trojan installed on a PC hooks Windows API networking calls such as HttpSendRequestW • Allows attacker to intercept and modify HTTP and HTTPS traffic sent by the browser • Can steal banking credentials and display false information to the user
- 27. Two-Factor Authentication (2FA) • This was the response by banks to resist MITB attacks • Use an SMS to a phone as the second factor for 2FA – Message contains a mobile transaction authentication number (mTAN) • Customer types mTAN into the banking web app on the PC
- 28. Zeus and Zitmo Defeat 2FA • Zeus malware on the PC – Manipulates HTTPS traffic to encourage user to install fake Trusteer mobile security software – Looks like legitimate security software on the phone – Steals SMS messages from the phone to defeat 2FA
- 29. FakeToken • User is tricked into installing TokenGenerator app • It requests suspicious permissions, including – Install and delete apps • An error by the malware designers: only system apps can have that permission – Send and receive SMS messages
- 30. Payload • TakeToken steals SMS messages to defeat 2FA • Can also steal contact list
- 32. How Bouncer was Hacked • Researchers submitted an app containing a remote shell • When Bouncer ran the app in a virtual machine, it phoned home to the researchers • They explored the VM and exploited Bouncer itself • With a remote shell inside Bouncer, they explored it and found ways to defeat it
- 33. Google Application Verification Service • Launched in 2012 • Tries to detect malicious apps • Much less effective than 3rd-party AV – Link Ch 5e
- 34. Moral: Get Real AV • Avast! won in a review from Feb., 2015 – Link Ch 5g • There are plenty of others, including – Lookout – AVG – Kaspersky – Norton – McAfee
- 35. iOS Malware What iOS malware?
- 36. Risk is Very Small • Very few items of malware, very few users actually infected, no real harm done • An academic exercise in theoretical computer security, not a real risk for users
- 37. Fake Update • "iPhone firmware 1.1.3 prep software" • Only for jailbroken devices • Supposedly written by an 11-year-old • Broke utilities like Doom and SSH • A minor annoyance
- 38. Jailbroken iPhones with Default SSH Password • Dutch teenager scanned for iPhones on T- Mobile's 3G IP range – Pushed ransomware onto phones in Nov. 2009 • Australian teenager wrote the iKee worm to Rickroll iPhones in 2009 – A later version made an iPhone botnet
- 39. iOS Malware in the Apple App Store • "Find and Call" – First seen in 2012 – Also in Google Play – Uploads user's contacts to a Web server – Sends SMS spam to the contacts with install links – Spreads but does no other harm
- 40. Malware Security: Android v. iOS
- 41. Why the Huge Difference? • Market share • App approval process – $25 to register for Google Play • Apps appear within 15-60 min. – $99 to register for Apple's App Store • A week of automated & manual review before app appears in the store • Third-party app stores – Allowed on Android, but not on iOS (unless you jailbreak)