Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Black Hat Keynote: Mobile Platforms ‘Actively Obstructing’ Zero-Day Malware Hunters

Prominent security practitioner Matt Tait kicked off the annual Black Hat security conference Wednesday with a call for platform vendors to make major technology changes to help cope with the surge in mobile zero-days and supply chain attacks.

Prominent security practitioner Matt Tait kicked off the annual Black Hat security conference Wednesday with a call for platform vendors to make major technology changes to help cope with the surge in mobile zero-days and supply chain attacks.

Tait, an outspoken researcher who has held stints at Google’s Project Zero and the U.K.’s GCHQ intelligence agency, said mobile platforms must immediately start providing improved “on-device observability” to help defenders cope with ongoing in-the-wild zero-day attacks.

“There’s an enormous amount of exploited zero-day being detected in the wild and no device observability. This should be a wake-up call to all of the platform vendors.  It’s deeply disturbing that we know that there’s massive amounts of zero-day being exploited against mobile platforms and we have no forensics on devices in order to collect this data,” Tait said.

[ Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The Corellium COO explained that on-device observability is necessary before, during and after an intrusion to help incident responders understand the true scale of an advanced attack.

“When you discover a new threat actor, one of the first things [an incident responder] will do is they will go back and will look at an enormous pile of Windows binaries, and they will say, do any of these other binaries show similar artifacts because, maybe that’s malware that’s been used in the past.”

“Maybe there are other pieces of malware [associated with a threat actor]. This helps with attribution. It helps with detection. It helps with working out who the victims are, and it increases the cost of the attacker that these systems exist. They should exist on mobile, but they don’t,” Tait declared.

Even worse, Tait accused mobile platform vendors of “actively obstructing” any attempts at accessing security features and data from devices.

“The problem at the moment is the platform vendors in the mobile space are actively obstructing some of the security features that we need. One of these is the ability to scan apps. We should be able to scan all applications in a given app store,” he declared.

“We can ‘kind of’ do this on the Play Store on Google Android, but we really can’t do that on iOS at the moment,” he added.

[Related: The Big SolarWinds Supply Chain Hack ]

“It should also be possible to install security agents on mobile devices and also do forensics. And this should be both post-compromise and also in anticipation of compromise,” Tait said, arguing that mobile systems have been specifically designed to prevent malware scanning tools.

Even beyond mobile platforms, Tait said big technology providers must take the lead in helping to thwart major supply chain attacks like the ones that hit SolarWinds, CodeCov and Kesaya.

“Supply chain infections can only be fixed by platform vendors. The government is not coming to save you,” Tait declared, insisting that tech providers need to aggressively “de-privilege applications,” break permissions to entitlements, and impose auditing requirements on highly-permissioned apps.

Even as the U.S. government is aggressively pushing ahead with mandatory security requirements to handle software supply chain problems, Tait insists these issues cannot be fixed by bureaucrats in federal agencies.

“I think the first thing to point out is the government is not going to fix [supply chain security issues]. This isn’t going to get fixed by a collection of international organizations. It’s not going to be fixed by a consortium of governments. The only way to tackle supply chain intrusions at the scale that’s needed is to fix the underlying technology,” Tait added.

The real fix, Tait insists, is for platform vendors to automate trust throughout computing but he acknowledges the problems will remain in place because technology changes sometimes conflict with “substantial business interests.” 

Related: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: For Microsoft, Security is a $10 Billion Business

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.