In The Wild: Mobile Security Observations from the Check Point Research Team

In the last two weeks, we have seen malware bypass Google Play once again, and others leap over the 2FA obstacle. In addition, new reports show that even the most guarded vendors’ security designs can allow malware to infect them through built-in flaws. Let’s review the top stories:

Blackphone: A Bleak Vulnerability Found

Researchers discovered a vulnerability in Blackphone, which is supposedly one of the most secure phones on the market. The flaw lies in the phone’s NVIDIA Icera modem, which communicates over an open socket running with elevated privileges. Because this socket is reachable by other applications installed on the phone, any of them could potentially send it commands. If exploited, the vulnerability would allow an attacker to take complete control of the device. For the full story, see SecurityWeek’s report.

Why is this significant?

Such vulnerabilities, even in devices that are secure by design, point to the need for a new kind of mobile security. Security measures must be able to detect zero-day exploits and other malware trying to take control of a device. This is especially true for Android, where fragmentation and constant delays in delivering patches leave known vulnerabilities open for long periods.

BrainTest Causes More Headaches

This malicious app family, discovered by Check Point in September, has reappeared on Google Play. Google subsequently removed 13 apps belonging to the same family from the store. Just like previous versions, these apps bypassed Google’s protection by embedding themselves in seemingly legitimate apps that were admitted to Google Play. Once on a device, they root it and download additional apps without the user’s permission.

Why is this significant?

Even well-known mobile threats can remain dangerous. New threats, meanwhile, are on the rise and keep adapting to security changes in order to infect devices. Malicious apps get into Google Play over and over, using permutation and obfuscation techniques that evade conventional antivirus and store protections. The solution, therefore, is a threat emulation and prevention solution that can detect such malware variants.

Turkish Clicker Keeps On Clicking

The Check Point research team discovered an extensive ad-network malware campaign on the Google Play store. The malware is embedded in various apps that activate malicious JavaScript to click on as many ads as possible. Read our full blog post for further details.

Why is this significant?

Although this malware was only intended to generate ad revenue, the next attack could easily target corporate or personal information on infected devices. That could put personal financial data, business records, and other sensitive information at risk. The discovery of previously unknown malware emphasizes the importance of implementing security solutions that can detect and mitigate threats.

2FA: More Is No Longer Better

Two-factor authentication was devised after numerous cases of credential theft. The idea is that when a user wants to access an account, the service provider sends an SMS containing a temporary passcode. Because of concerns that an attacker could gain access to SMS messages, some vendors switched to an automated phone call, which was thought to be much harder for an attacker to intercept. That assumption held until a new variant of the known malware Bankosy was found.

This is a tweak of the malware framework “GMbot”, which is also used by the Singaporea banker malware analyzed by Check Point. The modified malware can now redirect calls containing temporary passcodes to the attackers. If the attackers have also managed to obtain the user’s credentials, this new capability renders two-factor authentication useless.

Why is this significant?

Two-factor authentication methods are used by various services, including banking, education and even social networks. This security measure was considered very safe up until now, especially when it used a voice call as the second authentication factor. This is a natural yet disturbing development on the cyber criminals’ side, and it requires additional security precautions.

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.