Mobile Malware Attacks and Defense

Mobile Malware Attacks and Defense

Syngress Publishing, Inc.

Chapter One

Solutions in this chapter:

* Understanding Why Mobile Malware Matters Today

* An Introduction to MM Threats

* An Introduction to Mobile Security Terminology

•   Summary

•   Solutions Fast Track

•   Frequently Asked Questions

Introduction

Explosive growth in the mobile market of smartphones, personal digital assistants (PDA), and similar integrated devices like an iPhone has become evident since the turn of the century. Concurrent with this emergent growth in the mobile media market is the development of mature cyber-criminal fraud operations and the spread of the first mobile malware (MM) in the wild.

Since at least 2000, select security experts have predicted gloom and doom about pending future attacks against smartphones and other mobile devices. In large part, they were wrong, not understanding all of the elements necessary to create the perfect storm for malicious attacks against mobile media. It takes more than technology vulnerabilities to result in exploitation—criminals testify to this fact on the Windows platform today! With a global explosion of mobile solutions and services, assets are increasingly integrated into this emergent medium. Criminals are already exploiting it for financial gain. The problem will certainly get worse before it gets better as this new market matures for an increasingly mobile society globally.

This is the first book of its kind addressing malicious attacks against mobile devices. Some conferences now focus significantly on new devices and how to exploit, analyze, and manage these new solutions. With the rapid change of technology, continually strained technology staff capabilities, and a very mature global criminal market, the time is now to act upon mobile security. This book takes you through the foundational aspects of mobile security and mobile malware and equips you with the necessary knowledge and techniques to successfully lower risk against emergent mobile threats.

This book has been organized with a technical content flow that progresses from easy to more difficult. The first five chapters are easier to read for the nontechnical individual. Chapter 6 introduces higher mathematical models for working with phishing identification and mitigation and more complicated vishing attacks. Chapter 7 onwards dives into a wide range of technologies, exploits, and deep analysis of mobile malware (MM). Most importantly, each chapter is somewhat modular in design to support the geek in you, particularly when you need to look up reference material quickly in the book.

Understanding Why Mobile Malware Matters Today

The advent of mobility and consumer convenience cannot be denied. Historic days of talking about a network perimeter are seriously antiquated and no longer applicable to an increasingly networked world utilizing multiple operating systems, devices, and mobile solutions.

Risk, a function of the likelihood of a given threat and the ability for it to exercise damage or losses related to assets, has never been higher for the mobile market. Take, for example, an executive on the go who requires a BlackBerry for corporate calls, Web surfing, e-mail access, and even the ability to view e-mail attachments. If his device is attacked, his ever-important black book of contacts may be compromised or used in targeted attacks against individuals known to him. Corporate e-mails may be leaked and company data used by competitors or hackers looking to sell that data for a price. Ongoing monitoring of a compromised device could also lead to additional problems and data loss. For a busy executive on the go, security for the mobile device has now become mission critical for daily security operations. Any of the preceding security breaches could result in significant drops in consumer confidence and public stock values, significant lawsuits over identity theft or data loss, or competitors gaining the edge by leveraging stolen data from the executive.

Consumer security also matters to large enterprise networks. Financial institutions are working hard to gain the trust of consumers to perform mobile banking and similar services through their mobile solutions. Their work is paying off, with some surveys revealing nearly double the adoption and use rate by younger adults under the age of 35. In Asian and European locations, cell phones are starting to replace traditional landlines, and in some locations, such as Italy, the mobile device penetration rate is of over 90 percent. As each consumer begins to perform mobile banking, purchase multimedia for entertainment interests, and use mobile devices for productivity, a suite of products and services are quickly being implemented to cash in on the opportunities. Significant global assets now exist within the mobile market, ripe for the picking by a mature criminal underworld already adept at fraud in a traditional Windows operating system.

System administrators and forensic experts now face the need to be trained in, and properly implement, maintain, and respond to mobile security products within an enterprise environment. Several notable cases have already emerged where executives and others have been investigated for illegal actions performed through mobile devices. Forensic analysts need to know how to properly maintain chain of custody in order to investigate and analyze mobile device content. With a surge of new devices and solutions on the market, this is no easy task.

Many administrators are generally familiar with malicious code but are unaware of the details regarding MM. Understanding the history of MM to date, and the general capabilities of each primary family, is an essential element in preparing system administrators in their management of security for such products, in addition to assisting forensic analysts. The advent of Cabir source code spread by a group called 29A significantly changed the landscape of MM development as we know it today. Symbian is now the most widely targeted operating system by MM in the wild. Developments and attention paid to newer operating systems, such as the iPhone, are now on the front burner for many in whitehat, grayhat, and blackhat communities.

Traditional attacks like phishing, and newer twists like vishing, also impact mobile security. Mobile media adoption is huge when it comes to "texting" with others, not to mention brief phone calls and e-mails to friends and family. Devices and the communication systems they involve are becoming highly trusted, and are a lifeline of communication for many users globally. Criminals seeking to financially defraud such users will certainly leverage social engineering to exploit consumers and their core elements of trust in the mobile market for maximum financial gain.

