FIREEYE ADVANCED THREAT PROTECTION
Mobile Phone - Smart Doesn't Equal Safe
Matthew WONG - Consulting Engineer of FireEye, Hong Kong and Macau
Numbers Show a Harsh Reality
• 2/3 of U.S. firms report that they have been the victim of cybersecurity
• 40% of all IT executives expect a major cybersecurity incident
• 115% CAGR of unique malware since 2009
• 9,000+ malicious websites identified per day
• Every second, 14 adults become a victim of cyber crime
• 6.5x the number of cyber attacks since 2006
• 95 new vulnerabilities discovered each week
Mobile Blooming Statistics
• Smartphone adoption
- 10x faster than the PC revolution of the 1980s
- 2x faster than the 1990s Internet boom
- 3x faster than even today's social networks
• On average 52% of workers use their personal mobile device for work, 69% in Asia Pacific
• Mobile malware grew 614% in 2012-2013
• 2/3 of mobile applications in the Google Play store had at least one vulnerability
Mobile Cyber Security becomes part of daily life
Imagine the Mobile Future
Traditional AV is failing
Mobile Security News – Financial Gain
Mobile Security News – Political Hack
App Development: reusable app libraries, outsourced app development, malicious building blocks
Calendar entry (diagram): 10AM Meeting about Company Acquisition
Anatomy of a Mobile Threat
Diagram labels: Battlefield, Enterprise IP, Callback Server, Exfiltration
Attack steps:
1 Calendar access
2 Microphone access
3 Exfiltration
4 Tracking executive location
The tip of the iceberg:
• Transparent SMS
• Call records
• Video surveillance
• Root access
• Fine grained GPS location
• History & bookmarks
• Lateral exploit spread
• Exfiltration of contacts
Mobile App Threat Categories
Hidden Malicious Behavior:
• Benign
• Malware
• Vulnerable apps
• Adware
• Apps with undesired/unintended security consequences
MisoSMS - Malware
Infection flow (diagram):
1. SMS phishing message: "Interesting stuff: http://84udjhtg"
2. Victim downloads MisoSMS from a server hosting the malicious APK (attacker's server or app store)
3. MisoSMS uploads the victim's SMS messages to a 360.cn mail service
First Mobile Botnet Takedown
• Worked with 360.cn to ban the attackers' email accounts used for collecting stolen SMS messages
• From network measurements: almost 200,000 SMS messages were stolen
Detected New Malware on Google Play
● Fake AV apps
● "Anti-Hacker"
– 50,000 downloads
– Less than 800 lines of code
Adware on App Markets
[Chart: share of adware and malware (0% to 14%) in APKs by app market: lenovo, nduo, opera, anzhi, pdassi, mumayi, appchina, slideme, hiapk, appsapk]
• 6.7% adware in APKs crawled from Google Play over 8 months
Ad Library Prevalent on Google Play: Main Method for Monetization
Ad Library        Usage Count  Percentage
Admob             51176        36.60%
Flurry            15289        10.93%
Millennial Media  7949         5.68%
Chartboost        7517         5.38%
Inmobi            7307         5.23%
Tapjoy            6740         4.82%
Izp               5917         4.23%
Applift           5187         3.71%
Mopub             4209         3.01%
Revmob            2253         1.61%
Data collected on Google Play apps with 100K+ downloads
Common Ad Lib Sensitive Behaviors
• Collect personal information – name, address, age, gender, email address, etc.
• Collect device information – IMEI, MAC, Android ID, Android version, list of installed apps
• Modify bookmark history, calendar, and contacts
• Push ads to the notification tray of the phone even when the app is not running
• Send premium SMS as a form of payment
• Intercept incoming SMS and check for messages from certain phone numbers
Vulnerable Apps - Incorrect use of SSL/TLS
Vulnerabilities
– Applications use trust managers that trust all certificates and so open themselves to MITM attacks
– Applications replace hostname verifiers with versions that do not check the hostname of the server the application is connecting to
– Applications that embed web pages ignore SSL errors by doing nothing in onReceivedSslError
Consequences – MITM attacks!
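As an added example (not code from the FireEye deck), the three insecure patterns listed above written out in Android Java, each beside the form that keeps certificate and hostname validation intact; class names such as TlsPatterns and the WebViewClient subclasses are hypothetical, and the "ignore SSL errors" case is shown as the common handler.proceed() form.

```java
// Added example, not from the original slides: insecure TLS patterns beside their fixes.
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
import android.webkit.*;
import android.net.http.SslError;

public class TlsPatterns {  // hypothetical class name

    // VULNERABLE (1): trust manager that accepts any certificate chain. An attacker
    // in the path can present a self-signed certificate and it is never rejected.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // VULNERABLE (2): hostname verifier that accepts any host, so a certificate
    // valid for some other domain is accepted for the server the app expects.
    static final HostnameVerifier ALLOW_ALL = (hostname, session) -> true;

    // VULNERABLE (3): WebViewClient that swallows SSL errors and loads the page anyway.
    static class InsecureWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();  // the error is ignored; content arrives over a tampered channel
        }
    }

    // HARDENED (1 and 2): leave the platform defaults in place. Do not install a custom
    // TrustManager or HostnameVerifier; the default SSLContext validates the chain against
    // the system trust store and HttpsURLConnection verifies the hostname itself.
    static HttpsURLConnection openSecure(java.net.URL url) throws java.io.IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // HARDENED (3): cancel the load on any SSL error; never call proceed() for
    // untrusted, expired, or hostname-mismatched certificates.
    static class SecureWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();
        }
    }
}
```

In code review, any of `checkServerTrusted` with an empty body, a `HostnameVerifier` returning `true` unconditionally, or `onReceivedSslError` calling `proceed()` is a finding of the kind counted in the chart that follows.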
SSL/TLS vulnerabilities
[Chart: safe vs. unsafe share (0% to 100%) for three checks: trust managers that do not check server certificates; hostname verifiers that do not verify hostnames; applications that ignore SSL errors in WebKit]
Dataset: the 1000 most downloaded applications from Google Play; 611/1000 use SSL
Uploading contacts in bulk
Truecaller - Caller ID & Block (10,000,000+ downloads)
"See who the unknown caller is, block unwanted calls and SMS, and manage your contacts for FREE. …NEVER uploads your phonebook to make it searchable or public."
TeenPatti: Indian Poker (500,000+ downloads)
"Teen Patti is the fastest and the most exciting Indian card game, similar to poker."
Observed behavior:
• Uploads entire contacts list, uploads incoming SMS sender without user interaction
• Uploads entire contacts list
Apps with undesired/unintended Security Consequences
Latest Solution Covering All App Threat Categories
Risk types compared (Top AV Vendors vs. Latest Solution):
• Malware
• Adware
• Vulnerabilities
• Undesired security consequences
Live Demo on Mobile Hacking
Demonstration of why Anti-Virus technology is not effective for mobile protection
- Inaccurate: based simply on the security access (permissions) an app requests on the phone
- Slow to detect the latest attacks
Live Demo of the latest mobile security solution
• 100% detection based on cloud infrastructure, freeing up CPU and memory on the phone
• Non-signature based solution, which helps to detect the latest attacks
• Provides detailed analysis of mobile threat behavior and the action taken
Uncovering the Threat
Contextual Correlation:
1 Does the app violate security policies?
2 What kind of behavior does the app exhibit?
3 Is the app malicious?
Analysis dimensions: Security Policy, Information, File System, Exploit, Network, Behavior
Secure without extra load on Mobile Devices
https://www2.fireeye.com/OFFER-14Q4-MobileSecurity-APAC-HK_LP---Register-for-Mobile-App.html
THANK YOU!
Questions and Answers