The main purpose of any business is to grow and be more successful – and that applies to criminal organizations just as much as it does to legitimate companies. Cybercriminals have found that attacks specifically targeting smartphones and tablets, particularly those that incorporate a ransomware payload, are effective and profitable – which is why the volume of malware targeting users of mobile devices trebled during 2015.
Nevertheless, the actual structure of mobile attacks has, until recently, tended to be very simple.
A malicious app is delivered to the mobile device, sometimes as an attachment or as a download from a compromised web link. From there the app does its damage, either by using the default system permissions it’s given, by trying to elevate its permissions nefariously, or by implementing an exploit and, from there, using native code for harmful behaviour. From there the package does its damage either by using default system application program interfaces (APIs) with its given permissions, or by trying to implement an exploit and finally leveraging native code to perform harmful behavior.
Today, however, things are changing. The tactics used by criminals to target mobile devices are now more sophisticated and stealthier, with the aim of successfully infecting and persisting on more devices than earlier, cruder malware ever could. These are known as ‘chain attacks,’ formed of several malware components or ‘links,’ each of which has a different objective and a separate function in the scheme of an attack.
The links in the chain
A well-organized chain attack would be expected to incorporate the following:
- A dropper, which may seem fairly benign in itself. Its role is to launch the attack by downloading or unpacking the next link in the chain. For example, the Brain Test mobile chain attack, the dropper is disguised as a legitimate game app available for download on Google Play.
- An exploit pack. This enables code execution with higher privileges, typically root privileges. In turn, this means that malware can access sensitive resources such as hardware and system files. If successful, the next link in the chain is downloaded.
- The malicious payload can vary enormously. Many are ransomware variants, which encrypt the data on the device and demand payment in return for decrypting it. Other payloads are information-stealing apps. In the Brain Test attack, the payload downloads further fraudulent apps for financial gain.
- Some chain attacks contain persistency watchdogs, which prevent the installed malicious app or its background services from being removed. If a malicious component crucial to the attack is removed, the watchdog will automatically trigger its reinstallation. The Brain Test malware used these anti-uninstall techniques, making it very difficult for users to remove.
- A backdoor component may also be used. This exposes an interface for remote code execution, making it possible for cybercriminals to control their victims’ devices in real time. Brain Test establishes a rootkit on each compromised device, allowing it to download and execute any code a cybercriminal wants to run on that device.
Why chain attacks?
Chain attacks can be hugely damaging, but why are they becoming such a popular attack method for cybercriminals? It all goes back to those multiple links. Because a chain attack is formed of several components, any successful attack identification or hindrance is likely to apply to just a limited part of the overall attack. Each file that makes up a chain attack generates just a fraction of the attack’s overall malicious activity, which is far harder to detect than a complete malware variant generating a large volume of malicious behaviors.
This means that individual chain attacks are more likely to be successful, but also that cybercriminals can easily tweak or upgrade an attack that has only been partially identified and understood. Chain attack link structures lend themselves to being built with a more modular code, which makes it simpler for the malware to later evolve and accustom itself to new systems, targets and geographic regions. It is a very adaptable attack form.
Additionally, chain attacks allow attackers to handpick their targets, using initial information and continuing to install the crucial components only if the victim is deemed worthy. This increases the efficacy of each individual attack, but also avoids unnecessary spreading of the malware, which makes it harder to security vendors to obtain samples in order to fight it.
Breaking the chain
So how can businesses guard against chain attacks? Once again, we have to go back to the link structure. It is crucial that the security solutions used are able to detect and halt any and all of the components in the chain separately from each other. This includes any attempts to escalate privileges, to execute commands without user consent and to download suspicious files.
Of course, ‘suspicious files’ is a subjective term, and the Brain Test attack example shows just how innocuous the ‘dropper’ stage of a chain attack can appear. One potential answer to this is to implement a security solution that automatically quarantines all attempted downloads – whether apps or attachments emailed to the device – and inspects them in the cloud for possible malicious behaviors. Indeed, checking for general malicious behavior rather than matching against a database of known malware is particularly important in the agile, ever-changing world of chain attacks where criminals are able to tweak existing malware easily.
Clearly, this kind of monitoring requires continual analysis of mobile devices, rather than isolated periods of inspection. All downloaded apps should also be inspected, not just for the unique binary signatures of known malware, but also reverse-engineered for code-flow analysis. As so many chain attacks attempt to gain root privileges, monitoring configuration and behavior analysis can help to pinpoint when and how these attempts are made.
The crucial point to remember is that mobile chain attacks are the sum of separate, sophisticated parts – and mobile security processes need to treat them as such.