A quick guide to mobile malware (part 2)

This is the second article in a 3-part series on mobile malware.

Why (should I be worried)?

Worm:iOS/Ikee.A changed the phone's wallpaper

Last week I gave a brief summary of the kinds of threats a user might encounter on the smartphones of today. This week’s article is supposed to cover the reasons why a user would worry about mobile malware, so let me give the short answer now:

Usually, mobile malware attacks are motivated by: Bragging rights; money; stealing personal information that can be sold for money. For the user that gets hit by the malware, it means: Losing control over your phone; losing your money; someone else might be using your personal details for who-knows-what.

So let’s assume your phone’s been infected. Just how much should you be worried? Well, that kind of depends on your luck and what kind of malware you’re dealing with.

“Hey folks! Look what I can do!”

Like PC-based malware, the first threats to appear on the phone are often the product of some technically-minded person finding a loophole in the phone’s operating system, writing a program to exploit it, then releasing it to the general public to, basically, prove that it can be done. A prank for bragging rights, more or less. There may also be more subtle motivations involved, but if your phone is on the receiving end, you probably wouldn’t care.

Sometimes, if you’re lucky, that first malicious program doesn’t do anything worse than changing the phone’s wallpaper (Worm:iOS/Ikee.A is a good example here). So, for the user, the cost for the malware creator’s bragging rights is: time spent dealing with the problem and probably a massive headache.

Not a good loss, but bearable. Unfortunately, the next two potential losses for a user hit by mobile malware – money and/or personal data – are more serious.

“Give me back my phone!”

As other attackers get hold of that pioneer program and modify it to be more malicious, the next few versions (or variants) of it usually get more ‘risky’ to the user. If the malware is really malicious, it can alter the phone’s functionality to the point that the device is basically ‘bricked’ – it can’t be used for anything other than a paperweight.

Some examples we saw on the Symbian platform – which, by virtue of being the first widely used smartphone platform, also suffered the most threats – were Cardtrap, Skulls, Romride and Locknut. At this point, if the damage isn’t recoverable, the user is also out by the price of the phone and loss of the data stored on the phone itself. Ouch.

SMSes = $$$

Still, not everyone has to be concerned about data loss, if they have their contacts backed up elsewhere and they don’t keep financial or confidential details on their phone. What if you do, though? Say, you do mobile bank transactions, or store your PINs or account log-in details on the phone? Can an attacker find a way to pull confidential data off the phone?

‘Early generation’ smartphones – for the sake of this article, let’s say they’re the ones that sent data out by WAP  – didn’t give crooks a lot of options for getting hold of data they could make money from.  On these phones, the ‘traditional’ way for crooks to make money was through what amounts to SMS fraud (an example is the Redoc trojan family).

In this kind of scheme, the attackers has to plant a trojan on the device that forces it to send SMS messages to a premium phone number, which can wrack up a high phone bill for the user. Though effective, these attacks tend not to be very widespread, as they are limited by the geographical location and size of the telecom networks and target-able users. If you’re not in the target group, the threat is almost nonexistent.

Stealing data

Nowadays though, ‘new generation’ smartphones – as in ones with fast data connections back up by unlimited or cheap data packages from telco providers, making it convenient for a user to just leave the data connection open – offer a crook more options. Instead of bothering with SMS fraud, they can create malware that find and retrieve specific information stored on the device, which could potentially give far greater returns. Case in point is the very next Ikee variant, Ikee.B, which stole financially-sensitive information stored on the phone.

In this case, the loss is hard to estimate as fortunately, this type of malware isn’t common and the risk they pose is highly individual, depending on what details you store on your phone. It would probably also depend on how the attacker would be able to convert the details stolen into hard cash – sell it off in bulk together with details stolen from others? Find a way to log into a compromised account and withdraw the money?

There’s no ‘standard scenario’ here, so it’s hard for a user to realistically evaluate the fallout of having data stolen off their phone. All that can be reliably said is that personal and financial details are major targets on a PC and they’re probably no less attractive on mobile devices; it’s just that up until now, attackers didn’t have a way to scam these details out of someone on a mobile device.

Going straight for the money

As with PC threats, the main motivation for mobile threats seems to have transitioned from bragging rights to making money. And in a totally unscientific personal observation, it sure seems like mobile malware made that transition much faster than PC threats did. As a very rough comparison:

  • Brain, the first PC-based malware, came out in 1986; it was only in the early 2000’s that profit-motivated malwares became prevalent (though there doesn’t seem to be any agreement on which was the first).
  • By comparison, the iOS was launched in early 2007; its first trojan (of the bragging rights variety) came out almost exactly a year later; and shortly thereafter came Ikee.B, which was more malicious (but only on jailbroken iPhones).
  • The Android OS was launched in late 2007; its first trojan was also the first to try an SMS fraud scam, and it appeared in August of 2010.

