A Comprehensive Guide to Mobile Targeted Attacks

1
A Comprehensive Guide to Mobile Targeted
Attacks (and What Can You Do About It)
Ohad Bobrov, CTO ohadl_at_lacoon.com twitter.com/Laco
onSecurity
2
Agenda

• The collapse of the perimeter
• Why mobile devices are targeted
• Mobile Remote Access Trojans (mRATs)
• Demo
• Infection vectors
• Detection, remediation, and building a secure
  BYOD / HYOD architecture

3
About Lacoon Mobile Security

• Protecting organizations from mobile threats
• HQ SF, USA. RD Israel
• Cutting edge mobile security research team
• Protecting tier-1 financial, manufacturing, legal
  and defense organizations

4
The Collapse Of The Corporate Perimeter
gt 2011
5
TARGETED MOBILE THREATS
6
Why To Hack Mobile Device?
Snooping on corporate emails and application data
Infiltrating internal LANs
Eavesdropping
Extracting contact lists, call text logs
Tracking location
7
The Mobile Threatscape
Targeted Personal Organization Cyber espionage
mRATs / Spyphones
Business Impact
Consumer-oriented. Mass. Financially motivated,
e.g. Premium SMS Fraudulent charges Botnets
Mobile Malware Apps
Complexity
8
The Mobile Threatscape
High End Government / Military grade Mid
Range Cybercrime toolkits Low End Commercial
surveillance toolkits
9
HIGH ENDGOV / MIL mRATs
10
FinSpy Mobile
Extracted from http//wikileaks.org/spyfiles/docs
/gamma/291_remote-monitoring-and-infection-solutio
ns-finspy-mobile.html
11
MID CYBERCRIME TOOLKITS
12
Recent High-Profiled Examples
13
LOWER ENDCOMMERCIAL SURVEILLANCE TOOLKITS
14
Commercial Mobile Surveillance Tool (Spyphone)
15
Commercial Mobile Surveillance Tools A Comparison
16
Varying Costs, Similar Results
Capability FlexiSpy AndroRAT FinFisher
Real-time listening on to phone calls
Surround recording
Location tracking (GPS)
Retrieval of text
Retrieval of emails
Invisible to the user
SMS CC fallback
Infection vector Physical Repackage Exploit?
Cost 279 Free 287,000
Activation screen - -

17
STATISTICS
18
Survey Cellular Network 2M Subscribers
Sampling 650K
Data sample 1 GB traffic sample of spyphone
targeted traffic, collected over a 2-day
period. Collected from a channel serving 650K
subscribers Traffic constrained to communications
to selected malicious IP address Communications Tr
affic included both encrypted and non-encrypted
content
19
Survey Cellular Network 2M Subscribers
Sampling 650K
Infection rates June 2013 1 / 1000 devices
20
Survey Cellular Network 2M Subscribers
Sampling 650K
21
DEMO
22
INFECTION VECTORS
23
Infection Vectors - Android
24
Infection Vectors iOS (iPhones and iPads)
25
Current SecurityStatus
26
Current Solutions FAIL to Protect
27
Mitigation Current Controls
Mobile Device Management (MDM)
Multi-Persona
Wrapper
Active Sync
NAC
28
Mitigation Current Controls
Mobile Device Management (MDM)
Multi-Persona
Wrapper
Active Sync
NAC
29
Detection Adding Behavior-based Risk
Malware Analysis
Threat Intelligence
Vulnerability Research
30
Detection Adding Behavior-based Risk
Application Behavioral Analysis
Malware Analysis
Device Behavioral Analysis
Threat Intelligence
Vulnerability Research
Vulnerability Assessment
31
Detection Adding Behavior-based Risk
Application Behavioral Analysis
Malware Analysis
Device Behavioral Analysis
Threat Intelligence
Vulnerability Research
Vulnerability Assessment
32
Lacoon Solution
33
Ohad Bobrov , CTO Lacoon Security
Inc. ohad_at_lacoon.com twitter.com/LacoonSecurity