For many years, the primary threat to mobile devices was click-jacking and adware. But as the mobile device has become more deeply embedded in everybody’s life, as mobile banking has increased and the amalgamation of personal data on devices has grown, so has the attraction of the mobile device increased for both cyber criminals and even nation states.
In its first analysis (PDF) of the mobile threat landscape, endpoint security firm Crowdstrike examines the current and evolving state of mobile threats and malware. This threat is aggravated by the generally weaker level in the maturity of mobile security than in traditional desktop computers and servers.
There are five major categories of malware, although the report authors mention legal commercial spyware (which it terms ‘spouseware’ or stalkerware) as a possible sixth. “It significantly lowers the barrier to entry for deploying malicious software and should be considered part of any mobile device threat model,” they say.
The five primary categories are remote access tools (RATs), banking trojans, ransomware, cryptominers, and — the old favorite — advertising click fraud.
RATs are typically used to gather intelligence on users. This is especially attractive on mobile devices because of the easy access to built-in facilities such as microphones, cameras, and GPS chipsets. However, once installed, a RAT will often intercept SMS messages, with an emphasis on capturing MFA tokens sent to the device.
Indiscriminate data gathering by mobile RAT requires multi-platform capability, and while Apple’s iOS is not immune to RATs, cross platform RATs are more difficult to develop and sustain. For this reason, suggest the authors, multi-platform campaigns are best-suited to nation-state actors — and they point to four commercial companies that offer such products: Hacking Team (Remote Control System — RCS); Gamma Group (FinFisher), NSO Group (Pegasus) and DarkMatter (Karma). Other high-end RATs include Exodus and AndroRAT.
Mobile banking trojans — which also often provide functionality similar to RATs, are a second growth area. The key differentiator is the ability to deploy screen overlays that place invisible input boxes over legitimate logon panels. The credentials are stolen, but the user is often sent to the real banking service to maintain functionality and disguise the malicious action. Variations on this basic theme include the Gustuff Android trojan that sends push notifications that lead to a phishing page. If the user is persuaded to enter credentials, they are captured from the device’s virtual keyboard.
Ransomware is another typical desktop malware that is now targeting mobile devices. Here, however, the high use of cloud storage facilities by users makes encryption less useful. Instead the malware tends to simply lock the device and only unlock it on payment of the ransom.
Cryptomining malware is also found on mobile devices. On the one hand, cryptomining is inefficient on mobile devices due to the reliance on rapidly consumed battery power and the lack of algorithm optimization for mobile CPUs; but on the other hand, the vast number of potential victim devices makes it attractive. “CrowdStrike Intelligence,” say the authors, “assesses that Trojanized mobile applications will continue to embed cryptomining code due to the relatively low development requirements and risk incurred by the malware authors.”
The final category of mobile malware is advertising click fraud. This is the least directly dangerous for the user since it is primarily designed to hijack the user through hidden HTTP requests to specific advertising resources. Nevertheless, it represents a valuable revenue stream for bad actors, with the World Federation of Advertisers estimating in 2016 that such fraud could total up to $50 billion by 2025.
The primary distribution method for mobile trojans is via app stores, through phishing enabled distribution, via compromised websites, and through compromised OS images. The first is the simplest method. Weaponized versions of free tools or legitimate applications are uploaded to app stores in vast numbers. Some will always be missed by the app store’s application verification process, and some of these will be downloaded by users. The more attractive the supposed subject of the app, the more successful it will be — with one series that purported to drive simulation games being downloaded 560,000 times.
A second method is to send out spoofed SMS messages with links to a fake website. The fake website requests the user to update the app, but downloads a trojan.
Watering hole attacks are also used. Crowdstrike believes that the Iranian APT group it knows as Static Kitten (aka MuddyWater) used the Turkish NGO website setav[.]org to propagate mobile malware as part of a spreading mechanism delivered to additional targets via SMS.
One particularly effective distribution had a malware strain known as SimBad installed an estimated 150 million times during 2018. This, says Crowdstrike, “involved the compromise of the RXDrioder Software Development Kit (SDK) used by a number of legitimate developers to create applications that with each build included malicious code in the app package.”
The primary motivations behind mobile malware are financial gain (as in banking trojans, ransomware and click fraud), and intelligence or information gathering (through RATs and spyware). Crowdstrike notes that a possible future motivation could be disruption as part of a targeted ransomware attack on a company. When ransomware strikes, companies are often forced to fall back to mobile devices to continue internal communications. However, if the attackers can access the corporate mobile device management system, it would be possible to push out over-the-air (OTA) updates that install the malware on each corporate device at the same time, locking them from further use.
It is clear from Crowdstrike’s analysis that both the quality of mobile malware and the sophistication of the adversaries is increasing, with even nation-states getting more involved. This is down to the greater importance of mobile devices as part of everybody’s way of life, the sheer size of the target, and the relative weakness of mobile security. While strong security options are emerging for corporate devices that can and should be employed, there are fewer available options for private users.
Private users are, to a large extent, left to their own devices — and the standard advice, reiterated by Crowdstrike, is to avoid downloading from anywhere other than trusted sources and official app stores, to be aware of phishing methodologies and attempts, and to religiously patch the operating system whenever a new version becomes available.
Related: Intel Adds Hardware Shield to New 8th Gen Intel Core vPro Mobile CPUs
Related: Attackers Can Use Mobile Device Sensors to Generate Unique Device Fingerprint
