
Firm’s MDM Server Abused to Deliver Android Malware to 75% of Its Devices

A threat actor managed to compromise more than 75% of the devices within a company by distributing their malware through a mobile device management (MDM) server, Check Point reports.

As part of the attack, cybercriminals were distributing a new variant of the Cerberus Android malware that was designed to collect large amounts of sensitive data and exfiltrate it to a remote command and control (C&C) server. The victim was described as a “multinational conglomerate” and researchers believe the attack was targeted.

First identified on February 18, the attack involved the installation of two malicious applications onto the organization’s devices within a short period of time. This was possible because the attackers breached the target’s MDM server and abused its remote app installation features to install malware.
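The pattern described above, two packages pushed to most of the fleet within minutes through the MDM's remote-install feature, is something an MDM audit log can surface. The following detection sketch is an added example, not code from Check Point or SecurityWeek; the log format, the admin account, the device ids, the `com.hypothetical.*` package names and the fleet size are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MDM audit log (sample data, not from the incident): one remote
# app-install push per line, "timestamp,admin_account,device_id,package".
SAMPLE_LOG = """\
2020-02-18T08:40:00,it-admin,dev1,com.example.crm
2020-02-18T08:41:00,it-admin,dev2,com.example.crm
2020-02-18T09:00:00,it-admin,dev1,com.hypothetical.accessibility.update
2020-02-18T09:00:05,it-admin,dev2,com.hypothetical.accessibility.update
2020-02-18T09:00:10,it-admin,dev3,com.hypothetical.accessibility.update
2020-02-18T09:00:15,it-admin,dev4,com.hypothetical.accessibility.update
2020-02-18T09:12:00,it-admin,dev1,com.hypothetical.payload
2020-02-18T09:12:05,it-admin,dev2,com.hypothetical.payload
2020-02-18T09:12:10,it-admin,dev3,com.hypothetical.payload
2020-02-18T09:12:15,it-admin,dev4,com.hypothetical.payload
"""
APPROVED_PACKAGES = {"com.example.crm"}  # assumed allowlist of sanctioned apps
FLEET_SIZE = 5                            # enrolled devices (constructed)

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, actor, dev, pkg = line.split(",")
        events.append((datetime.fromisoformat(ts), actor, dev, pkg))
    return events

def find_mass_pushes(events, fleet_size=FLEET_SIZE, window=timedelta(minutes=30), threshold=0.5):
    """Flag packages pushed to >= threshold of the fleet inside one window; an unapproved package in the result is the MDM-abuse signal."""
    by_pkg = defaultdict(list)
    for ts, _actor, dev, pkg in events:
        by_pkg[pkg].append((ts, dev))
    findings = []
    for pkg, installs in sorted(by_pkg.items()):
        installs.sort()
        start, peak = 0, 0
        for i, (ts, _dev) in enumerate(installs):  # sliding window over install times
            while ts - installs[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in installs[start:i + 1]}))
        if peak / fleet_size >= threshold:
            findings.append({"package": pkg, "devices": peak,
                             "fraction": peak / fleet_size,
                             "approved": pkg in APPROVED_PACKAGES})
    return findings

if __name__ == "__main__":
    for finding in find_mass_pushes(parse_log(SAMPLE_LOG)):
        print(finding)
```

The two constructed packages are flagged at 80% of the fleet while the routine CRM push is not; in practice the threshold and window are tuned to the organisation's normal rollout cadence, and a flagged unapproved package is the trigger for an incident-response check of the MDM admin account that issued it.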

The Cerberus banking Trojan used in this attack is a known Malware-as-a-Service (MaaS) offering with Mobile Remote Access Trojan (MRAT) capabilities. It can log keystrokes on the device and steal credentials, Google Authenticator data, and received SMS messages (including 2FA codes). Attackers can use it to control the device remotely via TeamViewer.

Once installed, the malware displays a window that masquerades as an update for the Android accessibility service. If the user accepts the "update", the malware gains accessibility permissions that it can use whenever needed to act on the device without further user interaction.

Next, the app registers a receiver for various system events, so that it can start executing the malicious flow when one of them is triggered. After making initial contact with the C&C server, the malware receives a list of commands to perform.

The main module can steal Google Authenticator credentials, Gmail passwords and phone unlock patterns, send out a list of files and installed applications, and upload files on request. It can also block attempts to uninstall TeamViewer, which gives the attackers remote control over the device.

For persistence, the malware leverages admin privileges, and can prevent uninstallation attempts by automatically closing the App Detail page. It also disables Google Play Protect to prevent detection and removal.

A second module (payload), designed mainly with data and credential stealing capabilities, can collect all contacts, SMSs, and installed applications, and send the data to the C&C. Moreover, the module can send SMS messages, make calls, send USSD requests, display notifications, install or uninstall applications, and open popup activities with URLs.

According to Check Point, the malware performed its data stealing activities on all of the unprotected devices that were compromised, meaning that any credentials used there were stolen. If any of these unprotected devices was used by an administrator to access corporate resources using their credentials, the attackers received these credentials.

Due to the extent of compromise and the malware’s capabilities, the victim organization decided to factory-reset all devices.

“This campaign demonstrates the importance of understanding the difference between managing and securing mobile devices. While MDM offers an easy way to manage those devices, security cannot be ignored. Mobile devices are an integral part of the way we work, how we communicate, and how our businesses operate. They need to be protected as any other endpoint as they offer a tempting target,” Check Point concludes.

Related: Syrian Hackers Target Mobile Users With COVID-19 Lures

Related: Security, Privacy Issues Found in Government COVID-19 Mobile Apps

Related: Mobile Payment Fraud on the Rise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
