In The Wild: Mobile Cybercrime Goes Big in 2015

Cybercriminals made significant advances in the sophistication and number of attacks on mobile devices in 2015. As we head into a new year — and into new uncertainties for mobile security — let’s remember a few of the most spectacular attacks to help us better understand what to be aware of in the months to come.

Hacking Team Hacked

The Italy-based hacker group “Hacking Team,” which claimed to develop surveillance tools for law enforcement and governmental organizations around the globe, was hacked on July 5, exposing 400 gigabytes of data to the public eye. Among the hacking tools discovered in the breached data was iOS malware that exploited a vulnerability to perform Masque attacks.

The discovery was significant because it was the first time a targeted attack on non-jailbroken iOS devices had been exposed. The vulnerability stemmed from iOS not enforcing matching certificates for apps with the same bundle identifier; Apple fixed it in iOS 8.1.3 and iOS 8.4. Instances of this malware were repackaged versions of popular apps such as Facebook, WhatsApp and its Chinese equivalent WeChat. By using the same bundle identifier as the corresponding original app, they could exploit the vulnerability to replace the legitimate app.

The Devil is in the Unencrypted Details

This year it was clearer than ever that even sound cryptography is undermined by vulnerabilities stemming from bad implementation practices. One such vulnerability, uncovered by Check Point researchers, was “Certifi-gate.” Our researchers found that pre-installed Android remote support tools (RSTs) implemented certificate verification in a faulty, non-cryptographic way. This let rogue apps craft fake certificates that Android identified as legitimate plugins, which in turn allowed the rogue app to puppeteer the RST with system privileges, exposing private user data to the rogue app’s developer.
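The Masque attack above and Certifi-gate share one root cause: an identity (a bundle identifier, a plugin certificate’s fields) was trusted without being bound to a cryptographic key. The following is an added example, not code from the original post, from Apple or from any RST vendor. It models both failures and their fixes with a toy RSA signer built from small, fixed primes (a stand-in for real signing keys, not secure in itself); the package and certificate layouts, key values and app names are constructed for the example.

```python
"""Added example: binding app and plugin identity to a signing key.

Toy RSA over small primes stands in for real code-signing keys. The 'unsafe'
functions model the behaviour the post describes (same bundle id wins; certificate
fields are string-matched); the 'safe' functions verify a signature instead.
"""
import hashlib
import json

E = 65537  # public exponent shared by all toy keys


def keypair(p, q):
    """Toy RSA from two given primes; returns ((e, n), (d, n)). Small, NOT secure."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def _digest(obj, n):
    """SHA-256 over a canonical JSON encoding, reduced into the RSA group."""
    canon = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def sign(obj, priv):
    d, n = priv
    return pow(_digest(obj, n), d, n)


def verify(obj, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest(obj, n)


# Constructed keys: the legitimate developer / RST vendor, and a rogue developer.
VENDOR_PUB, VENDOR_PRIV = keypair(1000003, 1000033)
ROGUE_PUB, ROGUE_PRIV = keypair(104723, 104729)


def make_pkg(bundle_id, version, priv, pub):
    """A signed app package: payload, signature, and the signer's public key."""
    payload = {"bundle_id": bundle_id, "version": version}
    return {"payload": payload, "sig": sign(payload, priv), "signer": pub}


# --- Masque-style replacement: identity by bundle id only vs. bound to the signer ---

def install_unsafe(installed, bundle_id, pkg):
    """Pre-8.1.3 behaviour as the post describes it: same bundle id wins."""
    installed[bundle_id] = pkg
    return True


def install_safe(installed, bundle_id, pkg):
    """Accept only packages that verify under their own key, and refuse to
    replace an installed app with a package from a different signer."""
    if pkg["payload"]["bundle_id"] != bundle_id:
        return False
    if not verify(pkg["payload"], pkg["sig"], pkg["signer"]):
        return False
    current = installed.get(bundle_id)
    if current is not None and current["signer"] != pkg["signer"]:
        return False
    installed[bundle_id] = pkg
    return True


# --- Certifi-gate-style plugin check: field matching vs. signature verification ---

def plugin_ok_unsafe(cert, trusted_fields):
    """Non-cryptographic check: any cert that repeats the vendor's fields passes."""
    return all(cert["fields"].get(k) == v for k, v in trusted_fields.items())


def plugin_ok_safe(cert, vendor_pub):
    """Cryptographic check: the fields must carry a signature under the vendor key."""
    return verify(cert["fields"], cert["sig"], vendor_pub)


def demo():
    """Run both scenarios and return the outcomes."""
    genuine = make_pkg("com.example.chat", "1.0", VENDOR_PRIV, VENDOR_PUB)
    lookalike = make_pkg("com.example.chat", "1.1", ROGUE_PRIV, ROGUE_PUB)

    unsafe_store = {}
    install_unsafe(unsafe_store, "com.example.chat", genuine)
    install_unsafe(unsafe_store, "com.example.chat", lookalike)

    safe_store = {}
    install_safe(safe_store, "com.example.chat", genuine)
    replaced_safe = install_safe(safe_store, "com.example.chat", lookalike)

    vendor_fields = {"issuer": "Example RST Vendor", "plugin": "support-plugin"}
    real_cert = {"fields": vendor_fields, "sig": sign(vendor_fields, VENDOR_PRIV)}
    fake_cert = {"fields": dict(vendor_fields), "sig": 1}  # copied fields, no key

    return {
        "masque_unsafe_replaced": unsafe_store["com.example.chat"] is lookalike,
        "masque_safe_replaced": replaced_safe,
        "fake_passes_field_check": plugin_ok_unsafe(fake_cert, vendor_fields),
        "fake_passes_signature_check": plugin_ok_safe(fake_cert, VENDOR_PUB),
        "real_passes_signature_check": plugin_ok_safe(real_cert, VENDOR_PUB),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two “safe” functions is the same: the decision depends on a key the rogue party does not hold, so copying a bundle identifier or a certificate’s issuer and serial fields buys nothing. In a real system the key comparison would be against a certificate chain and the signature would use a standard padding scheme; the toy primes here exist only so the example runs offline.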

Cryptographic systems have a way of striking laymen and even software developers with awe, and it’s a common misconception that any encryption is good enough unless you’re dealing with the NSA and its massive cracking arrays. But bad practices and straying from known implementation standards can make the difference between a virtually uncrackable certificate and something you could crack with the computational power of an old smartphone.

The Ghost in the Apple Machine

XcodeGhost was arguably the highest-profile iOS security event this year. An infected version of Apple’s iOS development tool, Xcode, was available for download on Chinese third-party websites. Since downloading Xcode from iTunes was slow in China, many developers were tempted to download the third-party version over a faster connection.

As it turned out, this version of “Xcode” had additional malicious functionality: it compiled every app with extra code that collected device information such as the current time, the infected app’s name and bundle identifier (package name), the system’s language and country, and the device’s UUID. The malware then encrypted the data using the relatively weak DES algorithm and sent it to a remote Command & Control (C&C) server. The out-of-date encryption scheme also made this communication susceptible to MITM attacks.

This security event was interesting because the developers did not know they were creating trojanized apps when they used the infected Xcode compiler. Legendary Unix developer Ken Thompson was the first to describe the possibility of compiler infections (in his 1984 lecture “Reflections on Trusting Trust”), and XcodeGhost was the first instance of such a threat in the mobile landscape. Novel and stealthy as it was, this threat could easily have been avoided by sticking to the good old policy of downloading software only from an official source.

Adware Developers Stepped Up Their Game

If you’ve ever left the wrong checkbox checked during an installation, you know adware on PCs is no joke. The notorious “download valley” developers bundle adware with legitimate software, hoping users will install it, and once installed it is practically impossible to remove.

This year we saw a shift in the mobile threat landscape towards more sophisticated adnet bots that include rootkits and achieve persistence. One such malicious adnet scheme was encountered by Check Point researchers in the Google Play store. The adware, a trojanized game called “Brain Test,” offered unsuspecting users IQ evaluation games and puzzles.

Once installed, Brain Test downloads a pack of known root exploits and uses them to escalate privileges. After acquiring root, it downloads its adware components and installs them in the system directory, where they cannot be removed unless the user roots the device or flashes a new ROM. Among its persistence methods, Brain Test installs two system apps that act as watchdogs: each monitors whether the other component has been removed and, if so, reinstalls it.

Another interesting persistent adware threat, discovered by Cheetah Mobile researchers, used similar techniques to obtain root privileges and write part of its payload to the system directory. But “GhostPush” went even further, infecting the recovery script in the user’s ROM to make sure its annoying advertisement components are reinstalled even if the user flashes a new ROM.

Malware Comes Through the Back Door

Illegitimate adware wasn’t alone in compromising users’ private data. Some legitimate advertisement Software Development Kits (SDKs) became targets of malware themselves. Baidu’s Moplus SDK for Android implemented an HTTP server for advertisement purposes with no proper authentication, making it vulnerable to Man-in-the-Middle (MITM) attacks from malicious agents.

On iOS, a different SDK named mobiSage was found by security researchers to be exploitable as a backdoor. The vulnerable advertisement library processed commands from a high-level JavaScript context and dispatched them to an Objective-C class. This interface exposed the library to potential abuse as a backdoor: if abused, the library could leak data such as audio recordings, screenshots and device location, and could also enable side-loading of non-App Store apps.

These vulnerabilities are subtle in nature and leave even security-savvy users exposed to specially crafted attacks. While it is our duty as security researchers to keep an eye open for vulnerabilities of this kind in popular software, users should also make sure they update their apps to versions in which dangerous security loopholes have been fixed.

Mobile Malware Made Bank

Financial info-stealers, or “bankers,” are very straightforward in their money-making motives, but their technical nuances can be quite stealthy. We saw a rise in the use of such banker malware this year, including the mysterious “Singaporean Banker,” an info-stealer that started infecting users of mobile banking apps in Singapore.

After further investigation and reverse engineering of a few samples, researchers determined this info-stealing bot is in fact a tweaked version of GM-bot, a well-known financial bot for Android that most probably originated in Russia. Interestingly, the Singaporean version of the malware checks that its locale is not .RU as part of its execution flow. Russian mobile users were less fortunate: there was a rise in occurrences of Zbot targeting Russian-speaking users with fake apps under names like “Установка 1.0” (“Installation 1.0”), which silently attacked existing mobile banking apps on the target device.

Both of these malware families, and many others, work in a very similar manner: they scan the device’s list of installed apps for banking apps (and other financially sensitive apps such as Google Play) and send the retrieved list to a remote C&C server. The server responds with an updated pack of resources tailored for UI hijacking of the login windows of the target financial apps. After obtaining all the needed resources, they lurk undetected in the background, waiting for the user to initiate a login session with a financial app. At just the right time they cover the UI with a fake replacement window under the cybercriminals’ control and leak the credentials to a malicious server.
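The flow just described needs several platform capabilities at once: network access to reach the C&C, a way to tell when the victim app is in the foreground, and the ability to draw a window over it, usually with a restart hook so the bot survives reboots. The following is an added example, not code from the post or from Check Point, of a static triage step a defender can run over a decoded AndroidManifest.xml. The mapping from permissions to behaviours is an assumption made for this example (a heuristic for prioritising review, not a signature; many legitimate apps request overlay permission), and both manifests are constructed inline rather than taken from real apps.

```python
"""Added example: static triage of an Android manifest for overlay-banker traits.

The permission-to-behaviour mapping is an assumption for this example; treat the
output as a prioritisation hint, not a verdict. Manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from requested permissions to steps of the flow described above.
BEHAVIOURS = {
    "android.permission.INTERNET": "network",                 # talk to the C&C
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",       # draw over the bank app
    "android.permission.GET_TASKS": "foreground_watch",        # know when the bank app is up
    "android.permission.PACKAGE_USAGE_STATS": "foreground_watch",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_persist",
}

# All three of these together are the minimum for the UI-hijack step.
CORE = {"network", "overlay", "foreground_watch"}


def parse_manifest(manifest_xml):
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    perms.discard(None)
    return root.get("package"), perms


def triage(manifest_xml):
    """Map permissions to behaviours and flag manifests that cover the core set."""
    package, perms = parse_manifest(manifest_xml)
    behaviours = {BEHAVIOURS[p] for p in perms if p in BEHAVIOURS}
    verdict = "review" if CORE <= behaviours else "ok"
    return {
        "package": package,
        "behaviours": sorted(behaviours),
        "score": len(behaviours),
        "verdict": verdict,
    }


# Constructed manifests (not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight"/>
</manifest>"""


if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(triage(m))
```

A flashlight app that needs to know which app is in the foreground and to draw over it is worth a closer look; a weather app requesting only network and coarse location is not. Run against real manifests, this is a first filter before dynamic analysis, which is where the C&C exchange and the overlay itself would actually be observed.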

The financial gain from such malware is a good reason to believe we’ll keep seeing this kind of threat getting ever more sophisticated, with advanced stealth and obfuscation methods.

What can you expect in 2016?

Looking ahead to 2016, Android will continue to be a security concern, but I expect we’ll experience more attacks on iOS. That’s because iPhones and iPads continue to gain popularity globally, making them prime, high-value targets for cybercriminals.

Apple takes device security seriously and makes every iOS version harder to jailbreak. However, acclaimed jailbreaking teams Pangu and TaiG continue to get most of the security buzz in the iOS community. In fact, since the iPhone 4 we’ve seen the time gap between the release of an iOS update and a successful jailbreak become smaller and smaller.

This can only be attributed to the extremely high motivation for jailbreaking on the hacking groups’ side. It’s only a matter of time before cybercriminals climb over the App Store’s walled garden with APTs that use exploit packs to escalate privileges and gain full control over the attacked device.

Android malware will also become even more evasive. We’ll start seeing steganographic methods being used in the wild, like decoding executable payloads from strings hidden in image files. I expect stealth methods like this (in combination with the obfuscation capabilities of off-the-shelf packers and custom encryption) will get much more complicated in 2016 as detection methods get smarter and more accurate.

On top of these risks, I expect we’ll experience a trend of cybercriminals using advanced techniques to take over and control not only individual devices but also groups of devices. Controlling one device is fun, but controlling an army of devices is a real money-maker. Botnets are getting bigger and better orchestrated, giving hackers a range of malicious capabilities from massive spamming schemes and heavy DDoS attacks to cryptocurrency mining.

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.