Threat of Mobile Malware


  • 8/7/2019 Threat of Mobile Malware

    1/26

    Messaging Anti-Abuse Working Group

    MobiCASE Mobile Security Workshop, October 28 2010

    Alex Bobotek,

    Co-Vice Chairman, MAAWG

    Co-Chairman, MAAWG Wireless Special Interest Group

    Threat of Mobile Malware and Abuse


    MAAWG | maawg.org | Washington D.C 20102

    Attendees Reminder:

    What you say may be reported

    Press is present


    20 Years of Mobile Abuse

    1996-1999: The birth of consumer mobile data

    Mobile abuse nearly non-existent

    Widespread paranoia

    2000-2008: Steady growth

    Grew up with scattered spam, pranks and fraud

    2009-2013: The mobile explosion

    The rise of mobile abuse

    2014-2015: Fixed/Mobile convergence


    PART I: HISTORY


    Pre-2000 Issues

    Threat: Email-to-SMS cannons (e.g., accidental sysadmin script)
    AT&T Wireless Defense: Rate limiters, regex and address filters
    Severity: L


    2004 Issues

    Threat: Email-to-SMS cannons (e.g., accidental sysadmin script)
    Defense: Rate limiters, regex and address filters
    Severity: M

    Threat: Email-to-SMS spam (mostly non-targeted)
    Defense: Brightmail Content filters
    Severity: M


    2006 Issues

    Threat: Email-to-SMS cannons (e.g., accidental sysadmin script)
    Defense: Rate limiters, regex and address filters
    Severity: M

    Threat: Email-to-SMS spam (mostly non-targeted)
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Brightmail Content filters
    Severity: H

    Threat: Targeted Web-to-SMS and Email-to-SMS spam
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Cloudmark Content filters
      - Honeypots
      - Active monitoring
    Severity: H


    Web SMS Spam: 7/2006 AT&T Passport Holiday Attack

    First sophisticated, high-volume, targeted SMS attack
    SMS using custom-developed malware
    AT&T attacked: Replay of 2005 email attack on Verizon
    Directed against WebSend (www.cingularme.com)
    Used a network of open/hijacked PCs/proxies to hide IP
    Sample spam SMS (one of several morphing types):

        FRM: Angela
        SUB: absolutly
        MSG: Congratulations, You just won a cruise to the Bahamas PLUS $1000.00 Travel Cash! Call Now 8OO941O98O

    Delivered at a rate of about 5/s: ~ 300k total messages reached subscribers' phones

    Defense: cat-and-mouse game of writing filter rules

    With 62M+ subscribers available, attackers will go to great lengths to deliver spam
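
    One filter rule that survives the morphing shown in the sample, as an added example that is not part of the original slides: the callback number is the part of the message the sender cannot change freely, so the rule normalizes look-alike characters (the sample writes zero as the letter O) and matches on the number. The look-alike table beyond O, the function names and the morphed message are assumptions made for illustration.

```python
import re

# Letters commonly swapped in for digits. "O" for zero is what the sample on
# this slide does; the other entries are assumptions added for illustration.
LOOKALIKES = str.maketrans("OoIlSB", "001158")

# 10-11 digit-or-lookalike characters, each followed by up to two separators,
# not embedded in a longer alphanumeric token.
CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9])(?:[0-9OoIlSB][\s().-]{0,2}){10,11}(?![A-Za-z0-9])"
)

def callback_numbers(text, min_real_digits=4):
    """Return normalized 10-digit callback numbers found in an SMS body."""
    found = []
    for match in CANDIDATE.finditer(text):
        raw = match.group(0)
        # Require some genuine digits so ordinary words are not matched.
        if sum(ch.isdigit() for ch in raw) < min_real_digits:
            continue
        digits = re.sub(r"\D", "", raw.translate(LOOKALIKES))
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]          # drop the NANP country code
        if len(digits) == 10 and digits not in found:
            found.append(digits)
    return found

def is_blocked(text, blocklist):
    """True if any callback number in the message is on the blocklist."""
    return any(num in blocklist for num in callback_numbers(text))

# Message body from the slide, and a constructed morph of the same message.
SLIDE_SAMPLE = ("Congratulations, You just won a cruise to the Bahamas "
                "PLUS $1000.00 Travel Cash! Call Now 8OO941O98O")
MORPHED = "You WON a Bahamas cruise!! Call 800-941-O98O today"

if __name__ == "__main__":
    blocklist = set(callback_numbers(SLIDE_SAMPLE))
    print(blocklist, is_blocked(MORPHED, blocklist))
```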


    2007 Issues

    Threat: Email-to-SMS cannons (e.g., accidental sysadmin script)
    Defense: Rate limiters, regex and address filters
    Severity: M

    Threat: Email-to-SMS spam (mostly non-targeted)
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Brightmail Content filters
    Severity: H

    Threat: Targeted Email-to-SMS spam
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Cloudmark
        - Content filters
        - Honeypots
        - Active monitoring
    Severity: H

    Threat: Mobile-to-Mobile spam (Future)
    Defense:
      - Limiters, Anti-Harvest
      - Spam feedback
        - Honeypots
        - Subscriber spam reporting
      - Cloudmark (or competitor)
        - Content filters
        - Active monitoring
    Severity: M


    Messaging Unlimited Issue/Risk

    April 2007: New AT&T Messaging Unlimited rate plan replaces 3000/month Messaging Extreme as high-end messaging plan
    Prior to this, AT&T has had limited problems with MO spammers
    Spam techniques observed
      - Banks of phones tethered to computers, Device-resident programs, and/or Aircard(s)
    New plan's spam economics (Messaging Unlimited plan) is a 99% discount for spammers
      - Old rate (116 millicents per unfiltered message) is in the very high range of commercial spammers.
      - New rate of 0.652 millicents per unfiltered message is well in the range of commercial spammers.

                 Previous Offer:       New Offer:
                 Messaging Extreme     Messaging Unlimited
    Msg/month    3000                  3067200
    $/month      34.99                 25.00
    $/msg        0.011663333           0.00000652


    2009 Issues

    Threat: Email-to-SMS cannons (e.g., accidental sysadmin script)
    Defense: Rate limiters, regex and address filters
    Severity: M

    Threat: Email-to-SMS spam (mostly non-targeted)
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Content filters
    Severity: H

    Threat: Targeted Email-to-SMS spam
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Content filters
      - Honeypots
      - Active monitoring
      - Subscriber spam reporting
    Severity: H

    Threat: SMS/MMS security hole exploits
    Defense:
      - Protocol filters
      - Limiters, Anti-Harvest
      - Content Filters
      - Honeypots
      - Active Monitoring
    Severity: M/H

    Threat: Mobile-to-Mobile spam/virus
    Defense:
      - Limiters, Anti-Harvest
      - Spam sensing
        - Honeypots
        - Active monitoring
        - Subscriber spam reporting
      - Content filters
    Severity: M


    #1 Issue of 2009: EmailSMS Smishing


        FRM: STERLING
        MSG: Sterling Alert.Unusual activity Call now at 1-(877)-345-4671


    2010 Issues

    Threat: Email-to-SMS cannons (e.g., accidental sysadmin script)
    Defense: Rate limiters, regex and address filters
    Severity: M

    Threat: Email-to-SMS spam (mostly non-targeted)
    Defense: RBLs, Limiters, Anti-Harvest, Content filters
    Severity: H

    Threat: Targeted Email-to-SMS spam
    Defense:
      - RBLs, Limiters, Anti-Harvest
      - Content filters
      - Honeypots
      - Active monitoring
    Severity: H

    Threat: SMS/MMS security hole exploits
    Defense:
      - Protocol filters (planned)
      - Limiters, Anti-Harvest
      - Content filters
    Severity: M/H

    Threat: Mobile-to-Mobile spam/virus
    Defense:
      - Limiters, Anti-Harvest
      - Spam sensing
      - Content filters
    Severity: M

    Threat: SIM Boxes
      - Roaming fraud
      - Spam
      - International and long distance fraud
    Defense: ???
      - IMEI Analysis?
      - Location Analysis?
      - Pro-active investigation of discount providers?
    Severity: ?

    Mobile botnets are extremely rare (or non-existent)


    Mobile-Originated SMS Abuse

    Spammers connect phones/aircards to PCs
    Mostly prepaid (anonymous) SIMs with unlimited messaging
    Assessment: > 50% of spam generated by < 5 spammers
    ~0.1% of US SMS is MO spam
    >500% annual growth rate
    Defense: SIM shutdown and inter-carrier blocking
    Spammer countermeasure: Buy many SIMs & swap to limit daily per-SIM volume

    [Graph redacted]
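
    The SIM-swap countermeasure seen from the defender's side, as an added example that is not part of the original slides: a per-SIM daily limiter misses a sender who rotates SIMs, while grouping the same traffic by device (the "IMEI Analysis?" the 2010 slide raises as an open question) brings it back into view. The record layout, thresholds, identifiers and sample data are all constructed assumptions.

```python
from collections import defaultdict

def analyze(records, per_sim_limit=1000, per_device_limit=2000, max_sims=3):
    """records: (day, imsi, imei, mo_sms_count) daily totals per SIM/device.

    Returns (sims_over_limit, flagged_devices, sims_to_review) as sets.
    """
    sim_totals = defaultdict(int)   # (day, imsi) -> messages sent
    dev_totals = defaultdict(int)   # (day, imei) -> messages sent
    dev_sims = defaultdict(set)     # (day, imei) -> IMSIs seen in the device
    for day, imsi, imei, count in records:
        sim_totals[(day, imsi)] += count
        dev_totals[(day, imei)] += count
        dev_sims[(day, imei)].add(imsi)

    # What a per-SIM limiter sees.
    sims_over = {imsi for (_, imsi), n in sim_totals.items() if n > per_sim_limit}

    # What per-device aggregation sees: high volume or many SIMs in one day.
    flagged = set()
    for key, n in dev_totals.items():
        if n > per_device_limit or len(dev_sims[key]) > max_sims:
            flagged.add(key[1])

    # Every SIM that appeared in a flagged device is a shutdown candidate.
    review = set()
    for (_, imei), sims in dev_sims.items():
        if imei in flagged:
            review |= sims
    return sims_over, flagged, review

# Constructed sample: one device rotating six SIMs at 900 messages each,
# one ordinary subscriber, and one SIM that simply sends a lot.
RECORDS = (
    [("2010-10-01", f"IMSI-A{i}", "IMEI-BANK-1", 900) for i in range(6)]
    + [("2010-10-01", "IMSI-N1", "IMEI-PHONE-1", 40),
       ("2010-10-01", "IMSI-H1", "IMEI-PHONE-2", 5000)]
)

if __name__ == "__main__":
    over, devices, review = analyze(RECORDS)
    print("per-SIM limiter:", sorted(over))
    print("per-device view:", sorted(devices), "->", sorted(review))
```

    A bank of separate handsets presents many IMEIs, so this catches SIM rotation within one device rather than the whole bank; the slides list location analysis as a further open question.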


    Mobile malware

    Mobile is on the rise

    [Chart: Cumulative number of malware signatures, half-yearly from H2 2004 to H1 2010; vertical axis 0 to 1600. Source: Kaspersky Lab, October 2010]


    How to Have Fun and Make Money With SIM Boxes

    Entry Level: Cheap/Anonymous Mobile Access
      Architecture
        - SIMs with unlimited MTM voice and/or SMS
        - SIM Box computers (hold 250+ SIMs)
        - Internet VOIP or tunnels
      Products
        - Cheap long distance calls between mobile networks
        - Cheap MT Messaging
        - Voice spam

    Growth Option: Virtual Access for Roaming Subscribers
      Architecture
        - Offer cut-rate roaming to subscribers
        - Remote IP SIM Access mobile device application installed
        - VOIP client mobile device application installed
        - Virtual SIM Box computers
      Products
        - Worldwide take your phone and roam over IP
        - Worldwide virtual cell phone (leave your phone at home)
        - Voice
        - MO & MT Messaging
        - Fraudulent use of roamers' accounts (e.g., spam)


    PART II: THE FUTURE


    What does the future hold?

    Argument #1: The mobile abuse threat is overblown

    Argument #2: Hell is rising

    there is no monoculture for mobile operating systems. There are at least four major mobile operating systems (iPhone, BlackBerry, Android and Symbian) and one minor one (Windows Mobile, which is falling fast). If you are writing malware, which one do you write for? Answer: none of them

    Andrew Jaquith, senior analyst, Forrester Research

    There are nearly 600 million of them worldwide, naked and unprotected. We need to prepare for the inevitable onslaught. Of course, smartphones are going to be the targets of criminals. Any other conclusion is naive, reeks of hubris and merely amplifies the industry's past errors that have cost us all dearly.

    Rob Smith, CTO & CEO, Mobile Application Development Partners


    Botnet Non-Mobile Email Spam Example:
    Canadian Pharmacy

    Criminal Organization (glavmed.com, aka Canadian Pharmacy)
      - Shipping effective but counterfeit drugs
      - Revenue > $150 million per year
    Advertising by spam
      - Pays 40% commission to partners
      - Partners send 2.5B email spam messages/day
    Sales through dodgy web sites
      - 100 new domains per day
      - 15 uniquely branded websites
      - Modifying content and URL domain every 15 minutes
      - Use of zombie proxies in HTTP path hide the real web sites
    Relies on Botnet network of infected PCs
      - For spamming
      - For hiding real websites behind infected proxy websites
    Spammers get 40% commission for directing web traffic to Canadian Pharmacy
      - $.00008/msg

    Source: Cisco/Ironport


    Mobile Spam Risk: following the email pattern

    Mobile abuse today resembles email spam in 2000
      - Direct spamming: spammer-owned nets/devices
      - At most 100s of direct spammers
    Mobile Botnet (mobot) risk is growing
      - Easily developed -- the necessary businesses, markets and funding exist
      - Spammers' business case is good
      - Mobile infection is becoming easier
      - More users download mobile apps to open phones
      - Growth in PCs with cell data/messaging capabilities
    Email-like evolution of mobile spam won't take 8 years
    Mobile data businesses and users are at risk of attack by well-funded spammers investing $50k to make millions by developing mobot networks


    What Causes Abuse?

    People and businesses looking for ways to get money irrespective of ethics and laws
    Pranksters
      - Individuals and/or groups motivated by ego
    Political players
      - Individuals motivated by ego
      - State actors
      - Non-state actors
    Accidents/errors

    Where should I hack today?


    Hypothesis: Economic Models Predict Abuse

    Abusers are primarily businessmen looking for ways to get money irrespective of ethics and laws
    Ability to monetize
      - Value of an infected device
    Vulnerability
      - Cost to infect a device
    Both are leveraged by advanced markets for goods and services
      - Criminal infrastructure
      - Criminal networks
      - Toolkits/Specialists
      - Large numbers of less-skilled players


    Hypothesis Validation: Does it explain history?

    PCs are widely abused, Macs aren't
      - Explanation: market share
    9 of top 10 mobile virus threats affect Symbian OS
      - Explanation: 2010 smart phone market share (Canalys)
        Symbian 40%, Blackberry 18%, Android 16%, Apple 15%, Windows Mobile 7%
    Value of an infected device
    Mobiles not widely infected
      - Higher cost to infect a device
      - Lower value of infected device


    So What Are the Trends?

    An Amazon Payments executive at the 2010 Mobile Shopping Summit said that mobile commerce is expected to grow from $2.4 billion this year to $23.4 billion by 2015, an 875 percent increase.
      - Those figures are based on projections from Coda Research Consultancy.
    Admob (May 2010) reports:
      - Users across all [mobile] platforms are highly engaged with apps; iPod touch users even more
      - Android and iPhone users spend 79-80 min/day using apps, 100 min iPod Touch, 89 min webOS
      - Android and iPhone users download ~9 new apps/month, ~12 iPod touch, ~6 webOS


    Criminal networks and services are being leveraged

    [intelligence not for public dissemination or publication]


    Prediction

    Value of infected device will rise with increased use of mobile devices, especially in money transfer applications
      - When mobile use nears or surpasses PC levels, look out
    Cost of infection will decrease with increased mobile use, especially in SW downloads
      - Explanation: easier to infect/deceive
    Positive business cases exist
      - Mobile Zeus Trojan (TAN stealing)