When Malware Goes Mobile Vanja Svajcer, Principal Researcher


Page 1: When Malware Goes Mobile

When Malware Goes Mobile
Vanja Svajcer, Principal Researcher

Page 2: When Malware Goes Mobile


Malware goes mobile

• Mobile malware
• Securing mobile devices

Page 3: When Malware Goes Mobile


Mobile malware

• First malware for mobile platforms around 2004
• Symbian – most prevalent
• JavaME – still being developed
• WinCE – very few samples
• iOS – few instances in 2010, 2011
• Android – big growth in the number of malware samples

Page 4: When Malware Goes Mobile


Android environment

• Platform popularity (75% new smartphones sales)
• Adding applications to Google Play is easy
• Alternative Android application markets
• Forums and file sharing sites
• “Cracked” and repackaged apps
• China, Russia
• Android app landscape similar to Windows

Page 5: When Malware Goes Mobile


Android – Google play

Page 6: When Malware Goes Mobile


Android Malware

[Chart: Cumulative number of discovered samples, by month from 2010-08 to 2012-10; vertical axis 0 to 80000]

Page 7: When Malware Goes Mobile


Android Malware

[Chart: Samples discovered per year, 2010 to 2012; vertical axis 0 to 80000]

Page 8: When Malware Goes Mobile


Android Malware

Top malware families discovered

• Andr/Boxer-D: 30%
• Andr/Boxer-A: 11%
• Andr/Gmaster-A: 5%
• Andr/Boxer-C: 4%
• Andr/NewyearL-B: 4%
• Andr/Kmin-C: 3%
• Andr/Opfake-F: 3%
• Andr/KongFu-A: 3%
• Andr/Opfake-G: 2%
• Andr/FakeIns-A: 2%
• Others: 32%

Page 9: When Malware Goes Mobile


Android Malware

[Chart: Discovered Android vs JavaME samples, 2011-07 to 2012-09; vertical axis 0% to 100%; series: JavaME samples, Android samples]

Page 10: When Malware Goes Mobile


Android malware

• Over 70k unique samples of malware known
• Information stealers (Andr/SMSRep)
• SMS senders (Andr/AdSMS)
• Phishing (fake mobile banking software)
• Privilege escalation exploits (DroidDream)
• Zeus for Android (Zitmo)

Page 11: When Malware Goes Mobile


Andr/Boxer family

Page 12: When Malware Goes Mobile


Andr/Boxer family
Witness

Page 13: When Malware Goes Mobile


Andr/Boxer family
Witness

Page 14: When Malware Goes Mobile

Zitmo environment


[Diagram labels: Attacker; Victim; Zeus/Zitmo C & C server; SMS mTAN; Send status & SMS messages]

Page 15: When Malware Goes Mobile


Android malware ItW

Malware reports ItW

• Andr/PJApps-C: 65%
• Andr/BBridge-A: 9%
• Andr/Generic-S: 6%
• Andr/BatteryD-A: 4%
• Andr/DrSheep-A: 3%
• Andr/DroidRt-A: 2%
• Andr/Opfake-C: 2%
• Andr/Boxer-A: 2%
• Andr/FaceNiff-A: 1%
• Andr/Opfake-A: 1%
• Others: 5%

Page 16: When Malware Goes Mobile


PJApps distribution

Malware reports ItW

Page 17: When Malware Goes Mobile


Android malware ItW

Android malware reports per country

• United States: 17%
• United Kingdom: 13%
• Germany: 10%
• Brazil: 8%
• Venezuela: 4%
• Cyprus: 4%
• Italy: 4%
• Spain: 3%
• Argentina: 3%
• Costa Rica: 3%
• Mexico: 3%
• Netherlands: 3%
• Switzerland: 2%
• Romania: 2%
• India: 2%
• Republic of Korea: 2%
• Peru: 1%
• China: 1%
• Others: 17%

Page 18: When Malware Goes Mobile


Android Malware

[Chart: Android Threat Exposure Rate by country; categories: Australia, Brazil, United States, Others, Malaysia, Germany, India, France, United Kingdom, Iran; axis 0.00% to 14.00%]

Page 19: When Malware Goes Mobile

Paradigm shift

?

Page 20: When Malware Goes Mobile

Securing mobile devices

• Platform and device diversity
• Compliance for access to corporate data
• Device security
• Application security
• IT productivity


Page 21: When Malware Goes Mobile

Diversity

Use MDM framework to manage all major smartphones and tablet types from a single console

• Apple iOS
• Android
• RIM Blackberry 5.x, 6.x
• Windows 8?


Page 22: When Malware Goes Mobile

Compliance

• Compliance enforcement
• Best practice in configuration
• Best practice in app security
• Protecting enterprise assets


Page 23: When Malware Goes Mobile

Compliance Enforcement - Basics


[Diagram labels: Send status; Validate rules; Control mail access; EAS Proxy; Exchange]

Page 24: When Malware Goes Mobile

Device & data security (loss)

• Remote Lock and/or Wipe
• Auto-wipe after a number of failed login attempts
• Locate lost or stolen phone
• SIM change notification/wipe
• Device encryption !!!


Page 25: When Malware Goes Mobile

Application security

Enterprise App Store for recommended apps

• Recommend supported apps
• Enforce required apps
• Distribute homegrown apps
• Help for the agnostic user
• Limit the risk of too many used apps

Keep OS and apps up to date

• Easier with apps
• Difficult (for Android) for OS


Page 26: When Malware Goes Mobile

IT Productivity – remote and OTA management

• Define password policy and lock period
• Control installation of apps
• Block use of camera, browser, Youtube, …
• Send text notification to client
• Manage endpoint security/anti-malware software
• Prevent jailbreaking
• Blackberry most suited for fine tuning, then iOS, Android


Page 27: When Malware Goes Mobile

Conclusions

• Mobile devices are changing the enterprise
• Diversity (apps rule, not OSes), BYOD
• Android most targeted by malware
• Malware growth to continue
• Malware complexities increase
• Follow the best practice to secure mobile devices


Page 28: When Malware Goes Mobile

Control, secure, protect

Sophos Mobile Control - Mobile Device Management
On-premise or cloud-based solution to manage, control and protect mobile devices.
Enable BYOD without the risks

Sophos Mobile Security – Anti-Virus for Android
Scans for malicious data-stealing apps and provides loss and theft protection. Free download
Protect devices from Android malware

Sophos Mobile Encryption – Mobile Data Protection
Extends SafeGuard Encryption for Cloud Storage to mobile devices – iOS or Android*
Ensure persistent encryption

* Android version available late September 2012

Page 29: When Malware Goes Mobile

Complete Security

[Diagram labels: Email; Data; Endpoint; Mobile; Web; Network; Clean up; Automation; Visibility; Local self-help; WiFi security; Keep people working; Technical support; Access control; Intrusion prevention; Anti-malware; User education; Data Control; Stop attacks and breaches; Firewall; Email encryption; Virtualization; Endpoint Web Protection; Mobile Control; Secure branch offices; Encryption for cloud; Live Protection; Mobile app security; Protect everywhere; Web Application Firewall; URL Filtering; Anti-spam; Patch Manager; Application Control; Encryption; Device Control; Reduce attack surface]


Page 30: When Malware Goes Mobile


US and Canada 1-866-866-2802


UK and Worldwide + 44 1235 55 9933


nakedsecurity.sophos.com

Staying ahead of the curve

facebook.com/securitybysophos

twitter.com/Sophos_News

Sophos on Google+

linkedin.com/company/sophos