Malicious Apps, Targeted Attacks Are Major Concerns
Mobile threat research from the Anti-Phishing Working Group pinpoints key vulnerabilities, such as sophisticated
malware baked into rogue mobile applications, says anti-
phishing expert Dave Jevans.
Over the past six months, the APWG, a global consortium of industry leaders from various sectors, has analyzed emerging mobile security threats.
"There are a number of new attacks that are specifically targeted at mobile devices," Jevans, founder and chairman of the APWG, says in an
interview with Information Security Media Group [transcript below].
"The criminal underground ... has taken their focus and started to move it toward the mobile platform with malicious
apps," he says.
Some malicious apps are designed to intercept SMS/text messages that compromise out-of-band online-banking
authentication, Jevans says. Some are written to steal contact details. But other mobile attacks focus on networks. "Those include poisoning or takeover of the DNS or the Wi-Fi hotspot," he says.
"The big message here ... is that malicious and fraudulent activity on the mobile platform is growing much more quickly than it did on the PC platform," Jevans says.
Organizations have to be concerned about these risks and address them proactively, he says. "Anybody who is allowing their employees to bring these mobile devices into the workplace is at risk."
During this interview, Jevans discusses:
- Key mobile user risks and technical considerations the APWG has noted in its latest mobile threat reports;
- The authentication challenges U.S. banks are facing as more users adopt mobile banking;
- How the multitude of mobile operating systems is complicating mobile-risk mitigation.
Jevans serves as chairman of the
Anti-Phishing Working Group, a consortium of more than 1,500 financial services companies, Internet service providers, law enforcement agencies and technology vendors globally. He also is the founder of mobile security and cloud service provider Marble Security, formerly IronKey, and has been involved in Internet security for more than 15 years. Earlier, Jevans held senior management positions at Tumbleweed Communications, Valicert, Teros and Differential. He also served on the CEO's technology council at Apple Computer, helping formulate the company's Internet strategy. And he worked in the operating systems group and the advanced technology group at Apple, leading an engineering team that developed 3-D computer graphics systems for the Mac.
Mobile Threats
TRACY KITTEN: We've been talking about mobile threats for quite some time, but is there evidence now that some of these threats are actually materializing in the wild?
DAVE JEVANS: There is evidence, and we've published a research report and an addendum to it with technical information. It has been compiled over about six months with help from a number of the members of the APWG Mobile Working Group, a number of the security vendors out there, university folks and independent security researchers. What we're finding is that the criminal underground for the last five to 10 years has been targeting primarily PCs with malware, fraud schemes, phishing, spear-phishing and APTs, and have taken their focus and have started to move it toward the mobile platform with malicious apps, malware, Wi-Fi takeovers, big banking apps, etc.
Cyberthreats Aimed at Mobile
KITTEN: You've touched on malware and phishing, but are there new cyberthreats that are aimed at mobile that the APWG has now identified?
JEVANS: We've identified a number of new attacks that are specifically targeted at users of mobile devices. On the PC side of things, most of the attacks have traditionally involved malware, which exploits vulnerabilities in the operating system kernel or in applications, such as the Internet Explorer browser, or, more recently, vulnerabilities in common plug-ins such as the Adobe Acrobat Reader, Flash or Java and JavaScript. They typically have been lower-level-type exploits of bugs in the system.
On mobile, we're seeing less of that because the operating systems, in particular iOS and Android, are generally newer operating systems with a stronger security model than broader legacy operating systems like Windows. The threats are different and the threats that we've been seeing include what we would call malicious applications - not malware in the way that we're used to it on Windows, but applications that users are tricked into willfully and purposefully downloading.
An example would be there were versions of the game Angry Birds, which costs money to purchase. There are now versions of those that have been taken, hacked and malicious code's been added to them. They're posted for free on off-shore marketplaces where people can easily find them and they willfully download them, unaware that it's not the real version of Angry Birds.
