1.
Mobile Threats
Things Your Smartphone Does When Nobody is Looking

2.
Agenda
The “What”
The Problem Mobile Ecosystem
1 2 3 4
Threat The Fix
Landscape

3.
The Problem
1

4.
What Are The Risks
Define the Threats

5.
Moving Into The Enterprise
Bring Your Own Device
Security Compliance Privacy

6.
Mobile Crossroads
The Inflection Point
63%
Do you trust the security of your mobile device…
Have yet to make up their minds

7.
Threat Landscape
2

8.
The Mobile Threat Landscape

9.
Mobile Malware
Mobile Networks
Decentralized
Interconnected
Mobile
Quick Content Retrieval
Perfect Malware
Decentralized
Interconnected
Mobile
Quick Content Retrieval

10.
Statistics

11.
Malware Timeline
2011
July August September October November
Early to Malware Wave Exponential
the Game Begins Growth

12.
Primary Target
Android Most Targeted (65%)
iOS Absent (<1%)
WHY • Closed Technology
1%
• Harder to Reverse Engineer
7%
• Stronger OS Security
65%
27% • Better App Store Security
• No Fragmentation Issue
Android
J2ME
Symbian
Windows Mobile
Distribution of Mobile Threats by Platform 2011

13.
Mobile Malware
86% 7%
Repackaging Update
•Choose popular app •Similar to repackaging
•Disassemble •Does not add full
•Add malicious payloads payload
•Re-assemble •Adds small downloader
•Submit new app to •Payload downloaded at
public market runtime
Drive-By Standalone
•Entice users to •Commercial spyware
download malware •Non functional fake apps
<1% 14%
•Distributed via malicious (Fake Netflix)
websites •Functional Trojan code
•May or may not contain •Apps with root exploits
a browser exploit

14.
Mobile Malware
37% Privilege Escalation
•Attempts root exploits
•Small number of platform
vulnerabilities
Remote Control
•Similar to PC bots
•Most use HTTP based web
traffic as C&C
93%
•May use more than one •Advanced C&C models
exploit for attack translating from PC world
•Advanced obfuscation seen
in the wild
Financial Charges Information Collection
45%
•Premium rate SMS
•Both hard-coded and
runtime updated numbers
•Employ SMS filtering
•Harvests personal
information and data
•User accounts
•GPS location
45%
SMS •SMS and emails
•Phone call tapping
•Ad Libraries
Phone
Number

15.
Application Behaviors
Previous Code Web Sources
Your Code
Binary 3rd Party Source 3rd Party
Libraries Libraries

16.
Case studies
… !

17.
Vulnerabilities
• Sensitive data leakage
(inadvertent or side channel)
• Unsafe sensitive data storage
• Unsafe sensitive data
transmission
• Hardcoded password/keys

18.
Vulnerabilities
• Layered APIs on common
languages
• Blackberry and Android
use Java as a base
• Non-issue for Objective-C
(it’s own language)

19.
Mobile Ecosystem
3

20.
The Mobile Ecosystem
The Players of the Game
Consumer

21.
MDM Vendors
The Enterprise Choke Point
Enterprise Control Point
What They Provide
Device Enrollment and Management
Security Management
Device Configuration
Device Monitoring
Software Management
Security Components
Passcode Enforcement
Encryption
Feature Restriction
Compliance
Locate and Wipe
Certificate Management

22.
Mobile Anti-Virus
Old Methods Rehashed
Old Methods Rehashed
What They Provide
Quarantine and Eradicate Malware
Signature Based Analysis
Security Components
Locate, Lock, and Wipe
Cloud Analysis
Spam Filtering
Email Attachment Scanning
Data Backup

23.
Application Markets
The Distributor
The Distributor
What They Provide
Marketplace for Applications
User Ratings
Application Updates
Security Components
Application Approval Process
Android Bouncer
iOS Scanning

24.
Developers
The Source
The Source
What They Provide
Enterprise Application Development
Consumer Application Development
Cross-platform Expertise
Security Components
Variable on Developer Capabilities

25.
The Fix
4

26.
The Fix
Securing Against Multiple Threats
Capabilities Mapping
Malware Detection
Vulnerability Analysis

27.
Capabilities Mapping
Features and Permissions
Data Sources Data Sinks Mapping
• Location Data • HTTP Requests
User Facing
• Contacts • Outbound SMS
• Email • Outbound Email • Trace Sources to Sinks
• SMS Data • DNS Requests • Application “Intent”
• SQL Access • TCP • Permission Mapping
• File System • UDP • Human Intelligence
• Photos • Vulnerable Code
• Phone ID Values
Code Flow Data Flow

28.
Malware Detection
Learn From Previous Mistakes
Static
Signatures Analysis
Signatures Human
Signatures
Intelligence
Dynamic
Basic Heuristics Analysis

29.
Vulnerability Analysis
Find the Flaws
Environmental
Flaws
Application
Flaws

30.
Strategic Control Points
Security and Power
Application Markets
Enterprise Developers
MDM Consumer Developers
Outsourced Developers
Anti-Virus COTS Developers
… Developers
Enterprise

31.
Enterprise Fixes
De-Risk B.Y.O.D
Policy
Process
Technical
Controls

32.
Consumer Fixes
Will Users Learn?
Security Awareness
• Read EULAs & prompts..
• Understand permissions
• Know what jail breaking
does to the security
posture of the device
• Recognizing phishing and
social engineering
• Practice practice practice

33.
Permissions
*SCOFF*
Just Let Me Fling Birds at Pigs Already!

34.
Vendor Fixes
It Takes a Village
Verification
Process and Policy
User Facing
Platform Security

35.
Developer Fixes
Secure Coding
TRAINING
SDLC
AWARENESS

36.
The Road Ahead
Where do we go from here?
Capabilities Malware Vulnerability A Safer
+ + =
Mapping Detection Analysis Mobile Path

37.
Sources
Show me the data
• http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf
Juniper Network Trusted Mobility Index
• http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf
A History of Malware – Trend Micro
• http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf
A Survey of Mobile Malware In The Wild – UC Berkeley
• http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5
Mobile Malware Evolution Part 5 – Kaspersky Labs
• http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf
Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang
• http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google-
maps/2012-06-11
Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps
• http://www.net-security.org/secworld.php?id=13050
LinkedIn Privacy Fail
• http://www.trailofbits.com/resources/mobile_eip_2.pdf
Mobile Exploit Intelligence Project – Trail of Bits
• http://www.net-security.org/secworld.php?id=12418
Social Mobile Apps Found Storing User’s Content Without Permission
• And More…. Contact me if you need something specific I may have left out…