Mobile Security 2014: The Year In Review

It was an eventful year for mobile security, and as 2014 draws to a close, we’re taking a look back to review some high-profile events. We saw several types of mobile security “firsts” last year, none of which bode well for enterprises. Different types of threats, methods of attack, and threat efficiencies all experienced substantial advances that promise to make 2015 even more challenging.

[timeline src=”https://docs.google.com/spreadsheets/d/1eWmPVzuRysf5I4s5GiojtsYINMkQce5-rECxH_hEvfY/pubhtml” width=”690″ height=”725″ font=”PlayfairDisplay-Muli” maptype=”SATELLITE” lang=”en” ]

January

• OldBoot – The first Android bootkit, Oldboot introduced a brand new threat in terms of method of installation, persistence as well as mitigation. Oldboot was the first malware to modify a devices’ boot partition – thus presenting a major problem to Anti Virus solutions (AVs) – both in identification and mitigation.

February

• Careto, “the mask” – This is one of the larger and more advanced mobile attacks in recent history. Careto’s discovery exposed, among other things, an advanced persistent threat campaign toolkit as well as cross platform attacks, including iOS and Android implants.

March

• Dendroid – As mobile malware became more of a business, the tools used for attacking devices needed to become more “user friendly.” Just like the open source Androrat, Dendroid presented a different type of technological advancement by providing non-technical offenders with an easy-to-use mRAT platform.

April

• HeartBleed – A catastrophic bug in OpenSSL. Undoubtedly one of the, if not the most, large scale threat to mobile and desktop security in 2014. Exposed millions of users (apart from Lacoon customers) to multiple threats. Attackers could eavesdrop on communications, steal data directly from and/or impersonate services and users.

May

• Photoalbum worm –  The most effective SMS worm we’d yet seen, the Photoalbum malware was an aggressive and successful mobile worm that took hold of devices worldwide, using simple social engineering tactics.
• Simplocker (koler) Ransomware – Several strains of Android ransomware based from Russia targeted users by means of social engineering. Simplocker went from bad to worse and exhibited improvements in both the ability to encrypt victims’ data and prevent its own removal.

June

• DroidJack platform is released – One of the most advanced easily available (and affordable) mRATs (Mobile Remote Access Trojans). Developed by the same team that brought us SandroRat, DroidJack costs a mere $210 and enables a vast array of surveillance capabilities.
• Towelroot – A vulnerability discovered by George Hotz that existed on almost every popular Android device in the market. Towelroot is a severe security issues that when exploited, can allow any app to escalate it’s privileges to root (administrator) privileges, before extracting various types of data from the device.
• iOS 7.1 Jailbreak – Released in late June, the Pangu jailbreak was first time since iOS 4 that a jailbreaking tool was able to run remotely. By using an Enterprise Certificate, Pangu developed a tool that attackers could, with the aide of social engineering, perform a remote jailbreak and turn iOS devices into serious security hazards.
• Kaspersky and Citizenlab release detailed reports on the use of Hacking Team’s Da Vinci mRAT. Da Vinci essentially enabled almost everyone to perform nation-state level surveillance. By dramatically lowering the entry cost on invasive and hard-to-­trace monitoring, it lowers the cost of targeting political threats.

July

• Android FakeID vulnerability – Another vulnerability that affected almost all existing Android devices (2.1 – 4.4). FakeID enables a threat actor to compromise specific applications or sensitive device data by falsifying its identity while exploiting a bug in a certificate’s chain of trust. As a result, management capabilities can be obtained and app data can be accessed.

August

• Gammagroup was hacked – This re-raised questions regarding the safety of iOS devices. The leak exposed information on the usages of different mobile exploits as well as on the group’s most advanced surveillance tools for sale, predominantly for Android.

September

• Lacoon discovers Xsser mRAT, an advanced Chinese iOS trojan – The Xsser mRAT specifically targets iOS devices, and is closely related to Android spyware already being distributed in Hong Kong. This rare cross-platform attack, and the fact that all servers were taken down almost instantly after the attack was revealed, are indications that the attack was conducted by a very large organization or nation state.

• Apple releases iOS 8 – Several crucial vulnerabilities are patched as well the introduction of Apple Pay, Health Kit and improvements to TouchID.

• The iCloud scandal – hackers allegedly exploited weaknesses in the iCloud service (within the Find My Iphone feature, to be exact) to gain access to the private accounts of stars including Jennifer Lawrence, Kate Upton & Kim Kardashian. Another reminder that almost every service and everyone is vulnerable.

October

• Apple releases the iPhone 6 and millions begin to use iOS 8, which is promptly jailbroken by Pangu – the iPhone 6 was released and immediately was exposed as being susceptible to the same fingerprint hacks as the iPhone 5S. From a jailbreak standpoint, Pangu released it in record time and made a true statement of intent.
• Android 5 , “Lollipop” is released – Google has made an effort to improve security on several different layers. Lollipop put an end to webview libraries, minimized threat surface for apps and even added a built-in ‘kill switch’ functionality.

November

• FakeDebuggered, the first Android malware to implement 4.x exploits in the wild (FramaRoot and TowelRoot) – A serious escalation in Android malware, this is first example in the wild of malware that uses Android 4.x PE (Privilege Escalation) exploit vulnerabilities to run code on an infected device. Besides an advanced method of installation, this malware also uses aggressive tactics to keep itself on the device.
• Masque Attack, a vulnerability worthy of a US Homeland Security warning, is an example of iOS enterprise certificates can be abused to allow installation of a fake app while impersonating a legitimate app, and was used by the malware “WireLurker.”
• Wirelurker deserves a mention of its own.  It’s the first attack to affect both iOS and OSX , and introduces on-the-fly repackaging of apps on iOS devices that have and, more importantly, that have not been jailbroken (something that was later implemented by Masque Attack). Wirelurker is a perfect example of how enterprise certificates can be abused and of how dangerous it is to download apps from unofficial sources.

December

• iOS 8.1.1 and 8.1.2 Jailbreaks are released, but not by Panda – TaiG, a Chinese hacking team, released the new jailbreaks, rendering the Pangu Jailbreak obsolete. TaiG released the jailbreak before Apple officially published the update – meaning Apple, which is known for its long patching cycles for iOS, consciously released a new version of iOS without addressing a critical PE vulnerability (exploited by the jailbreak).
• The “Inception framework” published by BlueCoat: A cross-platform campaign that included iOS, Android and BlackBerry devices, and targeted high-profile victims from at least 37 countries from sectors like government, finance, military and engineering.