We've also seen what we call SMS stealer applications that get onto the user's device and will intercept SMS messages that may be sent to them from their bank or increasingly from other online services as a form of two-factor authentication or transaction authentication. We've also seen network-level attacks primarily at the Wi-Fi level, or behind the Wi-Fi and the DNS, either at the Wi-Fi or at the ISP, and those include poisoning or takeover of the DNS inside of hotspots that have the default admin password. Those are attacks not just at the device, but actually at the Wi-Fi hotspots that everybody is using these devices to connect through. Those are some of the new types of attacks we're seeing against mobile users.
Mobile Threat Research
KITTEN: The APWG recently issued a report about some of these emerging threats. What are some of the highlights from that report?
JEVANS: The big message here as you look through the report and the final conclusion is that malicious and fraudulent activity on the mobile platform is growing much more quickly and will continue to grow much more quickly than it did on the PC platform over the last 10 years. The reason is because over 10 years of cybercrime, the underground has been created all around the world. It's composed of people who write phishing kits, people who write malware, people who have zero-day exploits, people who know how to push them out, spammers, and these people who run what we call bulletproof hosting where you can host these malicious apps and malware and you can't get them taken down. The fraud on the back-end - how they monetize, how they use mules to move money around the world - that infrastructure took 10 years to build. That is in place today and they have now figured out that everybody is moving on to the mobile platform, and that whole criminal underground is moving to monetize the mobile platform.
The other takeaway is that there are going to be new types of threats that are going to come after devices as they start implementing NFC payments using your mobile phone. That's going to be truly big dollars in transactions in the future. Your phone is your wallet, and they're fine-tuning their infrastructure to start waiting for that to be able to be exploited. We can expect large-scale attacks of exploit against these devices through these fake applications and that sort of thing as the phones become ... payment instruments.
The other thing that we've got in the report, in addition to a number of technical descriptions and examinations of specific exploits and specific malicious apps, is by working inside of the criminal underground, we've got a snapshot from this year, from the end of Q1, that looks at the different tool kits and services for malicious fraud and attacks against mobile devices and the pricing. What is the criminal underground selling these services and tools for? That's also an interesting glimpse into what we're up against.
Authentication Challenges
KITTEN: I'm also curious about the authentication piece. Is there some concern there about some of the authentication challenges or areas that may be vulnerable when it comes to mobile banking?
JEVANS: Yes. We do look at a number of the authentication challenges and attacks against authentication mechanisms. This breaks down into a couple of areas. One of them is the widespread use of SMS, or application-based messaging, as a second factor of authentication for regular PC-based banking. That's being regularly exploited. We have now seen tool kits ... which allow you to build your own branded app to basically intercept SMS authentication messages sent to phones and trick people into downloading that banking app, but it actually sits as a man-in-the-middle and intercepts those and allows attackers to get those transactions and authentication credentials and log in as you in real-time. Those are some of the things we've looked at.
There's also the threat that a user is on a jail-broken or rooted phone, which basically means if the mobile-banking app on that phone or tablet is not checking to see if the device is rooted or jail-broken, then all bets are off on authentication because the phone will have absolutely no security if it's jail-broken or rooted. That's something that's a great concern when you're opening up mobile banking with the ability to perform transactions. Doing transactions on mobile is increasingly under demand. It's demanded from users, but not just at the consumer level; also wholesale banking, CFOs and finance people want to use tablets to authorize payments. That's definitely a real concern for us.
Lastly, people are worried about, "How do I authenticate a user on a device, at the mobile device, but the SMS doesn't actually do anything?" Our belief is it actually does work as two-factor [authentication], at least through to that device. On an iPad or an Android pad it's a little different, so there are some challenges still to be worked out there.
Concern for Other Sectors
KITTEN: There's an obvious challenge for banking, but are there other sectors that should be concerned about some of these emerging mobile threats?
JEVANS: Anybody who's allowing employees to bring their own devices, in particular these mobile devices, into the workplace or to connect from them to internal workplace applications - whether it's ... the payment system, any form of intellectual property, even SharePoint - or who are allowing employees to use those to connect to third-party cloud services that they might be using, like Salesforce.com or Google Apps, needs to be concerned about the issues around detecting jail-broken, rooted phones and malicious apps on the user's phone.
