In The Wild: Mobile Security Observations from the Check Point Research Team
We saw last week just how fast the mobile world is advancing at the Mobile World Congress. Unfortunately, though, alongside all the shiny new devices comes new malware. This week we will review a few extremely interesting new malware, both in iOS and Android. In addition, we’ll take a look at a newly exposed proof of concept exploiting a known vulnerability.
ZergHelper is No Help At All
iOS is a secure environment, strictly controlled by Apple. Any developer’s application published on the official App Store must first be reviewed by Apple. However, Apple provides two avenues through which the review can be bypassed: Developer and Enterprise certificates. Originally, these were intended to allow enterprises and developers to develop and experiment apps on their own.
Be that as it may, these certificates are also commonly used by third party stores to sidestep Apple’s security. Third party stores are not alone in utilizing this architecture flaw in iOS. Mobile malware has taken advantage of it several times in the past. Yispecter and Masque attack are good examples for such malware.
This time, ZergHelper uses a new technique to spread its components. The main application managed to pass Apple’s scrutiny undetected. The application displays different behaviors according to the device’s location in the world. It will show its true nature only if it detects it is located in China.
Once installed on a device in China, the app uses social engineering to install two configuration profiles. Using these profiles alongside developer and enterprise certificates, the app installs additional apps. These apps did not go through Apple’s review, and can easily contain malicious code.
What’s the big deal?
The fact that ZergHelper infiltrated the official App Store, despite Apple’s review, is alarming by itself. In addition, ZergHelper can be used to install malware on non-jailbroken devices. This is yet another reminder of how sophisticated malware has become. Following best practices and installing apps only from trusted sources is important, but is not enough. If you wish to keep your organization clean from mobile malware you must have additional protections.
Android Accessibility Serves Malware
A new proof of concept for an alarming threat to Android users was found recently. The proof of concept involves two factors we have already discussed in the past. The first is the Android Accessibility service. This service is meant to help users with disabilities, but as we have seen in the past when it’s abused it can grant attackers extensive permissions. The second factor in this proof of concept is Clickjacking, just as we have seen in a recent Banker clickjacker.
Just like many other advancements, no new innovative technology was introduced here. The researchers simply put together two known vulnerabilities, creating a whole new threat. They have managed to prove that an application could clickjack you into allowing it to gain access to your most sensitive information (Gmail, Facebook etc.).
This is another reminder that not only the new and innovative advancements are dangerous. It is important to properly understand existing threats and their possible implementations. Attackers often manage to surpass security by changing a small characteristic in their operation.
Last But Definitely Not Least
Every once in a while a really extraordinary malware shows up. Researchers have recently discovered such a malware in the wild. This malware has shown a major leap in complexity. Called Triada, this Android malware is the first of its kind, but more will surely follow.
Triada begins with rooting the device, using a privilege escalation vulnerability. Once it achieves root, it places itself in the zygote system process. This process is the parent process for all user application processes running on an Android device. Infecting this system process allows the malware to contaminate by proxy all other apps on the devices.
Triada piggybacks legitimate applications which use SMS messages for in-app purchases. To do so, it detects which apps allow in-app purchases. Once a purchase is made, Triada leverages its system level malicious compromise to highjack the raw SMS data (PDU) and send it directly to its C&C servers to gain profit for the attackers (unlike less sophisticated info stealers that have to rely on Android permissions to request the SMS from the system).
But that’s not all!Triada uses a variety of cutting-edge evasive methods. It has the ability to overrun requests for process and services lists and provide an alternate version, excluding itself. In addition, the malware downloads many of its malicious modules from its C&C. Once downloaded, it copies the malicious libraries to the zygote process and then removes the modules from
Triada uses a variety of cutting-edge evasive methods. It has the ability to overrun requests for process and services lists and provide an alternate version, excluding itself. In addition, the malware downloads many of its malicious modules from its C&C. Once downloaded, it copies the malicious libraries to the zygote process and then removes the modules from hard-memory. If the device is inspected, these malicious components will not extradite the malware’s existence.
Malware continues to invent new methods of operation. They constantly develop new ways to infiltrate and abuse devices, as well as evade detection. Organizations must use security technologies that can protect them against zero-day malware. Check Point’s Mobile Threat Prevention solution offers the most advanced and effective technology, with the highest rate of catching zero-day threats.
Learn more:
Check Point Mobile Threat Prevention
See it in action:
Schedule a demo of Mobile Threat Prevention
Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.