Mobile Security Weekly – Trust Issues

Three items populate this week’s news summary. The one thing they have in common is the element of trust. Apple is in danger of losing users’ trust – it seems to be intentionally hiding things that might put them in danger. Users are also being made aware that they need to think long and hard before trusting the sites and services they use – whether it’s a banking site or a message from the “F.B.I”.

Apple confirms “backdoors” exist in iOS. Following a knowledge base article discussing hidden services that run on iOS, Apple have essentially admitted that they have left what can only be described as backdoors in iOS for their own use.

After the original post by Jonathan Zdziarski created quite a bit of excitement, Apple had no choice but to supply the public with a bit more information. It’s important to stress, no one is accusing Apple of working with the NSA (or anyone else for that matter), however these and similar backdoors can and have been exploited by governments in the past and could potentially be used by private threat actors in the future.

In general, Apple claims that the whole issue should be filed under “diagnostic data that Apple needs access to”. When dissecting what can actually be extracted, one finds the user’s complete photo album, their SMS, Notes, Address Book, GeoLocation data, screenshots of the last thing they were looking at, and more personal data including OAuth tokens (which is just as good as having the password to your accounts).

Why is this Significant?
The obvious issues here are privacy and security. iOS (up to and including iOS 6) leaves users and enterprises at risk. This saga once again highlights just how much trust consumers put in their mobile and what the mobile operating system manufacturers are doing with it.

Attackers suspected of residing in Russia are targeting Swiss bank accounts with a multi-pronged attack that intercepts SMS tokens and changes DNS settings.

The attacks are based on a devious but quite simple implementation of malware that points users to replica phishing banking sites when they attempt to access their accounts without triggering any warnings.

Users who fall for the email campaign and subsequently install the malware are prompted to install an Android app that purportedly secures their banking transactions. This app in turn steals the second-factor SMS tokens and sends them to a remote server. The malware manipulates the victim’s DNS settings and installs an SSL certificate for the phishing sites before wiping itself clean – removing evidence of infection.

In some cases, the Android app also steals a victim’s mobile transaction authentication number, used for second factor authentication by European banks including those operating in Australia and New Zealand.

Article in The Register

Why is this Significant?
This is a very efficient attack that is almost certainly being run by individuals (as opposed to larger organizations or governments). The attack leaves the threat actor with almost “full control” of a victim’s bank accounts, with little chance of being detected (especially as most devices are still running without even basic malware detection software).

A new Android ransomware is targeting users in Eastern Europe
The newest variant of Android/Simplocker (which we first discussed a while ago) displays the ransom note in English (in a past variant, the message was only in Russian) and asks for a ransom of $300 (it used to be only $20-30) to be paid through a payment service called MoneyPak. Like the old version, encrypting the victims’ files is part of the attack, but there is now a much larger range of files that can be encrypted.

As before, victims are falsely accused of “viewing and distributing child pornography, zoophilia and other perversions”, and are led to believe that their device has been locked by the U.S. Federal Bureau of Investigation as a result of their perverse viewing habits. The malware initially poses as a Flash video player and requests to be granted device administrator permissions.

This makes the new Simplocker much harder to remove once installed. Furthermore, another “improvement” means that, depending on which backup tool they use, victims might not only lose access to their documents and pictures, but also be unable to restore them from backups.

Article in PC World.

Why is this Significant?
This is one more example of the evolution of mobile malware. In the space of a few months, Simplocker has evolved from a small, unsophisticated method of extorting victims in Russia to an advanced method of extortion that can now target users around the world. It now demands more money and can cause more destruction. Mobile malware is constantly moving onwards and upwards.