By 2008, the market for vulnerability research is also mature, with many capable analysts looking into possible vulnerabilities and exploits for mobile devices like iPhones and others. As the mobile market matures, an increased diversity in devices, software, and operating systems provide multiple vectors for default settings abuse and the exploit of vulnerabilities. Some devices like the famed iPhone that debuted in 2008 are targeted by some to claim the glory of being the first to successfully exploit such hardware.

In a different case in 2008, iPhones became vulnerable to DNS (domain name server) cache poisoning because Apple Computers did not immediately apply a patch issued in July 2008. Naturally, management of core servers can take days or weeks in larger organizations as patches are evaluated and integrated into a patch cycle. Meanwhile hackers and criminals work concurrently to exploit the narrow windows of opportunity that sometimes present themselves during vulnerability and exploit research and disclosure.

Mitigation of MM crosses many layers. It's not just the hardening of a device and software, and the use of mobile antivirus software. A thorough understanding of best practices is essential for this emergent market. This book documents for the first time detailed mitigation measures and solutions to aid system administrators in fighting the good fight against MM.

An Introduction to MM Threats

MM has steadily increased since 2000. Figure 1.1 from F-Secure Corp. reveals a significant increase from 2004 onward, when the source code for Cabir was widely disseminated in the wild.

MM existed in the wild since 2000 but didn't take off in terms of total variants until 2004 due to the source code of Cabir being spread, and the popularization of MM within the virus authoring underground. Symbian has been the top targeted system for many years as a result—something that is evident in Figure 1.2.

New platforms are being added, such as iPhone, as technology develops for this emergent field. While only a few threats exist for other platforms, such as J2ME, they can be notable and significant in relationship to cyber-crime and the motives of individuals targeting mobile media fraud opportunities. RedBrowser is one such example, dialing premium lines after infection to financially remunerate the bad actor. The vast majority of MM types to date are Trojans, not worms. It remains to be seen if development of MM variants in the wild will mimic historical Windows malicious code development.

Vectors for spreading MM mark important capability changes over the years. Initially, MM threats were limited to spam sent to devices and codes received over Bluetooth. Now MM may spread through multiple media, including Bluetooth, MMS (multimedia messaging service), MMC (MultiMediaCard), and user installations (see Figure 1.3).

What is interesting about this pie chart is that it shows a significantly different set of data for what is seen in MM itself versus what users report. Users cite a much higher rate of MMS, and a lower rate of user install vectors (see Figure 1.4).

An Introduction to Mobile Security Terminology

Because there is no international standard for naming conventions of malicious code, and a wealth of emergent security terms exist that are not well defined to date, an introduction to terms used in this book may help you better approach these chapters as you read them. Additional terms exist in the glossary for reference as needed.

Vectors for Spreading MM

Vectors refer to the path that MM uses to spread to another computer, such as spreading over Bluetooth. It can also be broken down into traditional malicious code categories, such as user-interaction, Trojan, worm, and similar terms. The focus for this section is on how MM is able to technically spread to a device, and the protocols used in spreading routines.

Bluetooth

A wireless communication protocol utilizing short-range radio transmissions at 2.4GHz, and is designed for communications within the local area, ten meters or less (about 30 yards or closer). The name is derived from the Viking King who unified Denmark.

MMC

MMC stands for MutliMediaCard.

Multimedia Messaging Service (MMS)

A communication protocol extension of SMS providing support for transfer of multimedia, including images, audio, and video. MMS is global, whereas other protocols like Bluetooth are only local to the device (within a short range). MMS messages can also be transferred between handheld devices and computers via e-mail.

HTTP

Also known as Hypertext Transfer Protocol, it is used to browse the Internet.

SMS

A communication protocol enabling short text messaging between mobile telephone devices. More commonly known as text messaging or "texting."

Attack Types

The following content is primarily related to attacks that are launched against mobile devices rather than those used to audit them. In general, you'll notice many terms with the term "blue" attached, helping identify it as a Bluetooth type attack.

Hacking Defaults

A technique used to hack into devices or software that utilizes knowledge of default passwords, settings, and/or configurations.

Denial-of-Service (DoS)

An attack designed to disrupt and/or deny use of a device, service, or network.

Exploit

Software or actions taken that leverage a vulnerability to perform unintended actions. For example, a bad actor may create an exploit to execute arbitrary code on a vulnerable operating system that requires a patch to fix a flaw in the code.

Bloover/II

A proof-of-concept application that runs on Java and is used as a phone auditing tool (snarfs phonebooks). It is also called the "Bluetooth Wireless Technology Hoover" because of how it can "vacuum" phone details. Runs on J2ME-enabled cell phones.

(Continues...)

---

Excerpted from Mobile Malware Attacks and Defense by Saeed Abu-Nimeh Michael Becher Seth Fogie Brian Hernacki Jose Andre Morales Craig Wright Copyright © 2009 by Elsevier, Inc.. Excerpted by permission of Syngress Publishing, Inc.. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---