Mobile Security Weekly – Lacoon Discovers the Xsser mRAT

This week’s global mobile security news has been dominated by a discovery made here at Laccon. Several days ago, we released our findings on what has now become front page news – the Xsser mRAT.  The Chinese government seems to be targeting protesters in Hong Kong with advanced mRATs (Mobile Remote Access Trojans) for both iOS and Android devices.

Researchers at Lacoon discovered a sophisticated Cross-Platform attack that is targeting iOS and Android phones that belong to the protesters in Hong Kong in order to extract their private data and perform several forms of surveillance on them. This campaign is the first example we’ve seen of an operational strain of iOS malware as advanced as this.

More about the attack, which also incorporates methods of social engineering, can be found in our two dedicated blog posts:

• Lacoon Discovers Xsser mRAT, the First Advanced Chinese iOS Trojan
• Chinese Government Targets Hong Kong Protesters With Android mRAT Spyware

In contrast, this edition of Mobile Security Weekly also touches on issues that ‘surround’ the world of mobile security on a daily basis. Issues that aren’t directly related to a new vulnerability, mRAT or exploit can also have a big effect on enterprise security.

FBI takes out StealthGenie

In what has been described as a revelation regarding legal enforcement in the mobile malware arena,  the FBI has arrested consumer spyware StealthGenie’s CEO. StealthGenie is able to monitor calls, texts, videos and other communications on mobile phones without detection or the user’s consent.

According to the FBI, Hammad Akbar allegedly conspired to advertise and sell the spyware app online. The arrest marks the first criminal case specifically concerning the advertisement and sale of a mobile device spyware app.

http://www.independent.co.uk/life-style/gadgets-and-tech/fbi-shuts-down-stealthgenie-the-invisible-stalker-app-9769849.html

Why is this Significant?

This application explicitly equips potential threat actors and criminals with a means to invade the confidential communications of individuals and enterprises. In this case, the developer wanted to make money and was in the US. But many similar apps are being sold in countries with less regulation or even just being uploaded and made available to the public for free. It’s great that the FBI stopped this one, but also hints at just how big a problem this is.

BT Report Finds That Cloud Services Are Being Adopted Despite Decision Makers Anxiety About Their Safety

A BT study covering 11 countries reveals that more than 75% of IT decision makers are “extremely anxious” about the security related issues of using cloud-based services. Yet somehow, just over 79% of U.S. enterprise executives (70% globally) are still adopting cloud storage and web based app within their business.

The most common concern was that cloud promotes sharing of resources at a very large scale. However, many see enterprise-specific cloud apps and services as being too expensive, and therefore stick to public services. These public services are most the economically viable solutions, but their utility in an environment requiring trust and security is limited in scope.

http://www.globalservices.bt.com/uk/en/news/business_trust_in_data_security_in_cloud_at_all_time_low

Why is this Significant?

Improving accessibility and the sharing of resources is becoming critical in many business environments but this also means sharing risk. With several of the most popular public cloud services suffering serious breaches (iCloud springs to mind), this issues is due to pose quite a dilemma to many enterprises in the near future.

Updates on the Shellshock (BASH) Bug

We’d like to reiterate a warning we discussed in a dedicated blog post this week regarding the Shellshock (BASH) bug.

Many Shellshock-based threats have been circulating online over the past few days. The ease of exploitation and the widespread install base of BASH make this bug dangerous. However, as we said in our blog, mobile devices cannot be affected unless they are either rooted (Android) or jailbroken (iOS).

Although an initial patch was released several days ago, it proved entirely ineffective and there seems to be a gradually increasing amount of overtly malicious traffic leveraging BASH (again, on all platforms, not specifically mobile).

Why is this Significant?

Besides the obvious reminder of just how dangerous it can be to jailbreak or root a device (as is also evident with Xsser) It’s critical to keep tabs on events such as Shellshock even when they affect much more than just mobile. The barriers and divides between the worlds of PC and mobile malware are quickly evaporating and this is just another example.