In some ways, this week’s summary somewhat highlights the polarity of the mobile security world. With the year’s biggest security conference in the form of RSA finishing today, we can see that while awareness to the severity and size of the issue of mobile security is growing and evolving, so are the threats.
- A brand new mRAT (Mobile Remote Access Trojan), based on Tor, that targets Android devices has been discovered. The first of its kind, a Tor network client, Orbot, has been modified to act as a malicious bot. It uses the Tor network’s .onion proxy servers to disguise the origin and location of its Command and Control (C&C) center. This method has been popular in the PC realm for a while but is new to the mobile world.The mRAT enables several forms of espionage:
- Interception and concealment of incoming and outgoing messages;
- The prevention and theft of outgoing messages;
- Retrieving telephone data including model, OS version, country, app installation list and IMEI;
- Remote Execution of malicious code.
Why is this significant?
Using Tor makes tracking the C&C extremely difficult. This is potentially a massive step forward in attacker anonymity. The only potential upside, is that these concealment methods require a lot more code, and so if an infected mobile device suddenly has an increase in data usage caused by the large and difficult to download bundle, a user is more likely to realize something is wrong.
- Background monitoring possible on non-Jailbroken iOS 7 Devices
Background monitoring apps have existed for Jailbroken phones for quite a while now. Once a phone is Jailbroken an mRAT can be installed to basically track all user activity. This is the first discovery, however, of a vulnerability that enables monitoring on a clean, non-Jailbroken iOS device.The vulnerability, which seems to exist in all versions of iOS 7, allows a monitoring app to record all the user touch/press events in the background, including touches on the screen, home button press, volume button TouchID press. The app can then send all user events to a remote server.Currently, mitigation can be performed by a slightly lopsided, but efficient method. By using the iOS task manager to stop Apps from running in the background – users can press the Home button twice to enter the task manager and then close any suspicious Apps.
Why is this significant?
Until now, many severe threats to iOS required the phone to be Jailbroken in order to work. This, along with several other similar advances in malware and mRATs, proves that attacks on non-Jailbroken devices are just a matter of time.
- Android users under attack through malicious ads in Facebook.One of the most common ways attackers attempt to access their targets is by drawing their attention to an ad or banner. It’s not that much of a surprise that hackers have now found a way of combining Facebook, WhatsApp (the leading text messaging program for smartphones, recently acquired by Facebook) and Android to defraud users.
Once the ad is clicked, the user is directed to a fake (but remarkably well built) Google Play Store. The user still has to select install. In what has become a recurring modus operandi, the malware acquires the user’s number via WhatsApp and signs up to a Premium SMS service.http://www.theregister.co.uk/2014/02/14/fake_ssl_cert_peril/
Why is significant?
Firstly, this a major example of Malware going after the biggest players of the Mobile world. With dating App Tinder also suffering an embarrassing failure this week(http://zd.net/1d8CDsd), this issue silences any views that present the more established Apps and companies as being more immune. In this case, the payload currently seems to be more of a financial bother that anything else. It could just have easily be an mRAT instead of an SMS service. - Apple release iOS 7.0.6 to fix SSL issue. It immediately gets Jailbroken.
Earlier this week, we tweeted that iOS 7.0.6 had been Jailbroken less than 24 hours after being released. Apart from that being a serious issue in itself, we should take a closer look at why 7.0.6 was released in the first place.Apple weren’t too vocal about the fact that the update patches a serious SSL connection verification issue that could have affected both iOS and OSX users and exposed them to MiTM attacks.http://www.idownloadblog.com/2014/02/22/evasi0n7-1-0-6-for-ios-7-06/
http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/Why this is significant?
Besides the speed of the Jailbreak, which says a lot about the implications of BYOD, we’d rather highlight the SSL verification. Due to the error the process of validating the certificate was skipped, meaning that if it looked like the certificate was valid it would trust whatever you sent after that. - Metasploit Module Targets Old Android Vulnerability. Before addressing the vulnerability itself, it’s worth mentioning the platform it’s based on. Metasploit is a penetration testing tool – meaning it’s aimed at companies trying to improve their security. This is another interesting and perhaps worrying turn in the world of Malware platforms.
Android devices prior to version 4.2.1 of the operating system – 70 % of the phones and tablets in circulation – have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks. Although patched in 4.2.2 (released just over a year ago), with carriers and device makers reticent to be quick with updates and security patches, close to 75% of Android users are at risk. Comparatively, reports show that KitKat, the latest version of Android, has yet to hit 2% adoption.
The exploit module, can enable access to the device camera, location data, information stored on a SD card and even the user’s address book. Metasploit presents a simple attack process, which can be triggered by a malicious QR code the victim scans with their device and opens a command shell for the attacker.
http://threatpost.com/70-percent-of-android-devices-exposed-for-93-weeks-to-simple-attack/104359
Why is significant?
Many devices are still running 4.2.1, so this doesn’t need much explaining. Reading between the lines shows that attackers are adopting new ways of accessing the targets, both to initially acquire and then infect the device.