I'll give you an example. There are some apps out there that, while not specifically malware, will leak corporate information, and this is applicable to banks and any other company. Think of a user on their own tablet and they've got an app that uploads the entire address book to a server out in the cloud. That address book may include all of the addresses of everyone in your corporate directory: their name, e-mail address, phone number and job title perhaps. That information is now being uploaded by one of your users out into some cloud. Whether it's malicious or not, that information is now out there with no control by IT, and that's perfect fodder for spear-phishing back inside the company.
Mobile Platform Vulnerabilities
KITTEN: Is there one type of mobile platform that you would deem to be more vulnerable than another?
JEVANS: In general, what we have seen is that the users of the Android platform are more at risk than users of the iOS platform - the Apple platform - or the BlackBerry platform. This is not to say that Android is an inferior technology, because it isn't. But Android and Google have a very open policy to the operating system and to the apps that can run on it, whereas BlackBerry is a very closed system and the Apple system is quite closed. They do have an app store, but effectively, unless your phone is jail-broken, you're only downloading apps from the app store or a corporate app store, and so there's much more security control around those apps.
When we look at Android, the reason that we're seeing 95 percent of the successful attacks and malicious apps being published for Android is there are thousands of different versions of the Android operating system. With Apple, there's only the current version and the previous ones and they're all controlled and issued by the vendor, by Apple. The Android platform is open-source. It's open. The last time I checked, there were over 6,300 different variants of Android that had shipped. That means there are a lot of versions for patching; those also can be configured by the vendors, so there could be lots of security issues with different versions.
The other reason that we see a lot of attacks against users of Android is that it's very easy to download apps from places other than the Android Play marketplace. In fact, there are companies like Amazon who are creating alternate marketplaces, commercial marketplaces, so users are encouraged and in fact want to use other marketplaces. We've seen over 20 different marketplaces - some legit, some full of pirate-ware and malware for the Android platform. It's not that the platform itself is any less secure; it's how it's configured and how open it is.
International Markets at Risk
KITTEN: Are there certain international markets that are at greater risk than others?
JEVANS: Yes. We have seen that in the current form, the European market appears to have a much more aggressive and developed set of attackers that are going after users of mobile devices than in the United States, Canada, etc. The reason for that is that mobile devices and mobile banking have become much more prevalent in Europe than in the United States much more quickly. People have been on those platforms for a long time. Also, two-factor authentication, even at the consumer level, has been far more widespread in Europe than it has in the United States. And, in many cases, they have been using the mobile phone with SMS or apps. The so-called TAN - Transaction Authentication Number - has been used for many years in Europe. The criminals have flocked to the European banking market. However, it doesn't mean that it's necessarily more or less risky because the exact same technical infrastructure is in both different continents so we can expect that they will be taking their wares, if you will, and moving it more aggressively into the American market.
KITTEN: Before we close, are there any final thoughts that you'd like to share about the APWG's report or mobile concerns generally?
JEVANS: I would encourage folks to take a look at both of the mobile reports. One of them looks at the cybercrime underground: the infrastructure; the pricing model; effectively what we're up against; how sophisticated it is and where the new threat vectors are coming from. The second report, more for pure IT security professionals, goes through an analysis of many different malicious applications, malicious social networks, supporting infrastructures, SMS stealers, phishing, sniffing and hosting providers. There are two accompanying reports on mobile security. I encourage people to look at them.
The last thing I'll say is that many people thought the days of effective phishing were somewhat behind us. Phishing still continues at some of the highest levels we've ever seen it, but the effectiveness has gone down as people have been educated and filters have gone in place. What we have seen, though, is that phishing and, in particular, spear-phishing - targeted phishing against the individual - is far more effective when the individuals are using mobile devices than when they're using PCs. We have a whole new set of things to be concerned about.
I'll finish by saying that mobile banking apps are great. They're flourishing. However, many of the developers of mobile banking apps are not security experts, and I encourage banks that are deploying mobile banking apps to go to the trouble of having a third-party analyze those apps. Do penetration testing and check to make sure that security certificate validation inside SSL, things of that nature, are actually implemented correctly. You can get copies of the report at www.apwg.org under the resources section; look for the Mobile Working Group.
