Threat Lands

Protecting the irreplaceable | f-secure.com

THREAT LANDS

Presented by Goh, Su GimSecurity Advisor, Asia

F-Secure Response Labs

About me

• 10 years in the IT Security industry

• IT network security infrastructure design

• Assessment and penetration testing

• Standards and Compliance

• Security Operation Center / Incident Response

• Born and Raised in Malaysia

• Spent 12 years in Hawaii, USA

• Joined F-Secure about 9 months ago, now based in F-Secure Response Labs, Kuala Lumpur

April 10, 20232

Agenda

• About F-Secure

• The Threat Landscape today

• Social Media Networking

• More than just $$

• The un-tethered world

• Malware for the mobile world

•10 April 2023

© F-Secure / PublicApril 10, 2023

6

F-Secure - Summary

1988 Founded

Today

2007

1999 IPO (Helsinki Stock Exchange)

• “Protecting the irreplaceable”• Enabling the safe use of computers and smartphones

• Strong solution portfolio covering both consumers and business

• The leading Software as a Service (SaaS) partner for operators globally• Over 200 operator partnerships in more than 40 countries

• Strong market presence in Europe, North America and Asia

• Distributors/resellers in more than 100 countries

• 20 offices globally and over 800 professionals worldwide

F-Secure in Malaysia

April 10, 2023

8

• Operations started 2006

• KL Sentral office opened 2006

• Moved to Bangsar South May 2009

• Today, 2011, 25% of the employees in Asia

2005 2006 2007 2008 2009 2011

The Virus Eras


9

FLOPPY

LAN

EMAIL

WEB

FACEBOOK, MYSPACE, TWITTER, LINKEDIN?

MOBILE MALWARE???

http://campaigns.f-secure.com/brain/index.html


10

Malware Attacks 1986 - 2011

• 1986 -Hobbyist attacks

• 2002 - Financial attacks

• 2005 - Spying / Espionage

• 2010 -Cyber Sabotage

© F-Secure CorporationApril 28, 2010

11


17


18

Hmm.. Is that my ex-girlfriend viewing my profile?


19


20


21

FB’s FAQ


22

LIKE JACKING


23


24


25


26

Critical Infrastructure

Stuxnet

STUXNET

Windows

Worm Uses 5

Vulnerabilities*

Spreads via

USB sticks

* 4 zero-days

Signed component – the stolen certificate

Stuxnet is big

AverageMalware50-100 KB

Stuxnet1,5 MB

Siemens Simatic Step7 WinCC PLC

6es7-417

Bushehr / Natanz

CASE: hosting.ua – the Ukrainian Datacenter


40

Spring cleaning gone bad…


42

UNTETHERED


45

The big brother aka 大哥大

April 10, 202346

The battlefield today..

April 10, 202347

The ever growing Smartphone…

April 10, 202348

“53% of Chinese citizens in key urban centres own a smartphone,

well ahead of countries like the US, where penetration stands at

around 30%, and Japan, on 10%” Consultancy Accenture

“Smartphones to break 100 million shipment mark in Asia/Pacific (Excluding Japan) by 2011” - IDC

“IDC expects 137 million units in 2011,

double the units in 2010”

Smartphone market share: Today and Tomorrow

April 10, 202349

Android overtakes BlackBerry as Top US Smartphone platform

April 10, 202350

WHAT CAN MOBILE MALWARE DO???

• PERSONAL DATA DISCLOSURE

• PHISHING

• SPYWARE

• DIALERWARE

• FINANCIAL MALWARE

April 10, 202351

Huike.cn serving Windows Mobile apps

April 10, 202352

3D Anti-Terrorist

April 10, 202353

Windows Mobile Trojan

• Poses as 3D Anti-Terrorist Action War Game

• Developed by Beijing Huike Technology in China

• Distributed in windows freeware download sites

• Packaged with virus written in Russia

• Malicious code initiate silently international calls to Premium Numbers

April 10, 202354

A Dialerware example

April 10, 202355

Dialerware continued..

