FIREEYE ADVANCED THREAT PROTECTION BYOM: Bring Your Own Malware Matthew WONG - Consulting Engineer of FireEye Hong Kong and Macau


Numbers Show a Harsh Reality

• 2/3 of U.S. firms report that they have been the victim of cybersecurity
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR in unique malware since 2009
• 9,000+
• Every second, 14 adults become a victim of cyber crime
• 6.5x number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week
• HKCERT Cyber Incident


Mobile Blooming Statistics

• Smartphone adoption: 10x faster than the PC revolution of the 1980s, 2x faster than the 1990s Internet boom, 3x faster than even today's social networks
• An average of 52% of workers use their personal mobile device for work, 69% in Asia Pacific
• Mobile malware grew 614% in 2012-2013
• 2/3 of mobile applications in the Google Play store had at least one vulnerability


Mobile Cyber Security Becomes Part of Daily Life


Cyber Crime Is Focused on Mobile


Further Incidents After a Mobile Device Is Hacked


Cybercrime Is Focused on Mobile


Fake Banking App


Other Security Concerns

• Use Android Smart Lock
• Use Android Encryption
• DO NOT USE FINGERPRINT AUTH


Hackers Become Creative


Step into the Future of Hacking


Imagine the Mobile Future


Traditional AV Is Failing


Mobile Security News – Political Hack


Mobile Security News – Financial Gain


App Development

• Reusable app libraries
• Outsourced apps
• Malicious building blocks


Anatomy of a Mobile Threat

Scenario: 10AM meeting about company acquisition. Battlefield: enterprise IP; tracking executive location. Stolen data goes to a callback server (exfiltration).

1. Calendar access
2. Microphone access
3. Exfiltration
4. The tip of the iceberg:
   – Transparent SMS
   – Call records
   – Video surveillance
   – Root access
   – Fine-grained GPS location
   – History & bookmarks
   – Lateral exploit spread
   – Exfiltration of contacts

Hidden malicious behavior (the app appears benign)


Mobile App Threat Categories

• Malware
• Vulnerable apps
• Adware
• Apps with undesired/unintended security consequences


MisoSMS - Malware

Infection and exfiltration flow shown on the slide:

1. SMS phishing message carrying a link ("Interesting stuff: http://84udjhtg")
2. Server hosting the malicious APK (attacker's server or app store)
3. Victim downloads MisoSMS
4. MisoSMS uploads SMS messages to a 360.cn mail service


First Mobile Botnet Takedown

• Worked with 360.cn to ban attackers’ email accounts for collecting stolen SMS messages

• From network measurements: almost 200,000 SMS messages were stolen


Fake Anti-virus / Scam-ware on Google Play

● Fake AV apps
● "Anti-Hacker"
  – 50,000 downloads
  – Less than 800 lines of code


Adware on App Markets

[Chart: share of adware and malware in apps from the markets lenovo, nduo, opera, anzhi, pdassi, mumayi, appchina, slideme, hiapk and appsapk; y-axis 0% to 14%]

• 6.7% adware in APKs crawled from Google Play in 8 months


Ad Library Prevalent on Google Play: Main Method for Monetization

Ad Library        Usage Count   Percentage
Admob             51176         36.60%
Flurry            15289         10.93%
Millennial Media  7949          5.68%
Chartboost        7517          5.38%
Inmobi            7307          5.23%
Tapjoy            6740          4.82%
Izp               5917          4.23%
Applift           5187          3.71%
Mopub             4209          3.01%
Revmob            2253          1.61%

Data collected on Google Play apps with 100K+ downloads


Common Ad Lib Sensitive Behaviors

• Collect personal information – name, address, age, gender, email address, etc.

• Collect device information – IMEI, MAC, Android ID, Android version, list of installed apps

• Modify bookmark history, calendar, and contacts

• Push ads to the notification tray of the phone even when the app is not running

• Send premium SMS as a form of payment

• Intercept incoming SMS and check for messages from certain phone numbers


Vulnerable Apps - Incorrect use of SSL/TLS

Vulnerabilities
– Applications use trust managers that trust all certificates and open themselves to MITM attacks
– Applications replace hostname verifiers with versions that do not check the hostname of the server the application is connecting to
– Applications that embed web pages ignore SSL errors by doing nothing in onReceivedSslError

Consequences – MITM attacks!
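As an added example (not code from the slides or from FireEye), the three misuses listed above in Android Java, each beside the form that keeps certificate and hostname validation intact; the class name TlsExamples and the method openSecure are names chosen for this illustration.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsExamples {
    // VULNERABLE (1): a trust manager that accepts every certificate. Anyone on
    // the network path can present a self-signed certificate and the app will
    // still talk to them, which is the MITM case the slide describes.
    static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String auth) { }
        public void checkServerTrusted(X509Certificate[] chain, String auth) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };

    // VULNERABLE (2): a hostname verifier that never compares the certificate
    // with the host, so a valid certificate for any other domain is accepted.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) { return true; }
    };

    // FIXED (1) and (2): keep the platform's default trust store and default
    // hostname verifier. Never pass TRUST_ALL to setSSLSocketFactory or
    // ALLOW_ALL to setHostnameVerifier; a code audit should flag both calls.
    static HttpsURLConnection openSecure(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // SSLContext.getDefault() validates the chain against the system CA store.
        conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        // The default HostnameVerifier already checks the host; leave it in place.
        return conn;
    }

    // VULNERABLE (3) vs FIXED (3): WebViewClient.onReceivedSslError. An override
    // that ignores the error (typically by calling handler.proceed()) lets a
    // MITM page load; cancelling the load, as below, is the safe choice.
    static class SafeWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();   // never handler.proceed()
        }
    }
}
```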


SSL/TLS vulnerabilities

[Chart: safe vs. unsafe share of applications for three categories: trust managers that do not check server certificates; hostname verifiers that do not verify hostnames; applications that ignore SSL errors in WebKit; y-axis 0% to 100%]

Dataset: the 1000 most downloaded applications from Google Play; 611/1000 use SSL


Uploading contacts in bulk

Apps with undesired/unintended security consequences:

• Truecaller - Caller ID & Block (10,000,000+ downloads): "See who the unknown caller is, block unwanted calls and SMS, and manage your contacts for FREE. …NEVER uploads your phonebook to make it searchable or public."
• TeenPatti: Indian Poker (500,000+ downloads): "Teen Patti is the fastest and the most exciting Indian card game, similar to poker."

Observed behaviors:

• Uploads entire contacts list, uploads incoming SMS sender without user interaction
• Uploads entire contacts list


Latest Solution Covering All App Threat Categories

Risk type, compared across top AV vendors and the latest solution:

• Malware: the latest solution detects previously unknown malware with signature-less detection, unlike AV
• Adware: the latest solution detects double the number of ad libraries for adware detection compared with traditional AV
• Vulnerabilities: the latest solution provides the most comprehensive detection of different classes of vulnerabilities in apps
• Undesired security consequences: the latest solution provides the most comprehensive detection of sensitive/undesired behaviors in apps


Live Demo: How the Latest Mobile Security Solution Works

• 100% of detection is based on cloud infrastructure, freeing up CPU and memory on the phone
• Non-signature-based solution, which helps detect the latest attacks
• Can provide detailed analysis of mobile threat behavior and the action taken


Uncovering the Threat: Contextual Correlation

1. Does the app violate security policies?
2. What kind of behavior does the app exhibit?
3. Is the app malicious?

Analysis dimensions: Security Policy, Information, File System, Exploit, Network, Behavior


iOS 8.3 Vulnerability

Discovered by FireEye


Secure without extra load on Mobile Devices

[Graphic: app download counts of 10K, 1M and 10M]

Leave a name card at the FireEye booth and we will have a demo after the session.


THANK YOU!

Questions and Answers
