Firm’s MDM Server Abused to Deliver Android Malware to 75% of Its Devices

A threat actor managed to compromise more than 75% of the devices within a company by distributing their malware through a mobile device management (MDM) server, Check Point reports.

As part of the attack, cybercriminals were distributing a new variant of the Cerberus Android malware that was designed to collect large amounts of sensitive data and exfiltrate it to a remote command and control (C&C) server. The victim was described as a “multinational conglomerate” and researchers believe the attack was targeted.

First identified on February 18, the attack involved the installation of two malicious applications onto the organization’s devices within a short period of time. This was possible because the attackers breached the target’s MDM server and abused its remote app installation features to install malware.
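The pattern described above, unapproved apps pushed to most of a fleet within minutes through the MDM's own install feature, is something a defender can hunt for in the MDM server's audit log. The following is an added example, not code from Check Point or any MDM vendor; the log format, field names and the `remote_install` event name are assumptions, and the sample lines are constructed.

```python
"""Flag mass deployments of unapproved packages in MDM install logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed schema): timestamp, event, device id, package.
SAMPLE_LOG = """\
2020-02-18T09:00:12 remote_install dev-001 com.corp.mail
2020-02-18T09:01:40 remote_install dev-001 com.example.sysupdate
2020-02-18T09:01:41 remote_install dev-002 com.example.sysupdate
2020-02-18T09:01:45 remote_install dev-003 com.example.sysupdate
2020-02-18T09:02:02 remote_install dev-004 com.example.sysupdate
2020-02-18T13:30:00 remote_install dev-002 com.corp.vpn
"""

# Packages the organization actually publishes through its MDM (constructed).
APPROVED = {"com.corp.mail", "com.corp.vpn"}


def parse_installs(log: str):
    """Yield (timestamp, device, package) for every remote install event."""
    for line in log.splitlines():
        ts, event, device, pkg = line.split()
        if event == "remote_install":
            yield datetime.fromisoformat(ts), device, pkg


def suspicious_pushes(log: str, fleet_size: int,
                      window: timedelta = timedelta(minutes=10),
                      fraction: float = 0.5) -> dict:
    """Return {package: device_count} for packages not on the allowlist that
    reached at least `fraction` of the fleet within any `window`-long span.
    A legitimate rollout is usually staged; a hijacked MDM pushing malware
    to most devices at once is not."""
    by_pkg = defaultdict(list)
    for ts, device, pkg in parse_installs(log):
        if pkg not in APPROVED:
            by_pkg[pkg].append((ts, device))
    alerts = {}
    for pkg, hits in by_pkg.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct devices that received this package within the window
            devices = {d for t, d in hits[i:] if t - start <= window}
            if len(devices) / fleet_size >= fraction:
                alerts[pkg] = len(devices)
                break
    return alerts
```

Tune `fraction` and `window` to the organization's normal rollout pace; the thresholds here are illustrative.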

The Cerberus banking Trojan used in this attack is a known Malware-as-a-Service (MaaS) offering with Mobile Remote Access Trojan (MRAT) capabilities. It can log keystrokes on the device and can steal credentials, Google Authenticator data, and received SMS messages (including 2FA codes). Attackers can also use it to control the device remotely via TeamViewer.

Once installed, the malware displays a window that masquerades as an update for the accessibility service. Once the user accepts the update, the threat can use the accessibility service whenever it needs to act without further user interaction.

Next, a broadcast receiver is registered for various system events, so that the app can start its malicious flow when one of them is triggered. After making initial contact with the C&C server, the malware receives a list of commands to perform.

The main module of the threat can steal Google Authenticator credentials, Gmail passwords and phone unlocking patterns, send out a list of files and installed applications, and upload files on request. It can also block attempts to uninstall TeamViewer, which provides the attackers with remote control capabilities.

For persistence, the malware leverages admin privileges, and can prevent uninstallation attempts by automatically closing the App Detail page. It also disables Google Play Protect to prevent detection and removal.

A second module (payload), designed mainly with data and credential stealing capabilities, can collect all contacts, SMSs, and installed applications, and send the data to the C&C. Moreover, the module can send SMS messages, make calls, send USSD requests, display notifications, install or uninstall applications, and open popup activities with URLs.

According to Check Point, the malware performed its data stealing activities on all of the unprotected devices that were compromised, meaning that any credentials used there were stolen. If any of these unprotected devices was used by an administrator to access corporate resources using their credentials, the attackers received these credentials.

Due to the extent of compromise and the malware’s capabilities, the victim organization decided to factory-reset all devices.

“This campaign demonstrates the importance of understanding the difference between managing and securing mobile devices. While MDM offers an easy way to manage those devices, security cannot be ignored. Mobile devices are an integral part of the way we work, how we communicate, and how our businesses operate. They need to be protected as any other endpoint as they offer a tempting target,” Check Point concludes.

Related: Syrian Hackers Target Mobile Users With COVID-19 Lures

Related: Security, Privacy Issues Found in Government COVID-19 Mobile Apps

Related: Mobile Payment Fraud on the Rise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