It’s early days yet for mobile threats so we really don’t know how they are going to evolve.

It would probably be a safe bet to say that there are going to be more new threats though, and not all of them are going to be as benign as a plastering on a Rick Astley wallpaper.

Next week, the last in this series – How (can I protect myself)?

More posts from this topic

5830110963_bc3631fa37_b

Hacks in the Headlines: Two Huge Breaches That Could Have Been Detected

The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared.   Photo licensed under CC BY 2.0:  Breach photo by Jim Champion

May 31, 2016
BY 
brain floppy, scanning engines, malware scanning

5 Ways We Stop Cyber Attacks In Their Tracks

See that floppy disc? That's how F-Secure Labs used to get malware to analyze. Nowadays, of course, it's much different, Andy Patel from the Labs explained in a recent post, "What's The Deal with Scanning Engines?" In just a few hundred words, Andy lays out what makes modern protection so different from the anti-virus that you remember from the 80s, 90s or even the early 00s. And it's not just that floppy disks the Labs once analyzed have been replaced by almost any sort of digital input, down to a piece of memory or a network stream. The whole post is worth checking out if you're interested in how relentless modern internet security must be to keep up with the panoply of online threats we face. But here's a quick look at five of the key components of endpoint protection that work in tandem to stop attacks in their tracks, as described by Andy: Scanning engines. Today’s detections are really just complex computer programs, designed to perform intricate sample analysis directly on the client. Modern detections are designed to catch thousands, or even hundreds of thousands of samples. URL blocking. Preventing a user from being exposed to a site hosting an exploit kit or other malicious content negates the need for any further protection measures. We do this largely via URL and IP reputation cloud queries. Spam blocking and email filtering also happen here. Exploit detection. If a user does manage to visit a site hosting an exploit kit, and that user is running vulnerable software, any attempt to exploit that vulnerable software will be blocked by our behavioral monitoring engine. Network and on-access scanning. If a user receives a malicious file via email or download, it will be scanned on the network or when it is written to disk. If the file is found to be malicious, it will be removed from the user’s system. Behavioral blocking. Assuming no file-based detection existed for the object, the user may then go on to open or execute the document, script, or program. At this point, malicious behavior will be blocked by our behavioral engine and again, the file will be removed. The fact is, a majority of malware delivery mechanisms are easily blocked behaviorally. In most cases, when we find new threats, we also discover that we had, in the distant past, already added logic addressing the mechanisms it uses.If you're interested in knowing more about behavioral engines, check out this post in which Andy makes then easy to understand by comparing the technology to securing an office building. So you must be wondering, does this all work? Is it enough? Well, our experts and our computers are always learning. But in all the tests this year run by independent analysts AV-Comparatives, we’ve blocked 100% of the real-world threats thrown at us. Cheers, Jason  

May 24, 2016
BY 
Customer Day F-Secure

Customer Day at F-Secure: Technology Enables, Feelings Live

The Internet is pretty cool. You can use it to learn about things happening all over the world. You can start your own blog or social media account to share your views and speak up about the things you care about. You can stay in touch with people that live far away. It’s really all about connecting people, and it’s changed how people live their lives. The odd thing about all this connecting is that it's surprisingly easy to become disconnected from actual people. Spending time in front of a computer screen, especially when working in roles that involve lots of engineering or programming, can put people out of the picture. All too often, things get reduced to bits and pieces of information. People are what’s important to companies. Not just employees, but all the people involved with a business. And many companies say that the customer is #1, but they’ll have employees who never interact with the people they’re serving. So in this era of hyper connectivity, it’s easy for companies and employees to lose touch with the people that are actually paying their salaries. So Donal Crotty, F-Secure’s Director of Customer Advocacy, started a new tradition in 2015 to celebrate how we feel about customers, give them an opportunity to candidly share their views on the company with the Fellows that work here, and learn more about the company and the people that help make it a success. It’s called Customer Day. “Not everyone at F-Secure has the pleasure of actually meeting the people they’re trying to help,” says Donal. “It’s just the nature of some jobs. But it’s a real shame, because all the metrics and analytical tools companies use to gauge how happy or unhappy customers actually are simply aren’t enough. Numbers and data are no replacement for people, and that’s what Customer Day is for.” So today is the 2nd annual Customer Day at F-Secure (#fscustomerday16 on Twitter). And here at our Helsinki headquarters, as well as several of our regional offices around the world, Fellows and customers are coming together to connect with each other and learn more about the people and products. And have a bit of fun too. “IT companies will often say that they’re about people and not technology. But I’m not sure how many of them actually make the effort to put the people that build products and provide behind the scenes services in front of customers” says Donal. “We, as in people in companies, talk about customer experience, but it takes something more than just talking about it to make it meaningful. I like to think of it as a type of feeling. Our technology enables, but the feeling we give to customers is what we want them to live with.” Images provided by Bret Pulkka-Stone.

May 13, 2016
BY