Mobile Security Weekly: Inception Takes Hold, Attack Targets Sony, YikYak is Vulnerable, Apple Leaves Door Open

Ohad Bobrov is co-founder and CTO at Lacoon Mobile Security.

Despite the Sony hack being the biggest cyber security issue on the global stage, Inception – a new and sophisticated threat – might give it a run for its money. And, in other news, “anonymous” messaging app Yik Yak takes a security hit, and iOS users face issues from app developers and from Apple itself.

Inception (aka Cloud Atlas): A New and Powerful Multi-Platform Attack

Researchers have uncovered a new international espionage campaign based on sophisticated and comprehensive mobile malware that seems likely to have been developed by a nation state. Inception, first discovered and named by Blue Coat, then subsequently confirmed and named (again) Cloud Atlas by Kaspersky Labs, is designed to target Windows, Android, BlackBerry and jailbroken iOS devices of high-profile individuals within governments and enterprises.

This attack is almost certainly connected to Red October – a previous malware platform that infected hundreds of diplomatic, government, and scientific research organizations around the world in January 2013. The malware was primarily distributed as a fake update to the popular messaging app WhatsApp. However, researchers also uncovered evidence of an MMS phishing campaign designed to work on at least 60 mobile networks in multiple countries in an attempt to infect targeted individuals.

A notable difference between this and other similar attacks is that Inception uses free accounts on Swedish cloud service CloudMe to collect extracted data. Once installed, the malware can record and extract phone calls, messages, user data and perhaps additional types of material stored on the device.

Why is this Significant?

Inception is yet another example of the growing trend of mobile cyberattacks building on and improving existing technological and operational capabilities. Affecting victims in America, Europe and Asia, this is definitely an attack we might be hearing about well into 2015.

Did Sony’s Mega-Hack Go Mobile?

The Sony Pictures hack, which experts estimate could cost Sony more than $100M in losses, continues to dominate cyber security headlines. The incident seemed to have hit primarily networked desktop and laptop computers, but it’s clear that Sony became concerned immediately after the attack that mobile devices could be compromised as well.

After the attack was discovered, Sony instructed employees to turn smartphones off, and not to connect mobile devices to the company Wi-Fi networks. This raises serious concerns regarding the mobile aspect of this attack, and about Sony’s ability to detect and prevent attacks on mobile devices it manages or that connect to its corporate networks.

Could the breach be down to a mobile attack, or was Sony just fearful of further exfiltration of either personal or company data? Sony hasn’t commented further on the details of the attack, or how it was perpetrated.

Why is this Significant?

At the end of the day, a large, multi-billion dollar organization was hacked easily, and the hacking may have extended to employees’ mobile devices. Without a security strategy in place that includes solutions designed to detect and prevent these sophisticated attacks, no enterprise (or its mobile devices) can be safe.

Apple Fixes Ringtone Issues, But Leaves Security Holes Open

Apple has just released iOS 8.1.2, and amongst other things, Apple says “This release includes bug fixes and addresses a problem where ringtones purchased through the iTunes Store may have been removed from your device.”

Despite this being an improvement, some more severe questions seem left unanswered. In their latest update report, they reveal that it “…includes the security content of iOS 8.1.1.” This means that the jailbreak vulnerabilities that are successfully being used on iOS 8.1.1 will likely still work.

Why is this Significant?

Jailbreaking is the undeniable Achilles heel for iOS security. Although not at the root of all iOS security problems, it definitely is a prerequisite for many attacks. That Apple seems more worried about its income from ringtones than nipping jailbreaking in the bud is worth recognizing.

Vulnerability Discovered in Increasingly Popular Anonymous Social App – Yik Yak

Researchers have uncovered a security issue in the iOS version of anonymous messaging app Yik Yak, which lets attackers take over a user’s account as long as they are on the same Wi-Fi network. With Yik Yak being a location-based app that is extremely popular in universities and twenty-something-dominated workplaces, it’s more than likely that multiple users will share the same network.

The heart of the vulnerability is Yik Yak’s UserID, a string of characters used to authenticate each user to the service as a whole. Because the UserID is Yik Yak’s only form of authentication, once an attacker is in possession of a victim’s ID, the victim can easily be impersonated. The other source of the problem is third-party ads.

Communications between the app and the Yik Yak server are protected over HTTPS, effectively disguising the UserID, but the app also communicates with additional servers for various third-party ads and analytics tools, some of which are less careful about disguising the UserID.
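The check a developer can run to catch this class of leak before release, as an added example that is not from the original article or from Yik Yak: it audits a capture of the app's own traffic and flags every request that carries the authentication identifier over plain HTTP or to a host outside the first-party API. The host names, field names and the ID value are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit, unquote_plus

# Everything below is constructed for illustration: hosts, field names, the ID.
FIRST_PARTY = {"api.example-app.test"}
USER_ID = "3F2A9C1E-77B4-4D0A-9E55-0C1D2E3F4A5B"
SAMPLE_REQUESTS = [
    {"url": f"https://api.example-app.test/v1/feed?userID={USER_ID}"},
    {"url": f"http://ads.example-adnet.test/imp?slot=3&uid={USER_ID}"},
    {"url": "https://metrics.example-analytics.test/collect",
     "body": "d=" + base64.b64encode(USER_ID.encode()).decode()},
    {"url": "http://cdn.example-adnet.test/banner.png",
     "headers": {"User-Agent": "ExampleApp/1.0"}},
]

def identifier_forms(secret):
    """Encodings in which embedded SDKs commonly forward an identifier."""
    raw = secret.encode()
    return {
        "plain": secret,                              # replayable as-is
        "base64": base64.b64encode(raw).decode(),     # trivially reversible
        "sha256": hashlib.sha256(raw).hexdigest(),    # linkable, not replayable
    }

def audit(requests, secret, first_party):
    """Return one finding per request that exposes the identifier off-path."""
    forms = identifier_forms(secret)
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        text = "\n".join([req["url"], req.get("body", ""),
                          *(f"{k}: {v}" for k, v in req.get("headers", {}).items())])
        haystack = text + "\n" + unquote_plus(text)   # raw and URL-decoded views
        hits = [name for name, form in forms.items() if form in haystack]
        cleartext = parts.scheme != "https"
        third_party = parts.hostname not in first_party
        if hits and (cleartext or third_party):
            findings.append({
                "host": parts.hostname,
                "cleartext": cleartext,
                "third_party": third_party,
                "forms": hits,
                "replayable": any(h in ("plain", "base64") for h in hits),
            })
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_REQUESTS, USER_ID, FIRST_PARTY), sep="\n")
```

A finding with `cleartext` set corresponds to the exposure described above; one that is third-party but over HTTPS still hands a replayable credential to another company's servers.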

Why is this Significant?

Besides serving as a warning regarding just how (un?)anonymous Yik Yak really is, there’s a wider issue here. In many cases, people trust the app developer, and thus believe their data is safe. This case goes to show that while the developer may be taking care of security, there are other parties that might be involved that couldn’t care less and even prefer the data to be transparent.