April 10, 202356

The numbers

• +882346077 Antarctica

• +17675033611 Dominican republic

• +88213213214 EMSAT satellite prefix

• +25240221601 Somalia

• +2392283261 São Tomé and Príncipe

• +881842011123 Globalstar satellite prefix

www.keyzone-telemedia.com

April 10, 202358

www.premium-rates.com

April 10, 202359

Geinimi, Aka 給你米• Android BOT

• Opens a backdoor and calls home

• Calls home to various servers:

April 10, 202361

www.frijd.comwww.aiucr.com www.uisoa.comwww.islpast.comwww.piajesj.comwww.qoewsl.comwww.weolir.comwww.riusdu.comwww.widifu.comwww.udaore.com

The Variants… HongTouTou 紅頭頭 / ADRD

• Targeting users in China

• Distributed on free file sharing websites as wallpaper apps

• Gather IMEI/IMSI - encrypted

• Search as a mobile user

• Emulate clicks as a mobile user

• Monitor SMS conversations

April 10, 202362

Do Androids Dream? [THE MOTHER OF THEM ALL]

• Root your phone (Admin access)

• Sends IMEI/IMSI to remote server

• Steals sensitive data

• More than 50 applications infected

• Repackaged by app developer by

• Myournet

• Kingmail2010

• we20090202

• Hosted on Android Market

• 50,000 to 200,000 downloads in 4 days

April 10, 202363

DroidDream

Trojanised apps by Myournet

April 10, 202364

Falling DownSuper Guitar SoloSuper History EraserPhoto EditorSuper Ringtone MakerSuper Sex PositionsHot Sexy VideosChess下坠滚球 _FalldownHilton Sex SoundScreaming Sexy Japanese GirlsFalling Ball DodgeScientific CalculatorDice Roller躲避弹球Advanced Currency ConverterApp Uninstaller几何战机 _PewPewFunny PaintSpider Man蜘蛛侠

Real App on left and virused-up version (Myournet)

April 10, 202365

In case of emergency, press this:

April 10, 202366

The KILL SWITCH

• On March 1st 2011, Google yanked 58 apps in Android Market

• March 6th, Google created the Android Market Security Tool to REMOTELY remove the malicious apps and the DroidDream trojan from hundreds of thousands of devices

• Gives me a mixed feeling…

April 10, 202367

The Google KILL SWITCH

April 10, 202368

Fake Google Security Patch4 days later..

Hijacked and retooled Google’s Android Market Security Tool

Distributed by an unregulated Chinese app market

Detected by Symantec as BgService running on infected devicesTrojan sends SMS to a command and control server

And so it was nice and dandy...

Multiple Sources for App Downloading “SIDELOADING”

© F-Secure / ConfidentialApril 10, 202369

Yingyonghui.com

© F-Secure ConfidentialApril 10, 202370

© F-Secure ConfidentialApril 10, 202371

“SIDELOADING” : Androiddownloadz.com

April 10, 202372

April 10, 202373

Eventually, virus writerswill realize it's easier to makemoney by infecting phonesthan by infecting computers

April 10, 202374

So how do I protect myself?

April 10, 202375

(1) TRUSTED & REPUTABLE SOURCES

• Download from reputable app markets

• Avoid third party app stores (Sideloading)

• Review developer name, reviews and star ratings

• If it is too good to be true.. IT IS

• There is NO FREE LUNCH

April 10, 202376

(2) Scrutinize permissions

• Check on permissions when installing an app

• Ensure the permissions match the features it provides

April 10, 202377

(3) Auto-locking, reset and wipe (Housekeeping)

• Automatic locking after a few minutes of no activity

• Reset and wipe when disposing or recycling your phone

April 10, 202378

(4) Install a mobile security app

• Install an Anti-virus for your SmartPhone against trojans/viruses/malware

• Other security vendor features (Anti Theft) include

• Remote Wipe, Lock & Alarm

• Remote Alarm

• GPS Locator

• Remote backup

April 10, 202379

Keeping yourself posted…

• www.f-secure.com/weblog

• Twitter

• F-Secure

• mikkohypponen

• sugimgoh

http://www.f-secure.com/weblog

April 10, 202380

THE END

Q&A?