Mobile malware becoming sophisticated and scary

BYOD is on track to becoming almost ubiquitous in the modern workplace, due to a combination of user demand and the benefits afforded by enterprise mobility. But as smartphone use in the business has increased, so too has the scale of the threat posed by mobile malware.

Separate reports from McAfee and Kaspersky Lab provide a glimpse into just how sophisticated mobile threats have become.

McAfee Labs published the June 2014 edition of its quarterly Threat Report, which reveals that the number of mobile malware samples it has discovered grew 167% in just 12 months.

The report details examples of new-generation mobile malware designed to exploit the features of trusted applications or services. These include an Android app that abuses the Play store’s authentication and authorisation to covertly download, install and launch other apps.

It also gives the example of two Android trojans. One is designed to exploit a flaw in a digital wallet service to force its money transfer protocol to transfer funds to the attacker’s servers. The second exploits weaknesses in the encryption used for messaging app WhatsApp and allows the attacker to intercept conversations and photos.

Hackers are also taking advantage of popular legitimate apps and services to draw in victims. For example, 79% of the clones of mobile game Flappy Bird sampled by McAfee Labs contained malware.

These malware samples allowed hackers to make phone calls without the user's permission, install additional apps, collect list data, track a user’s location and even establish root access on a device.

In a separate report, Kaspersky Lab revealed it has identified Android and iOS components of Remote Control System (RCS), the spyware tool used by numerous government agencies for online surveillance.

The mobile RCS modules are capable of performing many intrusive surveillance functions, including reporting a target’s location, taking photos, intercepting phone calls and messages and copying events from a calendar app.

RCS, marketed as Galileo, has been developed by Italian company HackingTeam. It is designed to copy and intercept messages from browsers, email clients and instant messaging programs, as well as audio and video streams.

Kaspersky Lab and its partner Citizen Lab said it had identified victims of the RCS tool including activists and human rights activists, journalists and politicians.

While it has long been known that HackingTeam develops mobile malware modules, Kaspersky Lab has for the first time identified the Android and iOS trojan modules for RCS, the company’s Global Research & Analysis Team said in a blog post detailing the findings. The team has also discovered modules for BlackBerry and Windows Phone.

The iOS module only works on unlocked devices, but even non-jailbroken iPhones can be vulnerable, as Galileo’s operators are able to use infected PCs to remotely jailbreak the devices.

Operators build a specific malicious implant for each target and deliver it to mobile devices via infection vectors such as spear-phishing attacks, exploits and even local infections, sent via USB cables while synchronising mobile devices, the company said.

The mobile modules have been carefully designed to minimise the risk of detection through the implementation of triggered spying capabilities. For example, audio recording can be set to trigger only when a victim is connected to a particular Wi-Fi network or changes the SIM card of a device.

Kasperksy Lab said it had also developed a way to fingerprint RCS command servers and used the method to scan the entire IPv4 address space. Doing so, the company discovered 326 servers in 42 countries, including one in Australia.

While the presence of a server is not definitive proof that a country’s law enforcement agencies are using the tools, this is the most likely explanation since agencies are most likely to place servers in their own countries to avoid cross-border legal issues, the company said. Several of the IPs were also identified as connected to governments during WHOIS lookups.

The discovery of mobile malware with these kinds of capabilities in the wild proves that the time is right for enterprises to re-evaluate their mobile security technologies, processes and policies.

Image courtesy of Highways Agency under CC