Your mobile device is a gold mine for hackers

- ENTERPRISE EMAIL
- ENTERPRISE NETWORK: VPN, WiFi
- ENTERPRISE APPS: SaaS, custom apps
- CREDENTIALS: stored credentials, soft tokens
- PHOTO ALBUM: whiteboard screenshots, IDs
- SENSORS: GPS, microphone, camera

Lookout 2017 | Confidential and Proprietary
PC vs. MOBILE: who controls each component?

DEVICE
  PC: Selected, purchased, and managed by organization
      - Administered by IT
      - Managed by SCCM
      - OS version control
      - OS integrity monitoring
      - Behavioral monitoring
  MOBILE: Organizationally issued, some BYOD
      - Partially managed using MDM

NETWORK
  PC: LAN / corporate Wi-Fi; VPN when traveling
      - On-device firewalls
      - Perimeter firewall
  MOBILE: Always-on cellular; user-selected Wi-Fi

WEB & CONTENT
  PC: Filtered at organizational perimeter
      - Secure Web Gateways
  MOBILE: Often unfiltered

APPS
  PC: Selected, purchased, and managed by organization
      - Anti-Virus
      - DLP
      - Vulnerability scanning
  MOBILE: Selected, purchased, and managed by user*
How are you protecting your corporate data?
MOBILE: COMPONENTS OF RISK

Each column is an attack surface (DEVICE, NETWORK, WEB & CONTENT, APPS); each row is a component of risk (THREATS, SOFTWARE VULNERABILITIES, BEHAVIOR & CONFIGURATIONS); the cells are the vectors.

THREATS
- Device: Privilege escalation; Remote jailbreak/root
- Network: Man-in-the-middle; Fake cell towers; Spoofed WiFi APs; Root CA installation
- Web & Content: Phishing; Drive-by-download; Malicious websites & files
- Apps: Spyware & surveillanceware; Trojans; Other malicious apps

SOFTWARE VULNERABILITIES
- Device: Out-of-date OS; Dead-end hardware; Vulnerable pre-installed apps
- Network: Network hardware vulnerabilities; Protocol stack vulnerabilities
- Web & Content: Malformed content that triggers OS or app vulnerabilities
- Apps: Out-of-date apps; Vulnerable SDKs; Poor coding practices

BEHAVIOR & CONFIGURATIONS
- Device: User-initiated jailbreak/root; No PIN code/password*; USB debugging
- Network: Proxies, VPNs, root CAs; Auto-joining unencrypted networks
- Web & Content: Opening attachments and visiting links to potentially unsafe content
- Apps: Apps that leak data; Apps that breach org security policy; Apps that breach regulatory compliance

RISK MATRIX (risk categories, by area)
- OS: End user jailbreak/root; Malicious jailbreak/root; OS vulnerabilities exploitation; Data on stolen devices
- Apps: Malicious apps; Non-compliant apps; App vulnerability exploits; Data leakage
- Network: Malicious MitM attacks; Anomalous root CA
- Multiple attack vectors utilized
ANDROID

Android Patches
https://source.android.com/security/bulletin/2017-06-01
• 101 patched CVEs in June
  • 76 high or critical
• 120 patched CVEs in May
  • 88 high or critical
• Android Security Advisory 2016-03-18
  • Rooting app exploiting a kernel vulnerability
• Deployment challenges
  • Older devices not getting updates
IOS

iOS Patches (iOS status)
https://support.apple.com/en-us/HT207617
• iOS 10.3.2 released 15 May
  • 49 CVEs patched
• iOS 10.3.1 released 3 Apr
  • WiFi chip vulnerability patched
• iOS 10.3 released 27 Mar
  • 91 CVEs patched
  • Scareware for ransom (Safari browser pop-up loop)
• Employees still need to update...
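The "Behavior & configurations" and "Software vulnerabilities" rows of the risk matrix above, together with the Android and iOS patch status just listed, translate directly into a device posture check. The script below is an added example; it is not code from the Lookout deck or from any Lookout product. The inventory records are constructed for illustration, and the 90-day patch-age threshold and the iOS 10.3.2 floor are assumptions. In practice the fields would come from an MDM/MTD export, or on Android from `adb shell getprop ro.build.version.security_patch`, `adb shell settings get global adb_enabled` and the contents of `/data/misc/user/0/cacerts-added/` (user-installed root CAs).

```python
"""Posture check mapping the mobile risk matrix to per-device findings.

Added example: constructed inventory, assumed thresholds. Not the deck's code.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    platform: str                  # "android" or "ios"
    os_version: str                # e.g. "10.3.2" (iOS) or "7.1.2" (Android)
    security_patch: Optional[str]  # Android ro.build.version.security_patch, YYYY-MM-DD; None on iOS
    screen_lock: bool              # PIN code / password set
    usb_debugging: bool            # Android: settings get global adb_enabled == 1
    rooted: bool                   # jailbroken / rooted, user-initiated or malicious
    user_ca_certs: List[str]       # subjects of user-installed root CAs (cacerts-added on Android)
    auto_join_open_wifi: bool      # saved unencrypted networks set to auto-join


# Assumed policy values for this example (not figures from the deck).
MIN_IOS = (10, 3, 2)        # newest iOS release listed above (15 May 2017)
MAX_PATCH_AGE_DAYS = 90     # Android patch level older than this is "out-of-date OS"

Finding = Tuple[str, str, str]  # (severity, component, description)


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.3.2' -> (10, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def assess(dev: Device, today: date) -> List[Finding]:
    """Return findings for one device, keyed to the risk-matrix columns."""
    f: List[Finding] = []
    # DEVICE / behavior & configurations
    if dev.rooted:
        f.append(("high", "device", "jailbroken or rooted"))
    if not dev.screen_lock:
        f.append(("high", "device", "no PIN code or password"))
    if dev.usb_debugging:
        f.append(("medium", "device", "USB debugging enabled"))
    # NETWORK / behavior & configurations
    for subj in dev.user_ca_certs:
        f.append(("high", "network", "user-installed root CA: " + subj))
    if dev.auto_join_open_wifi:
        f.append(("medium", "network", "auto-joins unencrypted Wi-Fi"))
    # DEVICE / software vulnerabilities (out-of-date OS)
    if dev.platform == "ios":
        if parse_version(dev.os_version) < MIN_IOS:
            floor = ".".join(str(n) for n in MIN_IOS)
            f.append(("high", "device", f"out-of-date iOS {dev.os_version} (< {floor})"))
    elif dev.platform == "android":
        if dev.security_patch is None:
            f.append(("medium", "device", "no security patch level reported"))
        else:
            age = (today - date.fromisoformat(dev.security_patch)).days
            if age > MAX_PATCH_AGE_DAYS:
                f.append(("high", "device", f"security patch level {dev.security_patch} is {age} days old"))
    return f


def risk_level(findings: List[Finding]) -> str:
    """Worst severity present wins; a clean device is 'low'."""
    sev = {s for s, _, _ in findings}
    return "high" if "high" in sev else "medium" if "medium" in sev else "low"


# Constructed inventory (not real devices).
INVENTORY = [
    Device("ios-001", "ios", "10.3.2", None, True, False, False, [], False),
    Device("ios-002", "ios", "10.2.1", None, False, False, True, ["CN=Corp Proxy Test CA"], True),
    Device("and-001", "android", "7.1.2", "2017-06-01", True, False, False, [], False),
    Device("and-002", "android", "6.0.1", "2016-03-01", True, True, False, ["CN=mitmproxy"], True),
]


def assess_inventory(today_iso: str) -> Dict[str, Tuple[str, List[Finding]]]:
    """Map device_id -> (risk level, findings) for the whole inventory."""
    today = date.fromisoformat(today_iso)
    out: Dict[str, Tuple[str, List[Finding]]] = {}
    for d in INVENTORY:
        findings = assess(d, today)
        out[d.device_id] = (risk_level(findings), findings)
    return out


if __name__ == "__main__":
    for dev_id, (level, findings) in assess_inventory("2017-06-15").items():
        print(dev_id, level)
        for sev, comp, desc in findings:
            print(f"   [{sev}] {comp}: {desc}")
```

Run against the constructed inventory on 2017-06-15, ios-001 and and-001 come back low; ios-002 is high (old iOS, no passcode, jailbroken, user CA) and and-002 is high (patch level over a year old plus a user-installed CA), with USB debugging and open-Wi-Fi auto-join as medium findings alongside. A user-installed root CA is rated high on its own because it is the precondition for the silent TLS interception listed under "Man-in-the-middle" and "Root CA installation" in the matrix.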
MOBILE RISK HIGHLIGHTS...
• Alternative app stores
• Fraudulent/fake apps
• Pegasus and Trident
• MilkyDoor
• ViperRAT (surveillanceware)
• App takedowns
Pegasus and Trident

Pegasus: The Threat
• A professionally developed and highly advanced threat leveraging zero-day vulnerabilities, code obfuscation, encryption and sophisticated function hooking to subvert app controls.

Trident: The Three Vulnerabilities
• Three related zero-day vulnerabilities in iOS that collectively allowed the attacker to automatically jailbreak the device and install far-reaching spyware.
Pegasus causes catastrophic data compromise
• All encrypted data from any apps on the device
• User passwords from the keychain
• All WiFi passwords for every network the device has been on
• All passwords from any connected Apple router / AirPort / Time Capsule
• GPS / user location
• All call audio and history
• All data from the calendar, including meetings
• Sensitive conversations recorded via the microphone
• All contacts on the device
• And more...
MilkyDoor
Provides access to internal networks
• Covertly grants attackers access to the enterprise's services
  • Web, FTP, SMTP in the internal network
• Repackaged Android apps
  • 200 unique apps on Play
• Communicates with C&C over SSH
• Process name: Android.process.s
ViperRAT
Surveillanceware
• Social media used for targeting
  • Fake profiles posing as young women
  • Build trust
  • Target is asked to install an app for easier communication
• Multi-stage malware
  • Dropper for profiling
  • 2nd stage is more capable
  • Extracts files and photos
210 Lookout-discovered threats in the Google Play Store (2016)

• BouncerBounce: Malware that works around Google's review process to plant malicious apps in Play Store.
• OverSeer: Spyware targeting foreign travelers searching for embassy locations. Steals contact and location data.
• DressCode: Can make the device a proxy for network traffic on corporate networks.
• DressCode (follow-up): We discovered more apps on Play injected with this trojan.
• Tcemui Photo Uploader: Lookout discovered this malware family in fake versions of popular apps on Play.
• Wakeful App Download: Malware hidden in a "File Explorer" app that had gotten into Play; downloads and launches additional apps.
• XRanger: 167 apps in Play infected with this app dropper.

Timeline (as read from the chart): discovery dates July 15, August 4, September 7, September 30, October 19, October-November and November 25; counts per discovery 1, 4, 13, 3, 1, 2, 167. All were discovered by Lookout in the Play Store and subsequently removed by Google.
Gartner Market Guide for Mobile Threat Defense Solutions
“It is becoming increasingly important that security leaders look at the anti-malware, mobile threat defense solutions market, the products available and how they should be used.”*
Source: Gartner Market Guide for Mobile Threat Defense Solutions, John Girard and Dionisio Zumerle, July 2016
*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This Gartner report is available upon request from Lookout
Lookout Mobile Endpoint Security meets all four functional capabilities, including:
- Behavioral Anomaly Detection
- Vulnerability Assessment
- Network Security
- App Scan