Mobile Security Weekly – Mobile Malware finds new ways to steal from victims

This week’s summary serves as a reminder that mobile malware is developing and advancing on several different fronts. On one front, attackers are finding new ways to target and exploit victims and to bypass security measures. On another front, attackers continue to find ways to attack the biggest and most established apps on the market.

In both cases, these advancements clearly exemplify the need for greater enterprise awareness of the various issues affecting BYOD.

Viber vulnerable to MitM attack, millions of users at risk
Researchers have discovered that almost everything transferred and stored on the Viber service, except the messages themselves, is not encrypted either in transit or at rest (this includes doodles, images, location data and videos).

The implication? Viber users are vulnerable to Man in the Middle (MitM) attacks. The MitM attacks can be carried out via a rogue Wi-Fi access point or by anyone who can access the outgoing traffic of a mobile device (via a legitimate but open access point, for instance).

The researchers who reported this flaw are the same researchers who published details on a similar WhatsApp location bug, where the location image is sent unencrypted. Read here about the WhatsApp location bug in last week’s mobile security roundup.

Unfortunately, Viber’s problems don’t end there. The researchers also discovered that user data stored on Viber’s Amazon servers is not deleted immediately and can be accessed without going through any authentication mechanism – simply by visiting the intercepted link in a web browser.

Why is this Significant?
This is the second time within two weeks that a major social app has been found lacking in security measures. Consequently, this raises many doubts regarding the security of lesser known apps and services. Given that Viber was recently the target of a 900M dollar takeover, we don’t see a lack of resources as a good excuse for this flaw.

New mobile malware that aims to make the attackers richer – Cardbuyer

Currently undetected by most mobile AV services, Cardbuyer implements a new set of tactics to make money for the attacker. Cardbuyer is quite a bit more advanced than most malware that aims to steal.

It can solve CAPTCHA challenges, emulate a user’s behaviour, understand SMS content and react accordingly. It can also deal with the existing multi-factor verification procedures of many popular game platforms and online payment systems, and impersonate the smartphone user in making the purchase.

While previous malware signed victims up to premium SMS services or stole banking credentials, Cardbuyer specifically targets Chinese video games and mobile platforms by purchasing pre-paid and top-up cards. The attacker can then convert these cards into cash, while the victim’s mobile account is charged for the purchase.

Currently targeting several different Chinese stores and services, it is gaining significant traction.

Why is this Significant?
First and foremost, this item again highlights the lack of efficiency of mobile AVs. Instead of a signature-based solution, which requires tracking known threats, updating the signature database, and updating the endpoint AV, a more efficient and accurate solution would be a behaviour-based malware detection method. Behaviour-based anti-malware software detects anomalies on the device and on the network which signify a compromised device.

Secondly, Cardbuyer proves again that the SMS channel used to confirm online purchases is not always a secure authentication channel. In all likelihood, mobile devices and services are eventually going to be exploited in some cases, almost regardless of the effort put into security.

Android/Samsapo.A – a strain of Android Malware with worm-like infection techniques

Android.Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. Over the past few days, it has been spreading like wildfire throughout Russia. It’s undoubtedly new, seeing as the domain that serves as a drop-zone for the malware itself was registered on April 24, 2014.

Android.Samsapo relies on social engineering to convince victims to click on a malicious link within an SMS and download the malware. It sends an SMS message with the text “Это твои фото?” (Russian for “Is this your photo?”) and a link to a malicious APK package to all of the user’s contacts.

If a victim clicks the link (as opposed to just ignoring the text message), the victim is infected by an mRAT that:

  1. Enables the worm to carry on spreading to more devices
  2. Can download other malicious files to the phone, extract personal information and SMS messages, and block phone calls
  3. Acts as an SMS trojan, registering the victim’s phone number to a premium SMS service

Why is this Significant?
This is another example of the growing trend of mobile-targeted attacks adopting techniques from PC-targeted attacks; self-propagating worms are a type of threat usually associated with PCs. When dissecting mobile threats, we usually look carefully at the attackers’ vector of attack. In this case, each infected device becomes a new vector.
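The behaviour-based detection argued for in the Cardbuyer section and the Samsapo propagation pattern above fit together: a worm that texts the same link to every contact produces an anomaly that no signature database is needed to spot. The following is an added example written for this roundup, not code from the original post or from any vendor mentioned in it. It runs a simple fan-out heuristic over a constructed outbound-SMS log: an alert fires when one identical, link-carrying body reaches at least five distinct recipients within sixty seconds. The worm text is quoted from the post; the domain, phone numbers and timestamps are constructed placeholders.

```python
"""Behaviour-based heuristic for worm-like SMS fan-out (added example).

Not code from the original roundup or from any product. Detects the pattern
described in the post: one identical SMS carrying a URL sent to many distinct
contacts in a short window. Every log line is constructed for the example;
the domain is a placeholder, only the Russian lure text is quoted from the post.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed outbound-SMS log, one record per line: "ISO-timestamp|destination|body"
SAMPLE_LOG = """\
2014-04-28T09:00:01|+79001110001|Это твои фото? http://malware-domain.example/photo.apk
2014-04-28T09:00:02|+79001110002|Это твои фото? http://malware-domain.example/photo.apk
2014-04-28T09:00:02|+79001110003|Это твои фото? http://malware-domain.example/photo.apk
2014-04-28T09:00:03|+79001110004|Это твои фото? http://malware-domain.example/photo.apk
2014-04-28T09:00:04|+79001110005|Это твои фото? http://malware-domain.example/photo.apk
2014-04-28T09:00:05|+79001110006|Это твои фото? http://malware-domain.example/photo.apk
2014-04-28T10:15:00|+79001110002|Running late, see you at 7
2014-04-28T12:30:00|+79001110003|Check this out https://news.example/article
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_log(text):
    """Turn the pipe-delimited log into (datetime, destination, body) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dest, body = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), dest, body))
    return events


def detect_sms_fanout(events, min_recipients=5, window_seconds=60):
    """Return a list of alerts as (body, recipient_count, span_seconds).

    An alert fires when one identical body containing a URL reaches at least
    `min_recipients` distinct destinations within `window_seconds`. The signal
    is the device's behaviour, not a sample hash, so repacking the APK or
    changing the domain does not evade it.
    """
    by_body = defaultdict(list)
    for ts, dest, body in events:
        if URL_RE.search(body):
            by_body[body].append((ts, dest))

    alerts = []
    for body, sends in by_body.items():
        sends.sort()  # order by timestamp for the sliding window
        start = 0
        for end in range(len(sends)):
            # shrink the window from the left until it fits in window_seconds
            while (sends[end][0] - sends[start][0]).total_seconds() > window_seconds:
                start += 1
            recipients = {dest for _, dest in sends[start:end + 1]}
            if len(recipients) >= min_recipients:
                span = (sends[end][0] - sends[start][0]).total_seconds()
                alerts.append((body, len(recipients), span))
                break  # one alert per distinct body is enough
    return alerts


def is_apk_link(body):
    """Secondary indicator: the link points straight at an Android package."""
    match = URL_RE.search(body)
    return bool(match) and match.group(0).lower().rstrip(".,)").endswith(".apk")


if __name__ == "__main__":
    for body, count, span in detect_sms_fanout(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {count} recipients in {span:.0f}s, apk link={is_apk_link(body)}: {body}")
```

On a real device or MDM gateway the same logic would run over the outbound SMS stream rather than a string constant; the thresholds are deliberately conservative so that a user forwarding one article to a few friends does not trip it, while a worm hitting an entire address book does within seconds.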

Read here to follow our series on social engineering attacks in the mobile world.