In The Wild: Mobile Security Observations from the Check Point Research Team

As security researchers, we see worrisome vulnerabilities on both iOS and Android every day. Cybercriminals know that smartphones and tablets hold massive amounts of data, so they’re using creative techniques to hack into mobile devices and access sensitive information. In fact, two of the more interesting areas where we’ve seen some threat activity over the last few weeks are in the increasing use of advertising SDKs to attack devices and a new trend towards the irremovability of malware. These tactics expose vulnerabilities and introduce malicious threats that often allow cybercriminals to launch full-scale attacks, putting both personal and enterprise data at risk.


Even Advertisements Have Back Doors

On iOS, security researchers found some versions of a Chinese SDK called “mobiSage” to be exploitable as a backdoor which prompted alarmed researchers to dub this vulnerability “iBackdoor.” The vulnerability’s library exposes interfaces to remote execution of commands such as audio recording, screenshots and reading/writing an app’s data container. This lines up with recent reports about the Youmi SDK for iOS which was using private APIs to harvest data like email addresses, device identifiers, and lists of installed apps from devices in complete violation of Apple’s development policy.

On Android, things aren’t looking any brighter. For example, a vulnerability named “Wormhole” was recently discovered in Baidu’s Moplus SDK. Much like “iBackdoor” on iOS, the Wormhole vulnerability exposes backdoor functionalities with potentially grave consequences. When a user activates an app that comes with the vulnerable Moplus SDK, Moplus sets up an HTTP server in the background. This server listens to a TCP port and parses messages sent from remote clients. Not surprisingly, this kind of functionality can be exploited as a command and control server (C&C), due to lack of authentication in the communication process. In fact, one malware that exploits this vulnerability, ANDROIDOS_WORMHOLE.HRXA, has already been encountered in the wild.

Using advertising SDKs as an attack surface seems to be on the rise, so we expect to hear more about such vulnerabilities in advertising frameworks. Backdoors in popular SDKs pose a serious threat since unsuspecting users will gladly grant permission to apps coming from a known developer such as Baidu, not expecting that these apps might pave a hacker’s way into their devices and private data.


Uninstall Me… If You Can!

Another malicious behavior becoming increasingly popular is irremovability. We’re seeing more and more Android malware using root exploits that allow themselves to be written to Android’s system directory, from which the user cannot simply remove apps manually.

We saw this kind of behavior with the “BrainTest” malware family that was discovered roaming freely in Google’s official app store by Check Point researchers.

Brain Test’s orchestrated attack starts with a dropper that’s installed to the data directory (a path that requires no special privileges). Upon installation, the dropper downloads an exploit pack from a remote server to obtain root privilege. When root is obtained, the application downloads a malicious .apk file (The Backdoor) from the server and installs it as a system application. The backdoor, in turn, downloads and executes code from the server without user consent. Other famous threats which demonstrate such abilities are “Kemoge,” “GhostPush,” and “Shedun.”

These malicious apps implement known root exploits that are also used by legitimate rooting tools. However, unlike rooting tools they only leverage root privileges to do their harm, leaving the user helpless when trying to remove them manually.

Check Point Mobile Threat Prevention will warn users about apps with vulnerable SDK libraries in both iOS and Android, and fully protects from irremovable malware such as “Brain Test” and “GhostPush.”


Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.