Embed Size (px)
Citation preview
A Comprehensive Guide to Mobile Targeted Attacks(and What Can You Do About It)Ohad Bobrov, [email protected]
twitter.com/LacoonSecurity
• The collapse of the perimeter
• Why mobile devices are targeted
• Mobile Remote Access Trojans (mRATs)
• Demo
• Infection vectors
• Detection, remediation, and building a secure BYOD / HYOD architecture
Agenda
• Protecting organizations from mobile threats
• HQ SF, USA. R&D Israel
• Cutting edge mobile security research team
• Protecting tier-1 financial, manufacturing, legal and defense organizations
About Lacoon Mobile Security
The Collapse Of The Corporate Perimeter
> 2011
TARGETED MOBILE THREATS
Why To Hack Mobile Device?
Eavesdropping
Extracting contact lists, call &text logs
Tracking location
Infiltrating internal LANs
Snooping on corporate emails and application data
The Mobile ThreatscapeB
usin
ess I
mp
act
Complexity
Consumer-oriented. Mass.Financially motivated, e.g.:Premium SMSFraudulent chargesBotnets
Targeted:PersonalOrganizationCyber espionage
Mobile Malware Apps
mRATs / Spyphones
The Mobile Threatscape
mRATs / Spyphones
High End: Government / Military grade
Mid Range: Cybercrime toolkits
Low End: Commercial surveillance toolkits
HIGH END:GOV / MIL mRATs
FinSpy – Mobile
Extracted from: http://wikileaks.org/spyfiles/docs/gamma/291_remote-monitoring-and-infection-solutions-finspy-mobile.html
MID: CYBERCRIME TOOLKITS
Recent High-Profiled Examples
LOWER END:COMMERCIAL
SURVEILLANCE TOOLKITS
Commercial Mobile Surveillance Tool (Spyphone)
Commercial Mobile Surveillance Tools:A Comparison
Varying Costs, Similar Results
Capability FlexiSpy AndroRAT FinFisher
Real-time listening on to phone calls
+ + +
Surround recording + + +
Location tracking (GPS) + + +
Retrieval of text + + +
Retrieval of emails + + +
Invisible to the user + + +
SMS C&C fallback + + +
Infection vector Physical Repackage Exploit?
Cost $279 Free €287,000
Activation screen + - -
STATISTICS
Data sample1 GB traffic sample of spyphone targeted traffic, collected over a 2-day period.
Collected from a channel serving ~650K subscribers
Traffic constrained to communications to selected malicious IP address
CommunicationsTraffic included both encrypted and non-encrypted content
Survey: Cellular Network 2M Subscribers Sampling: 650K
Survey: Cellular Network 2M Subscribers Sampling: 650K
Infection rates:
June 2013:
1 / 1000 devices
Survey: Cellular Network 2M Subscribers Sampling: 650K
DEMO
INFECTION VECTORS
Infection Vectors - Android
Current SecurityStatus
Current Solutions – FAIL to Protect
Mitigation: Current Controls
Mobile Device Management (MDM)
Multi-Persona
Wrapper
Active Sync
NAC
Mitigation: Current Controls
Mobile Device Management (MDM)
Multi-Persona
Wrapper
Active Sync
NAC
Detection: Adding Behavior-based Risk
Malware Analysis
Threat Intelligence
Vulnerability Research
Application
Behavioral AnalysisDevice
Behavioral Analysis
Vulnerability
Assessment
Lacoon Solution
