USCC Quarterly Review & Executive Update April 2016 Malware Activity in Mobile Networks Kevin McNamee (Nokia Threat Intelligence Lab)


Page 1

USCC

Quarterly Review & Executive Update

• April 2016

Malware Activity in Mobile Networks Kevin McNamee (Nokia Threat Intelligence Lab)

Page 2

Agenda

• How the data is collected

• Threat Intelligence Report

• Android Malware

• Examples of malware

• How to avoid being a victim

• Conclusion

Page 3

Monitoring the Mobile Network

• Monitor Mobile Network Traffic

­ Malware C&C

­ Exploits

­ DDOS

­ Hacking

[Diagram: RAN (NodeB, eNodeB) → RNC/SGSN and SGW → GGSN/PGW → Internet. A 10GE or GE tap at the recommended points (the Gn and S5/8 interfaces) feeds the Malware Detection Sensor; its alerts go to Alert Aggregation & Analysis (Mobile Network Security Analytics) and on to Forensic Analysis.]

Page 4

Monitoring the Mobile Network

[Diagram repeated from page 3: sensor on the Gn and S5/8 tap, Alert Aggregation & Analysis, Forensic Analysis.]

• Analytics Provides

­ Raw security alerts

­ Trigger packets

­ Infection history by device

­ Infection history by malware

• Reports

­ Most active malware

­ Network impact

­ Infection rates
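As an added illustration of the analytics outputs listed above (not code from the deck or from Nokia's product), the following Python groups constructed sample alerts into infection history by device and by malware, ranks the most active malware, and computes a monthly infection rate. The alert tuples, device ids, monitored-device count and the pairing of malware names with devices are all made up for the example.

```python
from collections import defaultdict

# Constructed sample alerts, not real sensor output: (ISO timestamp, device id, malware name).
# A real feed would also carry the trigger packet; it is omitted here because the
# aggregation only needs who, what and when.
SAMPLE_ALERTS = [
    ("2016-04-01T08:00:00", "dev-001", "Trojan.SMS.FakeInst"),
    ("2016-04-01T09:30:00", "dev-002", "Android.SLocker.A"),
    ("2016-04-02T10:00:00", "dev-001", "Trojan.SMS.FakeInst"),
    ("2016-04-03T11:00:00", "dev-003", "Viking Horde"),
    ("2016-04-03T12:00:00", "dev-002", "Android.SLocker.A"),
    ("2016-04-04T13:00:00", "dev-004", "Trojan.SMS.FakeInst"),
    ("2016-05-02T09:00:00", "dev-005", "Trojan.SMS.FakeInst"),
]


def infection_history_by_device(alerts):
    """device id -> list of (first_seen, last_seen, malware), oldest infection first."""
    spans = defaultdict(dict)
    for ts, dev, mal in alerts:
        first, last = spans[dev].get(mal, (ts, ts))
        # ISO-8601 strings order correctly as plain strings, so min/max are safe here.
        spans[dev][mal] = (min(first, ts), max(last, ts))
    return {dev: sorted((f, l, m) for m, (f, l) in mals.items())
            for dev, mals in spans.items()}


def infection_history_by_malware(alerts):
    """malware name -> sorted list of distinct devices on which it was seen."""
    devices = defaultdict(set)
    for _, dev, mal in alerts:
        devices[mal].add(dev)
    return {mal: sorted(devs) for mal, devs in devices.items()}


def most_active_malware(alerts, n=3):
    """Rank by distinct infected devices rather than raw alert count: a single chatty
    C&C channel on one phone would otherwise dominate the table."""
    by_mal = infection_history_by_malware(alerts)
    ranked = sorted(by_mal.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(mal, len(devs)) for mal, devs in ranked[:n]]


def monthly_infection_rate(alerts, monitored_devices):
    """month (YYYY-MM) -> fraction of monitored devices with at least one alert that month."""
    infected = defaultdict(set)
    for ts, dev, _ in alerts:
        infected[ts[:7]].add(dev)
    return {month: round(len(devs) / monitored_devices, 4)
            for month, devs in sorted(infected.items())}


if __name__ == "__main__":
    for dev, hist in infection_history_by_device(SAMPLE_ALERTS).items():
        print(dev, hist)
    print(most_active_malware(SAMPLE_ALERTS))
    print(monthly_infection_rate(SAMPLE_ALERTS, monitored_devices=400))
```

Ranking by distinct devices rather than by alert volume is the choice that matters: "network impact" and "most active" answer different questions, and a report that mixes them overstates whichever family beacons most often.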

Page 5

Detection Rules Development Process

[Diagram: a loop through the following stages]

• Malware samples (virus vault: 120K+ analyzed per day, 30M+ active samples) plus third-party feeds

• Sandbox → malware traffic library

• Rules development → rules library

• Quality testing → deployment-specific rule sets → rule activation

• Field testing in live networks → feedback from field tests

Page 6

Nokia Threat Intelligence Report

Page 7

Threat Intelligence Report

• Published by Nokia Threat Intelligence Lab

• Latest edition available on September 1st

• Data aggregated from mobile networks covering close to 100M devices in:

• North America

• Asia/Pacific

• Europe

• Middle East

https://pages.nokia.com/1937.ThreatIntelligenceReport.html

Page 8

Mobile Device Infection Rate

• Smart phone infections up 96% in 1H2016

• Monthly infection rate averaged 0.66%

• Hit new high of 1.06% in April.

• In April 0.82% of smart phone devices exhibited signs of malware infection.

Page 9

Mobile Infections by Device Type

• 74% are Android devices

• 22% are actually Windows PCs & laptops

• 4% are iPhone, Blackberry, Symbian, etc.

Page 10

Mobile Malware Continues to Grow

• An indicator of Android malware growth is the increase in the number of samples in our malware database.

• The chart shows numbers since July 2012.

• The number of Android malware samples in our malware database increased by 75% in the first half of 2016.

Page 11

Top Mobile Malware

• Table shows the top mobile malware in the first half of 2016.

• More than half are new

• Malware includes:

­ Malware that roots phone

­ Ransomware

­ Spyphone Apps

­ SMS Trojans

­ Personal information theft

­ Aggressive adware.

Page 12

Why Android?

• Open Platform

• Side Loading

• Proliferation of 3rd Party Android Stores

• App Hijacking is trivial

• Market Share

Page 13

Android vs Apple app security

Android

• Signed with self-signed certificates that are created by the developer.

• Available from a large number of third-party app stores.

Apple

• Signed with certificates issued by Apple and linked to the developer registration information.

• Most consumer apps are only available from Apple.

• Enterprise development program allows developers to bypass the Apple store security provisions.

Page 14

Android vs Apple OS Software Updates

Apple

• Only one version

• Distributed by Apple

• Installed by phone owner

Android

• Patches created by Google

• Integrated by phone manufacturers

• Custom builds for individual operators

• Variety of distribution mechanisms

Page 15

Examples of Mobile Malware

Page 16

SMS Trojans

Page 17

SMS Trojans

• Sends premium SMS message

­ Trojan.SMS.FakeInst

­ Trojan.SMS.Agent

­ Trojan.SMS.Rufraud

­ Trojan.SMS.Opfake

­ Trojan.SMS.Boxer

• SMS Banking Trojans

­ Intercepts SMS messages

­ Looking for one-time banking access codes

­ Sends codes to the attacker, who is also monitoring banking transactions

Page 18

Malware that roots the phone

Page 19

Viking Horde

• This malware family gets its name from the Viking Jump game that was distributed through Google Play.

• Infected apps include:

­ Viking Jump

­ Wifi Plus

­ Memory Booster

­ Parrot Copter

• Turns the phone into a transparent web proxy used in ad-click fraud.

• Roots the phone to establish a persistent hold on the device.

­ Installs components in the root directory so they are hard to uninstall.

­ Sets up a watchdog service that reinstalls the malware if it is removed.

Page 20

Malware Survives Factory Reset

• An Android factory reset operation does not reset the /system partition.

• So any apps stored in the /system/app directory will survive a factory reset.

• Malware can take advantage of this by rooting the phone and installing apps in the /system directory.

• This happened to one of our lab phones...

Page 21

Malware Survives Factory Reset

1. Malware from a Chinese app store was run on one of our test phones.

2. It had almost every permission possible.

3. It included a library with known root exploits.

4. Over time a number of additional “system” apps appeared in the /system/app directory.

5. We noticed the problem after we did a factory reset and the phone started reloading apps from China.

6. The only solution was to root the phone and delete the apps manually.
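An added example for the persistence problem in this slide, not part of the deck or of Nokia's tooling: a Python script that parses the output of `pm list packages -f` (as run over `adb shell`) and reports packages installed on the /system partition that a clean-device baseline does not contain. The package list, package names and baseline set are constructed for the example; the `package:<path>=<name>` line format is the real one.

```python
# Constructed output in the format of `adb shell pm list packages -f`
# (package:<apk path>=<package name>); these lines are not from a real device.
SAMPLE_PM_LIST = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/SysUpdate/SysUpdate.apk=com.example.sysupdate
package:/system/priv-app/CloudSvc/CloudSvc.apk=com.example.cloudsvc
"""

# Constructed baseline: package names captured from a known-clean unit of the same
# model and firmware. In practice, export this right after flashing the phone.
CLEAN_BASELINE = {"com.android.bluetooth", "com.android.settings"}

# Locations that a factory reset leaves untouched.
SYSTEM_PREFIXES = ("/system/app/", "/system/priv-app/")


def parse_pm_list(text):
    """Return [(apk_path, package_name)] from pm output; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # rpartition: a package name never contains '=', an APK path might.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            entries.append((path, name))
    return entries


def unexpected_system_apps(entries, baseline):
    """Packages living on /system that the clean baseline does not know about.
    Apps under /data are deliberately ignored: a factory reset wipes them anyway,
    so only the /system residents are the ones that would come back afterwards."""
    return sorted(name for path, name in entries
                  if path.startswith(SYSTEM_PREFIXES) and name not in baseline)


if __name__ == "__main__":
    found = unexpected_system_apps(parse_pm_list(SAMPLE_PM_LIST), CLEAN_BASELINE)
    for pkg in found:
        print("unexpected /system package:", pkg)
```

The check depends entirely on the quality of the baseline: it must come from the same firmware build, since manufacturers and operators ship different preloads, and it should be re-captured after each legitimate OS update.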

Page 22

Spyphone Apps

Page 23

Mobile Spyware

• Tracks

­ the phone’s location

­ incoming and outgoing calls

­ text messages & email

­ the victim’s web browsing.

• Used by

­ individuals

­ private investigators

­ cyber espionage

Page 24

[Screenshot] http://www.top10spysoftware.com/

Page 25

Ransomware

Page 26

Ransomware & Lockers

• This malware claims to have locked your phone and/or encrypted your data.

• It demands a ransom to restore it.

• Often data is not really encrypted

Page 27

Permissions used by Lockers

• SYSTEM_ALERT_WINDOW

­ Allows app to display a window on top of everything else

­ You can’t interact with the phone

­ Usually combined with auto start on BOOT

­ Effectively locks the phone

• Device Administration

­ Provides additional permissions

­ Must be activated by user

­ Can block “Settings” app until user OKs the activation

­ Can’t uninstall an app with the permission

­ Also combined with auto start on BOOT

Solution: Start Phone in “safe mode” and delete the app.
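An added example, not from the deck: a small Python check that reads an Android manifest and reports whether it declares the locker ingredients named on this slide (overlay window, auto start on boot, device administration), so a triage queue can pull such apps out before anyone installs them. Both manifests are constructed for the example; the package and receiver names are invented, while the permission and action strings are the real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest showing the locker pattern from the slide; it is not taken
# from any real sample. Package name and receiver class names are invented.
LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def locker_indicators(manifest_xml):
    """Return which of the three locker ingredients the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    actions = {e.get(A_NAME) for e in root.iter("action")}
    admin_receiver = any(r.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
                         for r in root.iter("receiver"))
    return {
        # a window drawn over everything else: the user cannot reach the home screen
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        # relaunches at boot, so a reboot does not clear the overlay
        "boot_autostart": ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
                           and "android.intent.action.BOOT_COMPLETED" in actions),
        # device admin: cannot be uninstalled while the policy is active
        "device_admin": (admin_receiver
                         or "android.app.action.DEVICE_ADMIN_ENABLED" in actions),
    }


def classify(ind):
    """Map indicators to a triage label. Overlay plus boot autostart is the locker
    pattern itself; device admin on top of it means the admin policy has to be
    deactivated (typically from safe mode) before the app can be removed."""
    if ind["overlay"] and ind["boot_autostart"]:
        return "locker-pattern+device-admin" if ind["device_admin"] else "locker-pattern"
    if ind["device_admin"] and ind["boot_autostart"]:
        return "persistent-device-admin"
    if any(ind.values()):
        return "review"
    return "none"


if __name__ == "__main__":
    for label, manifest in (("locker", LOCKER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, classify(locker_indicators(manifest)))
```

The combination, not any single permission, is the signal: legitimate screen filters use SYSTEM_ALERT_WINDOW and legitimate MDM agents use device admin, so a check that fires on either alone would drown in false positives.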

Page 28

Android.Locker.B

• This looks like a Norton AntiVirus app

• Finds problems with your phone

• Asks to activate “device admin”

• Gives you the bad news

• Tells you how to fix it

Page 29

Android.SLocker.A

• Looks like the Adobe Flash Player

• Immediately asks for Device Admin

• Disappears from APPS screen

• Can’t be stopped or uninstalled

• Has all sorts of permissions

• Communicates with C&C

• Uses “alert window” to:

­ Lock phone

­ Ask for Google Wallet credentials

­ Ask for credit card credentials

• Goal is to get your credit card info

Page 30

Infected Games

Page 31

Pokémon Go Infected

• Originally released in only the US, Australia and New Zealand markets.

• Gaming web sites provided instructions on how users in other locations could side load bootleg copies.

• This provided an unprecedented opportunity for hackers.

• Within hours, Nokia Threat Intelligence Lab found copies of the game that had been injected with malware and made available for download from third-party sites.

Page 32

Pokémon Go Infected

• One sample was infected with a Remote Access Trojan called DroidJack.

• This allows the attacker to:

­ track the phone’s location

­ record calls

­ take pictures

­ steal information and files from the phone.

• To the user, it is identical to the Pokémon Go game except that the first time you run it, it asks for permissions.

Page 33

Remote Access Trojans (RATs)

Page 34

DroidJack

• Inject DroidJack into

Pokemon

• Fill in name of C&C

• Select Pokemon APK

• Select “Bind”

• APK built…

Page 35

DroidJack Operation

• Trick user into installing

the infected game…

• Device pops up in GUI

• Right click for features

­ Browse files

­ Browser History

­ Location

­ Contacts

­ Audio

­ Video

Page 36

iPhone Malware

Page 37

iPhone not immune

• KeyRaider steals over 225,000 Apple accounts

• XcodeGhost infiltrates Chinese app development

• AceDeceiver exploits iOS DRM to install malware on iPhones

• YiSpecter malware exploits Apple sandboxing on non-jailbroken phones.

­ Install other malware

­ Conceal its presence

[Screenshots: KeyRaider apps on Cydia; YiSpecter]

Page 38

iPhone – Pegasus Spyware

• Professional spyware from NSO Group costing $25000 per target.

• Uses three (Trident) exploits to get into the phone

­ Phishing leads to exploit web link

­ CVE-2016-4655 exploit against Safari WebKit gets remote execution

­ CVE-2016-4656 & CVE-2016-4657 jailbreak the device

­ Spyware has complete control of the device

• Spies on social media and communication apps

­ Gmail, FaceTime, Facebook, Skype, WhatsApp, etc.

• Monitors

­ Phone calls, SMS messages, call logs

• Allows remote audio and video recording

• Has stealth protection and a built-in self-destruct mechanism

Page 39

DDOS

Page 40

DNS-DDOS

• Attacks impact any carrier network where public Internet IP addresses are used.

• Attacks typically leverage mobile WiFi devices that act as DNS resolvers.

• Spark’s network (major carrier in New Zealand) was crippled for two days in 2014 by this.

• Attacks have Internet wide impact (see following slide)

1. Attacker tells Internet based botnet to launch attack.

2. Bots send spoofed DNS requests to mobile devices.

3. Mobile devices forward DNS requests to the carrier’s DNS servers for resolution.

4. DNS servers respond with amplified response traffic.

5. Mobile devices flood the victim server with this response traffic.
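An added detection example, not from the deck: given DNS flow records as seen at the tap, flag subscriber devices that answer queries from many outside addresses with responses much larger than the queries, which is the open-resolver role the mobile WiFi devices play in the sequence above. The subscriber prefix (a documentation range), the flow records and the thresholds are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed: the carrier's public subscriber range (a documentation prefix, not a real carrier).
SUBSCRIBER_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed DNS flow records: (src_ip, dst_ip, request_bytes, response_bytes).
# Queries arrive at subscriber devices from outside addresses; in the attack the
# source is spoofed to the victim, so the large answer is delivered to the victim.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 60, 3000),
    ("198.51.100.7", "203.0.113.10", 60, 3000),
    ("198.51.100.8", "203.0.113.10", 60, 2900),
    ("198.51.100.9", "203.0.113.10", 60, 3100),
    ("203.0.113.20", "203.0.113.10", 60, 120),   # query from another subscriber: not external
    ("198.51.100.7", "203.0.113.11", 60, 100),   # one small answer: ordinary resolver use
]


def open_resolver_candidates(flows, subscriber_net=SUBSCRIBER_NET,
                             min_sources=3, min_amplification=10.0):
    """Flag subscriber devices that answer DNS for at least `min_sources` outside
    addresses with an aggregate response/request byte ratio of `min_amplification`
    or more. Returns a list of dicts sorted by amplification, highest first."""
    stats = defaultdict(lambda: {"sources": set(), "req": 0, "resp": 0})
    for src, dst, req_bytes, resp_bytes in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in subscriber_net or src_ip in subscriber_net:
            continue   # only outside-to-subscriber queries matter for this check
        s = stats[dst]
        s["sources"].add(src)
        s["req"] += req_bytes
        s["resp"] += resp_bytes
    findings = []
    for device, s in stats.items():
        amp = s["resp"] / s["req"] if s["req"] else 0.0
        if len(s["sources"]) >= min_sources and amp >= min_amplification:
            findings.append({"device": device,
                             "external_sources": len(s["sources"]),
                             "amplification": round(amp, 2)})
    return sorted(findings, key=lambda f: -f["amplification"])


if __name__ == "__main__":
    for finding in open_resolver_candidates(SAMPLE_FLOWS):
        print(finding)
```

A device that shows up here should not be answering DNS on its WAN side at all; the lasting fixes are the device firmware closing that listener and the carrier filtering inbound UDP/53 toward subscriber addresses, while ingress filtering of spoofed sources upstream removes the reflection in the first place.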

Page 41

Coordinated Attack Impacts the Internet

[Diagram: customer in Asia, customer in North America]

65K spoofed IP addresses from a Russian subnet send DNS requests to 3000 mobile devices in the carrier’s network, generating over 100 million security events per day.

Page 42

Mirai Botnet (IoT devices)

• Responsible for 600Gbps attack against Brian Krebs’ web site (Sept 2016)

• Responsible for 1.5Tbps attack against French web hosting provider (Oct 2016)

• Responsible for Friday Oct 21st attack on Dyn DNS that impacted Spotify, Twitter & Netflix.

• Operation Phase 1:

­ Bot scans for vulnerable devices (Mifi & IoT)

­ Brute force login against open Telnet & SSH ports

• Operation Phase 2:

­ Infected device joins botnet and scans for other victims

­ Reported to have created a 130K device botnet in one day

• Operation Phase 3:

­ Botnet attacks victim

Page 43

Remote exploits

Page 44

Stagefright

• Vulnerabilities in Android’s media display software announced July 2015 with a proof of concept exploit via MMS message preview.

• Forced a serious look at how to improve getting Android patches deployed in the field.

• No known exploits seen in the wild (July 2016)

• New exploit available for Metasploit can exploit the vulnerability through the phone’s browser on 29 different device/firmware versions (Aug 2016)

Page 45

Conclusion

• Android and iPhone malware focuses on things that work well in the mobile environment.

­ Spyphone Apps & Trojans

­ SMS Trojans

­ Scareware

­ Adware

• However we are starting to see:

­ Systematic rooting of the device

­ Hooking into privileged apps

­ Advanced persistence

­ Stealth

­ Sophisticated C&C

­ Remote exploits

Page 46

Questions ?