DIY Attribution, Classification, and In-depth Analysis of Mobile Malware

The security research community has been dealing with malware attribution and classification for decades. The benefits of this process for PC-based malware are myriad and well known. Check Point has followed the same process for multiple malware campaigns during the last year, including Volatile Cedar, Rocket-Kitten, and the Nuclear Exploit Kit.

In fact, the PC malware research field is so mature that many security-savvy enterprises now have their own internal teams of cyberanalysts. These teams conduct in-depth malware research as part of their incident response and threat intelligence duties with a focus on their organization’s specific needs, domains, and adversaries.

However, the tools, skills, and knowledge used in the world of PC malware haven’t fully evolved to serve these analysts when it comes to mobile malware. This puts them and the organizations they serve at a disadvantage. Classifying, attributing, and performing in-depth analysis of mobile malware is even more critical than it is for PC malware because:

  • The mobile ecosystem is far more dynamic, so cybercriminals are constantly evolving the tools they use to keep up. They’re also looking for sustainable, scalable business models that generate revenue through fraud while defeating security enhancements introduced by Apple and Google on a regular basis.
  • Attribution and malware family categorization reveal trends in the broader cybercriminal community. This helps enterprises deploy appropriate defenses before a trend turns into an epidemic. ElevenPaths details an excellent example of how it was able to categorize and attribute two malware campaigns discovered by Check Point – BrainTest and HummingBad. It explains how rooting Android devices and placing a backdoor on them is a technique now used by multiple distinct malware families authored by at least two distinct groups of Chinese cybercriminals.
  • Proper malware risk categorization is of particular importance for mobile threat defense in Bring Your Own Device (BYOD) deployments. If an employee installs aggressive adware on a device, would that be enough to block access to corporate email on its own? What if the adware roots and places a backdoor on a device? What if the adware doesn’t root the device but provides access to a group that generates rootkits? These are difficult questions to answer without the proper context and categorization.

While Check Point’s Mobile Threat Prevention Advanced Response Team (ART) addresses concerns like these on a daily basis as part of the service it provides, many customers would like to have these capabilities in-house to run their own investigations in parallel or off-line.

Enter the world of Tacyt

Tacyt is an intelligence-led tool for the monitoring and analysis of mobile threats. Developed by ElevenPaths, a Telefónica company, Tacyt gives professionals and security experts a big data platform for investigating the mobile app ecosystem. It is the first off-the-shelf, enterprise-grade service that cyber analysts can use to conduct full investigations, including mobile malware research, attribution, categorization, and monitoring.

This innovative tool allows analysts to search, match, and investigate different parameters (metadata) of iOS and Android apps that Tacyt obtains through its powerful cross-market and cross-platform search engine. The solution enables the analyst to identify potential “singularities,” a concept that refers to any data, technical or circumstantial, that makes an app, or its developer as a person, singular or unique relative to others within a reasonable margin of error. Additionally, Tacyt collects indicators of compromise (IoCs), properties, and identifiers from each app, building up a unique app big data set with a historical record of over 6 million current and past versions.

Tacyt is easy to use, provides a sleek interface, and has an extensive set of APIs for automation. Also, reports can trigger alerts on specific app properties, extending the use-cases to brand protection and campaign monitoring.

Check Point Mobile Threat Prevention and Tacyt

Check Point Mobile Threat Prevention and Tacyt complement each other. Mobile Threat Prevention provides the highest level of security for iOS and Android smartphones and tablets. It scores mobile threat risks and feeds this information into mobile device management (MDM) compliance engines in real time. Using this information, an MDM can automatically trigger appropriate reactive security measures, such as blocking a device’s access to corporate email or other sensitive systems.

When combined with Tacyt, the joint solution allows customers to conduct in-depth research into any incidents Mobile Threat Prevention detects. This provides full context and a better understanding of the exposure to cyberthreats on the mobile devices the enterprise supports. Telefónica, which chose Check Point Mobile Threat Prevention as the mobile security offering for its enterprise customers, offers this joint solution today.

For more information, check out ElevenPaths and schedule a demo of Check Point Mobile Threat Prevention today.

Michael Shaulov is Head of Mobility Product Management at Check Point Software Technologies.