FireEye Advanced Threat Protection
BYOM: Bring Your Own Malware
Matthew WONG - Consulting Engineer of FireEye, Hong Kong and Macau
Numbers Show a Harsh Reality
• 2/3 of U.S. firms report that they have been the victim of cybersecurity
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR of unique malware since 2009
• 9,000+
• Every second, 14 adults become a victim of cyber crime
• 6.5x number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week
HKCERT Cyber Incident
Mobile Blooming Statistics
• Smartphone adoption
 - 10x faster than the PC revolution in the 1980s
 - 2x faster than the 1990s Internet boom
 - 3x faster than even today's social networks
• An average of 52% of workers use their personal mobile device for work, 69% in Asia Pacific
• Mobile malware growth of 614% in 2012-2013
• 2/3 of mobile applications in the Google Play store had at least one vulnerability
Mobile cyber security becomes part of daily life
Cyber crime is focused on mobile
Further incidents after a mobile device is hacked
Cybercrime is focused on mobile
Fake Banking App
Other Security Concerns
• Use Android Smart Lock
• Use Android Encryption
• DO NOT USE FINGERPRINT AUTH
Hackers become creative
Step into the future of hacking
Imagine the Mobile Future
Traditional AV is failing
Mobile Security News – Political Hack
Mobile Security News – Financial Gain
App Development
• Reusable app libraries
• Outsourced app
• Malicious building blocks
Anatomy of a Mobile Threat
Scenario: 10AM meeting about company acquisition
1 Calendar access
2 Microphone access
3 Exfiltration (callback server)
4 The tip of the iceberg
Battlefield: enterprise IP, tracking executive location
• Transparent SMS
• Call records
• Video surveillance
• Root access
• Fine-grained GPS location
• History & bookmarks
• Lateral exploit spread
• Exfiltration of contacts
• Hidden malicious behavior
Mobile App Threat Categories
• Benign
• Malware
• Vulnerable apps
• Adware
• Apps with undesired/unintended security consequences
MisoSMS - Malware
Attack flow shown on the slide:
• SMS phishing: the victim receives a lure such as "Interesting stuff: http://84udjhtg"
• The link leads to a server hosting the malicious APK (attacker's server or app store), from which the victim downloads MisoSMS
• The malware uploads the victim's SMS messages to a 360.cn mail service
First Mobile Botnet Takedown
• Worked with 360.cn to ban attackers’ email accounts for collecting stolen SMS messages
• From network measurements: almost 200,000 SMS messages were stolen
Fake Anti-virus / Scam-ware on Google Play
• Fake AV apps
• "Anti-Hacker"
 – 50,000 downloads
 – Less than 800 lines of code
Adware on App Markets
[Chart: adware and malware rates (0–14%) across app markets: lenovo, nduo, opera, anzhi, pdassi, mumayi, appchina, slideme, hiapk, appsapk]
• 6.7% adware in APKs crawled from Google Play in 8 months
Ad Library Prevalent on Google Play: Main Method for Monetization
Ad Library Usage Count Percentage
Admob 51176 36.60%
Flurry 15289 10.93%
Millennial Media 7949 5.68%
Chartboost 7517 5.38%
Inmobi 7307 5.23%
Tapjoy 6740 4.82%
Izp 5917 4.23%
Applift 5187 3.71%
Mopub 4209 3.01%
Revmob 2253 1.61%
Data collected on Google Play apps with 100K+ downloads
Common Ad Lib Sensitive Behaviors
• Collect personal information – Name, address, age, gender, email address, etc
• Collect device information – IMEI, MAC, Android ID, Android version, list of installed apps
• Modify bookmark history, calendar, and contacts
• Push ads to the notification tray of the phone even when the app is not running
• Send premium SMS as a form of payment
• Intercept incoming SMS and check for messages from certain phone numbers
Vulnerable Apps - Incorrect use of SSL/TLS
Vulnerabilities
– Applications use trust managers that trust all certificates and open themselves to MITM attacks
– Applications replace hostname verifiers with versions that do not check the hostname of the server the application is connecting to
– Applications that embed web pages ignore SSL errors by doing nothing useful in onReceivedSslError
Consequences – MITM attacks!
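As an added example that is not code from the deck, the three unsafe patterns the slide lists (trust-all trust manager, no-op hostname verifier, a WebViewClient that proceeds past SSL errors) are shown beside their safe forms; the class and method names and the api.example.com URL are assumptions.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Illustrative class, not from the deck; names and the URL are assumptions.
public class TlsUsage {
    // UNSAFE 1: a trust manager that accepts every chain, so a MITM presenting
    // a self-signed certificate is accepted without complaint.
    static void installTrustAllManager() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { } // never throws
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
    // UNSAFE 2: a hostname verifier that never verifies, so a valid certificate
    // issued for any other name is accepted for this host.
    static void installNoopHostnameVerifier() {
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }
    // UNSAFE 3: a WebViewClient that ignores the SSL error and loads the page anyway.
    static WebViewClient ignoringSslErrors() {
        return new WebViewClient() {
            @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.proceed();
            }
        };
    }
    // SAFE 1 and 2: install nothing; the platform default validates the chain
    // against the device CA store and checks the hostname.
    static HttpsURLConnection safeConnection() throws Exception {
        return (HttpsURLConnection) new URL("https://api.example.com/").openConnection();
    }
    // SAFE 3: cancel the load on an SSL error (the WebViewClient default behaviour).
    static WebViewClient cancellingOnSslErrors() {
        return new WebViewClient() {
            @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.cancel();
            }
        };
    }
}
```

When reviewing a decompiled APK, an empty checkServerTrusted body, a verify() that returns true, or an onReceivedSslError that calls proceed() are the concrete markers of the three slide findings.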
SSL/TLS vulnerabilities
[Chart: share of safe vs. unsafe apps (0–100%) for three checks: trust managers that do not check server certificates; hostname verifiers that do not verify hostnames; applications that ignore SSL errors in WebKit]
Dataset: the 1000 most downloaded applications from Google Play; 611/1000 use SSL
Uploading contacts in bulk
Truecaller - Caller ID & Block (10,000,000+ downloads): "See who the unknown caller is, block unwanted calls and SMS, and manage your contacts for FREE. …NEVER uploads your phonebook to make it searchable or public."
TeenPatti: Indian Poker (500,000+ downloads): "Teen Patti is the fastest and the most exciting Indian card game, similar to poker."
Uploads entire contacts list, uploads incoming SMS sender without user interaction
Uploads entire contacts list
Apps with undesired/unintended Security Consequences
Risk types compared (Top AV Vendors vs. Latest Solution):
• Malware
• Adware
• Vulnerabilities
• Undesired security consequences
Latest Solution Covering All App Threat Categories
• Latest Solution detects previously unknown malware with signature-less detection, unlike AV
• Latest Solution detects twice as many ad libraries for adware detection as traditional AV
• Latest Solution provides the most comprehensive detection of different classes of vulnerabilities in apps
• Latest Solution provides the most comprehensive detection of sensitive/undesired behaviors in apps
Live Demo of the latest mobile security solution
• 100% detection based on cloud infrastructure, freeing up CPU and memory on the phone
• Non-signature-based solution, which helps to detect the latest attacks
• Provides detailed analysis of mobile threat behavior and the action taken
Uncovering the Threat
Contextual Correlation
1 Does the app violate security policies?
2 What kind of behavior does the app exhibit?
3 Is the app malicious?
Inputs correlated: security policy, information, file system, exploit, network, behavior
iOS 8.3 vulnerability discovered by FireEye
Secure without extra load on Mobile Devices
Leave a name card at the FireEye booth and we will have a demo after the session
THANK YOU!
Questions and Answers