In The Wild: Mobile Malware Follows in the Steps of its PC Cousins

Mobile Security Observations from the Check Point Research Team

Mobile malware is still a growing phenomenon and, in many cases, follows the lead set by predecessors in the PC world. This week the Check Point research team encountered different mobile malware that adopted techniques previously known only in the PC world. This is not a new trend, and our team expects it will grow even further.

Drive-by Attacks Go Mobile

Drive-by attacks using exploit kits have been around for a long time and are among the most common ways to infect PCs. In mobile, they are much less common, but there’s a new mobile ransomware campaign that uses a combination of two known exploits to infect mobile devices.

The first exploit is Hacking Team’s infamous libxslt exploit, which was used to serve users a second Android exploit called Towelroot. Once infected, the ransomware locks the device and demands $200 in iTunes gift cards to release it. This is a strange choice of currency: unlike bitcoin, the payment method of choice for ransomware developers, iTunes gift cards are inherently simple to track. This campaign can target users running Android versions between 4.0.3 and 4.4.4, which is roughly 50% of all Android devices.

This emphasizes once again the importance of maintaining software updates, and the risks of growing Android fragmentation. According to Google’s report, over 30% of Android devices do not receive security patches, so clearly, this is a widespread security compromise.

Mobile AVs Receive an Update: You’re Terminated!

Another tactic learned from PC malware has been adopted by mobile malware lately. Malware disguised as a Chrome update terminates antivirus processes to evade detection. The malware’s process flow is more disturbing still: once installed, it requests device administrator access, which enables it to act on its malicious objectives.

The malware then steals SMS messages and call information, and attempts to steal credit card information by presenting a spoofed login page. All of the data is then sent to a Russian phone number.

Creeps Have Their Waze

Researchers found an exploit that allows an intruder to track your location in real time using Waze, a popular navigation app with more than 100 million installs. After reverse engineering Waze’s protocol, the researchers found they could create thousands of ghost drivers (using device emulators) that monitor the real drivers around them.

This is another reminder that even highly reputable apps can be dangerous for users. We have previously addressed this issue when discussing the dangers of leaky apps. According to our research team’s analysis of more than 1,500,000 different apps, up to 43% of iOS apps and 46% of Android apps leak information. Such leaks can end up in malicious hands, even if the app developers did not intend it.

Google Play – Never a Boring Moment

It seems that Google Play is under constant attack. Unfortunately, too many apps succeed in finding their way onto Play so they can infect users. This time, 11 mobile applications published on Google Play targeted customers of popular payment card companies and online payment sites. These were lightweight apps, typically containing only a primary activity that hosts a WebView pointed at the phishing site’s URL.
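The lightweight WebView shell described above suggests a simple triage heuristic for app-store review or malware analysis. The script below is an added example, not Check Point’s tooling: it assumes the AndroidManifest and the app’s string pool have already been extracted from the APK (both are constructed samples here) and flags only the full combination of a single activity, INTERNET as the sole permission, a WebView.loadUrl reference and a hardcoded URL outside the domain implied by the package name.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample manifest mirroring the lightweight app shape described above:
# one launcher activity, the INTERNET permission and nothing else.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Card Helper">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample of strings pulled from the decompiled code (e.g. the DEX string pool).
SAMPLE_STRINGS = ["Landroid/webkit/WebView;", "loadUrl",
                  "http://secure-login.example-phish.test/card/verify"]

def package_domain(package):
    """com.example.cardhelper -> example.com (the developer domain the package name implies)."""
    parts = package.split(".")
    return ".".join(reversed(parts[:2])) if len(parts) >= 2 else package

def triage(manifest_xml, strings):
    """Return the matched indicators when the app fits the single-activity WebView
    phishing shape; an empty list means the pattern did not fully match."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    activities = [a.get(ANDROID_NS + "name") for a in root.iter("activity")]
    uses_webview = any("WebView" in s for s in strings) and any("loadUrl" in s for s in strings)
    own_domain = package_domain(root.get("package", ""))
    foreign_urls = [u for s in strings for u in URL_RE.findall(s)
                    if not (urlparse(u).hostname or "").endswith(own_domain)]
    reasons = []
    if len(activities) == 1:
        reasons.append("single activity")
    if perms == {"android.permission.INTERNET"}:
        reasons.append("INTERNET is the only permission")
    if uses_webview:
        reasons.append("WebView.loadUrl referenced")
    if foreign_urls:
        reasons.append("hardcoded URL outside package domain: " + ", ".join(foreign_urls))
    # Each indicator alone is common in benign apps; only the full combination merits analyst time.
    return reasons if len(reasons) == 4 else []
```

Run against a corpus of decoded APKs, the hits are a candidate list for manual review, not a verdict.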

The main takeaway from this story, as from many others, is that users cannot rely on official app store security measures to stay protected. Users must implement comprehensive security solutions capable of protecting them against the full spectrum of attacks, and as we saw only in the past week, this is a very broad range.

Learn more: Check Point Mobile Threat Prevention

See it in action: Schedule a demo of Mobile Threat Prevention

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.