As Mobile Devices Proliferate, so does the Challenge of Securing Them
As the IoX starts to take shape, it is becoming painfully obvious that the majority of mobile devices will be sorely lacking in OS or hardware security. That means the enterprise will have to become its own equivalent of homeland security. And that is much easier said than done.
One of the major reasons, if not the major one, is the diversity of mobile devices and their software/hardware makeup. Another reason, which has multiple vectors, is that a) the devices are becoming much more sophisticated and b) with this sophistication comes increased interest from hackers.
The mobile device will, for a great majority of users, become their primary computing device. And at present the security on these devices is all over the map. Many run vulnerable OSs that do not get regular updates. Another security leak is rogue apps and Trojans. Still another is just plain poor device hygiene. And then there are sloppy software and supply chain compromises. And don’t forget PUPs and malware. In the following discussion, these and other related topics will be covered.
First, the Sad State of Mobile OSs
Perhaps one of the most troubling aspects of mobile security is the OS itself. Mobile OSs such as Android are fraught with vulnerabilities. All one has to do is a quick Internet search on Android or Apple OS vulnerabilities and pages of results pop up.
Perhaps the most memorable, in recent history, was Android’s Stagefright, which was discovered about a year ago. It got the name because it exploits the libStageFright media library, which, incidentally, is a core system-level component embedded deep inside the OS. This compromises the Android media playback service: a video sent via MMS becomes the attack vector, triggering the libStageFright RCE flaw. And RCE is the worst kind of vulnerability.
The reason this worked is an Android vulnerability that allows shellcode, which is executable instructions parading as multimedia data, to take over the device as soon as it is processed. All that has to happen is that the phone receives a malicious message; once the message is processed, it compromises the OS and the perpetrator has access to the device. One would think that merely receiving a message without opening it would keep such attacks at bay, which is normally the case. But Android operating systems prior to KitKat and Lollipop opened messages as soon as they were received, by default. And this affected about 950,000,000 Android devices at the time.
Of course it has been patched, but it is simply one example of the many vulnerabilities in the Android OS alone, including ones in third-party-supplied software such as the Qualcomm and Broadcom Wi-Fi drivers. And this doesn’t take into consideration the apps. The same state exists in iOS and Windows, although Apple doesn’t have the same third-party issues that Android has.
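The Stagefright passage above describes the defect class behind media-parser bugs in general: a length field inside untrusted media data is trusted before it is used. The following walker over top-level MP4 (ISO BMFF) boxes is an added example, not code from the article or from Android’s libstagefright, and it makes no claim about the specific Stagefright bugs; it shows the bounds checks a safe parser applies (declared size smaller than its own header, declared size larger than the data present, the 64-bit size variant), using constructed byte strings as input.

```python
"""Walk the top-level boxes of an ISO BMFF (MP4) byte string, rejecting
malformed size fields instead of trusting them.

Added illustration, not code from the article or from libstagefright: it
shows the class of defect behind media-parser bugs (a length field from
untrusted data is trusted and then used for allocation, copying or cursor
advance). All sample inputs below are constructed, not real media files."""
import struct

HEADER_LEN = 8            # 32-bit size + 4-byte type
LARGE_HEADER_LEN = 16     # size == 1 means a 64-bit size follows the type


class MalformedBox(ValueError):
    """Raised when a box header cannot be trusted."""


def parse_boxes(data: bytes):
    """Return [(type, payload_offset, payload_len)] for each top-level box.

    Every declared size is checked against the bytes actually present before
    it is used, so a hostile size can neither make a caller read past the
    buffer nor stall the loop by failing to advance the cursor."""
    boxes = []
    offset = 0
    total = len(data)
    while offset < total:
        remaining = total - offset
        if remaining < HEADER_LEN:
            raise MalformedBox(f"truncated header at offset {offset}")
        size, btype = struct.unpack_from(">I4s", data, offset)
        header_len = HEADER_LEN
        if size == 1:
            # 64-bit size variant: 8 more header bytes must be present
            if remaining < LARGE_HEADER_LEN:
                raise MalformedBox(f"truncated largesize at offset {offset}")
            (size,) = struct.unpack_from(">Q", data, offset + HEADER_LEN)
            header_len = LARGE_HEADER_LEN
        elif size == 0:
            # size 0 means "extends to end of file", so only the final box may use it
            size = remaining
        if size < header_len:
            raise MalformedBox(f"box {btype!r} at {offset} declares size {size} < header")
        if size > remaining:
            raise MalformedBox(
                f"box {btype!r} at {offset} declares size {size}, only {remaining} bytes left")
        boxes.append((btype.decode("ascii", "replace"), offset + header_len, size - header_len))
        offset += size
    return boxes


def make_box(btype: bytes, payload: bytes) -> bytes:
    """Build a well-formed 32-bit-size box (used only to construct samples)."""
    return struct.pack(">I4s", HEADER_LEN + len(payload), btype) + payload


# Constructed well-formed file: an ftyp box followed by a tiny mdat box.
GOOD_FILE = make_box(b"ftyp", b"isom\x00\x00\x02\x00") + make_box(b"mdat", b"\x00" * 16)

# Constructed file using the 64-bit size variant for its only box.
LARGE_FILE = struct.pack(">I4sQ", 1, b"mdat", LARGE_HEADER_LEN + 4) + b"\x00" * 4

# Constructed hostile input: declared size far exceeds the data actually present.
# A parser that trusts this size reads or copies past the end of the buffer.
OVERSIZED_FILE = struct.pack(">I4s", 0x7FFFFFFF, b"mdat") + b"\x00" * 8

# Constructed hostile input: declared size smaller than the header itself.
# In a naive loop this yields a wrapped payload length or a cursor that never advances.
UNDERSIZED_FILE = struct.pack(">I4s", 4, b"moov") + b"\x00" * 8


def classify(data: bytes) -> str:
    """Return 'ok' when every box validates, otherwise the rejection reason."""
    try:
        parse_boxes(data)
        return "ok"
    except MalformedBox as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(parse_boxes(GOOD_FILE))
    for sample in (LARGE_FILE, OVERSIZED_FILE, UNDERSIZED_FILE):
        print(classify(sample))
```

The same discipline applies to every nested container format: validate each declared length against the bytes actually remaining before allocating or copying, and treat a size that would not advance the cursor as malformed rather than looping on it.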
Aside from the slew of vulnerabilities in the OSs, apps provide a fertile playground for hackers. Not that the majority of apps aren’t legitimate, but there is a real threat from rogue apps.
Securing apps is daunting, if for no other reason than the sheer volume of apps and the number of downloads. Today there are about two million apps available for each OS. By the end of this year, Gartner predicts that they will have been downloaded 200 billion times worldwide – and that has hackers drooling.
The reward of getting a rogue app onto a mobile device is much more than just grabbing some audio or movies. Today, mobile devices have ubiquitous access to financial data and assets, as well as a plethora of confidential personal data, not only the device owner’s but also that of whomever the user is connected with. Tomorrow, they will have access to any and every connected thing in the IoX. In many cases, these devices are the primary computing device of a large populace of individuals and will also be umbilically connected to the IoX.
Both Google and Apple do a decent job of walling their app stores. Apple is the best, since iOS will only download apps from the Apple App Store or another legitimate store. The Android OS is a bit looser and isn’t restricted as to where one can get apps.
The biggest threat here is the independent third-party app stores. These stores generally apply no scrutiny to the apps they carry. There is also a new generation of processes hackers use to compromise the apps they can hijack.
Originally vShare was the marketplace for rogue apps, providing apps for Android and jailbroken iOS devices. Apparently, vShare has come up with a new generation of processes that allow non-jailbroken iOS devices to download them as well.
This next generation has been dubbed DarkSideLoader. DarkSideLoader is a major concern because it seems to be the beginning of an expansion of a new attack technique. It commandeers the phone, much like its Android cousin, Stagefright, and allows the attacker to load device configuration profiles onto iOS. These device profiles can enable the attacker to reconfigure VPN settings to redirect network traffic to their man-in-the-middle nodes. They can also modify various OS settings.
It does this by signing unsanctioned apps with real, but unauthorized, enterprise app distribution certificates. DarkSideLoader takes legitimate apps, decrypts them, makes the desired modifications and then re-signs them with the enterprise certificate. When the app is downloaded (this is most often done in enterprise environments where certificates are readily available, but it can be done in any network if the credentials are available), it contains the hacked code.
Trojans, and Other Malware
Aside from the techniques discussed above, there are the Trojan apps. These are similar to the Trojans that have existed in the computer universe for years. And, like their computer brethren, Trojanized apps are apps that look like something else – rogue apps masquerading as legitimate apps.
Trojans are a favorite methodology for compromising mobile devices. Like their cousins that go after servers, PCs and the like, they contain some sort of malicious code. Typically, Trojans function the same as the legitimate apps, but use the injected rogue code to get root on the device, where they can alter the code of other apps (which is not allowed for legitimate apps). Trojans have a much wider base of apps they can compromise. Just about any app can serve as a Trojan, and some even make it into the official app stores.
One would think that anti-malware software would be a good defense against such apps. But it turns out that the hackers have found a way to circumvent it. The technique employed by this malware is simple – delayed execution. It simply waits until the app is loaded and, at some time in the future, sometimes even days later, runs the malware code.
Recently a dangerous new variant of a Trojan appeared, called SlemBunk. It is similar to GM Bot and is one of a growing list of Android malware families. SlemBunk is called a family of apps because it isn’t the only app downloaded (see Figure 1). Up to three apps have to be downloaded to the device to set up the actual request for the SlemBunk payload. It is designed this way because it makes it much more difficult for security analysts to trace the observed attacks back to their real origin. This approach allows the malware to have a longer and more persistent existence on the device. And, even if SlemBunk is detected and eradicated, unless the sister apps are removed as well, it has the potential to simply be re-downloaded and reinstalled.
SlemBunk is a particularly nasty app that contains code for keeping track of running mobile banking app processes. It overlays a fake user interface over the real app and captures various financial credentials. The latest rendition of this app is targeted at porn site visitors. At the site, a rather novel drive-by download technique asks for a trojanized APK update to be installed. If allowed to install, the update will run the “dropper” apps and files. These apps hide certain functions that generate code on the fly, place it in a temporary app and save it there. Then, the dropper loads the second APK dynamically into memory and deletes it from the file system. Finally, the second APK becomes the downloader for the actual malicious app.
There is a real movement in malware today in this direction: using multiple apps to create longer attack chains that make detection more difficult. Even legitimate tools, such as commercial packers like DexProtector, which is actually code designed to protect apps from piracy, can be used to create malware; the dark side uses them to make the malicious app more difficult to detect. Both GM Bot and SlemBunk are typical examples of evolution in the malware chain.
Finally, don’t forget about PUPs. Not all of this software is overtly malicious. Some of it is just annoying or runs quietly under the radar with a specific purpose. One example is the kind that simply resides on the device, collecting information and data and selling it to third parties for such purposes as targeted advertising. That has long been a problem with computers and it is now quickly becoming part of the mobile device ecosystem as well.
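An analyst triaging a suspected SlemBunk-style sample usually starts with the APK’s AndroidManifest.xml: an overlay banker as described above needs permission to draw over other apps, some way to tell which app is in the foreground, and typically SMS access for one-time codes, while a dropper needs to install further packages and survive a reboot. The script below is an added example, not code from the article or from any named malware family. The two manifests are constructed; the permission names and the intent action string are real Android identifiers; the result is a triage aid for prioritising samples, not a malware verdict.

```python
"""Flag permission and component combinations in an AndroidManifest.xml that
match the overlay-banker pattern (watch for a banking app, draw a fake UI
over it, read SMS codes) and the dropper pattern (install more APKs, persist).

Added example for analysts, not from the article or any malware family.
Both manifests below are constructed. Permission and action strings are
real Android identifiers; the scoring is a heuristic, not a verdict."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities of interest, with the reason each matters to an overlay banker.
INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws windows over other apps (fake login UI)",
    "android.permission.GET_TASKS": "enumerates running apps (spot the banking app)",
    "android.permission.PACKAGE_USAGE_STATS": "observes foreground app usage (spot the banking app)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "reads stored SMS (one-time codes)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further APKs (dropper stages)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts after reboot (persistence)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
FOREGROUND_WATCHERS = ("android.permission.GET_TASKS",
                       "android.permission.PACKAGE_USAGE_STATS",
                       "accessibility-service")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the indicators found, a coarse score
    (one point per indicator) and whether the overlay-banker signature
    (overlay capability plus a way to know which app is in front) is present."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        if name in INDICATORS:
            found[name] = INDICATORS[name]
    # An accessibility service can read screen content and inject input,
    # which substitutes for GET_TASKS on newer Android releases.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_BIND:
            found["accessibility-service"] = "binds an accessibility service (reads screen, injects taps)"
    # A receiver for SMS_RECEIVED confirms the app acts on incoming messages.
    for action in root.iter("action"):
        if action.get(NAME_ATTR) == SMS_RECEIVED_ACTION:
            found["sms-receiver"] = "registers a receiver for incoming SMS"
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in found
    watches_foreground = any(key in found for key in FOREGROUND_WATCHERS)
    return {
        "package": root.get("package", ""),
        "indicators": found,
        "score": len(found),
        "overlay_banker_pattern": overlay and watches_foreground,
    }


# Constructed manifest in the shape of an "update" dropper with overlay capability.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.updater">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed manifest of a benign single-purpose app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "score", report["score"],
              "overlay banker pattern:", report["overlay_banker_pattern"])
        for key, why in report["indicators"].items():
            print("   ", key, "-", why)
```

Run against an unpacked APK, the manifest is obtained by decoding the binary AndroidManifest.xml first; the heuristic then only orders samples for deeper analysis, since the dynamic-loading and delete-after-load behaviour the text describes lives in code, not in the manifest.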
Compromises in the Software/hardware Supply Chain
Just as semiconductors can have compromises slipped in somewhere along the supply chain, so can mobile devices. An example of that is the rewrite of Apple’s Xcode development kit that contains rogue code (XcodeGhost). If developers recompile anything with the compromised version, it surreptitiously inserts malicious code alongside the regular app code, which instructs the apps to report to a C&C server. That server, and the hacker(s) who run it, now have control of the device.
A rather ingenious approach. Why bother trying to break into the devices when you can have the app, API, firmware and open source code do it for you, via legitimate developers? So rather than spending time and energy on creating a malicious app and jumping through hoops to get it approved in the App Store, XcodeGhost simply targets Apple’s legitimate iOS/OS X app developers. XcodeGhost has caused the infection of hundreds of apps, including the ride-hailing app Didi Kuaidi, and WeChat.
Compromises in the supply chain are possible in all vectors, not just Android and iOS. The past year has seen a significant increase in firmware-level malware, right out of the box. It is significant that this attack was targeted at the upstream segment of the chain, signaling hackers’ proclivity to expand the attack surface.
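The XcodeGhost case above works only because a developer installs a toolchain without checking that it is the one the vendor published. The script below is an added example, not Apple’s or the article’s code, of the control that catches a tampered or substituted download: pin the expected SHA-256 digests of the build-tool artifacts in a manifest obtained over a channel independent of the download itself, and refuse to install anything that is missing, mismatched or not listed at all. The directory, files and manifest it checks are constructed in a temporary folder so it runs offline.

```python
"""Verify downloaded build-tool artifacts against a pinned digest manifest
before anything is installed.

Added example prompted by the XcodeGhost discussion; not Apple's or the
article's code. The artifacts and the manifest below are constructed in a
temporary directory so the script runs offline. In practice the manifest
comes from the vendor over a channel independent of the download (and is
itself signed), otherwise a tampered mirror could serve matching digests."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-gigabyte installers are not read into RAM


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'hexdigest  relative/name' lines (the sha256sum output format).

    Blank lines and '#' comments are ignored; anything else malformed is an
    error, because a manifest that silently drops entries pins nothing."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pinned[name.strip()] = digest.lower()
    return pinned


def verify_tree(root: str, pinned: dict) -> dict:
    """Return {name: 'ok' | 'MISMATCH' | 'MISSING' | 'UNPINNED'}.

    Files present on disk but absent from the manifest are reported as
    UNPINNED so an extra payload dropped beside the installer is noticed."""
    results = {}
    for name, expected in pinned.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking where the two digests first diverge
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    for entry in sorted(os.listdir(root)):
        if entry not in pinned and os.path.isfile(os.path.join(root, entry)):
            results[entry] = "UNPINNED"
    return results


def install_allowed(results: dict) -> bool:
    """Only a tree where every pinned file verified and nothing extra exists may be installed."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict:
    """Constructed download directory: one genuine artifact, one tampered
    artifact, one file the manifest never listed, one listed file absent."""
    clean = b"pretend this is the genuine toolchain archive\n"
    tampered = clean + b"extra injected bytes"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "toolchain.tar.gz"), "wb") as fh:
            fh.write(clean)
        with open(os.path.join(root, "plugin.tar.gz"), "wb") as fh:
            fh.write(tampered)
        with open(os.path.join(root, "helper.sh"), "wb") as fh:
            fh.write(b"echo hi\n")
        clean_digest = hashlib.sha256(clean).hexdigest()
        manifest = (
            "# constructed manifest, digests of the clean archives\n"
            f"{clean_digest}  toolchain.tar.gz\n"
            f"{clean_digest}  plugin.tar.gz\n"   # the file on disk was altered, so this fails
            f"{'0' * 64}  docs.tar.gz\n"          # placeholder digest for a file that is absent
        )
        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    report = demo()
    for name, status in sorted(report.items()):
        print(f"{status:9} {name}")
    print("install allowed:", install_allowed(report))
```

The placeholder digest for docs.tar.gz is deliberately fake so the MISSING path is exercised; a real manifest carries the vendor’s published values, and the decision to install should be gated on install_allowed() rather than on an operator reading the list.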
The Patch Mechanism
One might think that the above topics just about cover it. But there is one area that is overlooked much of the time. Of late, attention is starting to be paid to it, because so many of the compromises are due to the “jeep” construction mentality – just take whatever you can find and Frankenstein it together to make a mobile device.
There are so many unconnected camps that come together to make a mobile device – the OS developers, the handset manufacturer, the wireless module OEM, and others. And rolling out patches often requires carrier involvement, cooperation and adjustments, especially at the firmware layer. This requires a great deal of coordination among all entities.
Back to the Stagefright issue. Just like Microsoft when it stops supporting aging OSs, Apple and Google do the same. Devices in circulation running Android Jelly Bean 4.1-4.3 or earlier releases will go unpatched with regard to Stagefright. Google no longer updates them, yet they make up 30% of Android devices out there today. That leaves them not only vulnerable by themselves, but if they are part of a network, they are an open door to hackers who can use them to drill further into the net – a not so insignificant issue if this mentality carries over to the IoX.
And while Apple has less of a problem with handsets, its iOS still has its own problems with zero-day vulnerabilities. Researchers from Georgia Institute of Technology, Indiana University, and Peking University discovered a vulnerability which can compromise passwords in the iOS keychain.
Apple has known about it since October 2014, but hasn’t patched it because it is so deeply embedded in the keychain architecture itself. The complexities of fixing this in the field are overwhelming, so they have just let it go, hoping it doesn’t become an issue. There is a fix, but it is a workaround: an open source tool called XGuardian can be used to look for the type of keychain hijacking enabled by the vulnerability.
The State of Affairs? Chaotic
The current state of affairs with mobile devices is somewhat chaotic. There are many vectors of compromise, from OSs to rogue apps to Trojans, as well as the supply chain. Getting everybody on board to fix it, globally, is a somewhat daunting task. And this is really just the beginning. With devices becoming more complex, functional, and in many cases, the primary computing device of the user, attackers see a fertile playing field that is weak in security.
Then there is the lackadaisical attitude of many users, who often throw caution to the wind and pay little or no attention to the warnings the mobile device vendors put out there, or pay little regard to the danger of malevolent apps.
This becomes even more chaotic in the enterprise where the movement for BYOX devices is gaining traction. Many enterprises do not have the necessary security envelope, within their own network, to keep user devices with compromised hardware or software from gaining access to the enterprise network.
In the end, the mobile landscape is fraught with pitfalls. It is moving fast, and keeping up with what is new and evolving is daunting. It also doesn’t have the deep well of experience its tethered brethren have, but it also seems that it isn’t learning much from that segment either. Perhaps because it was thought to be rather bulletproof for a long time, it is taking a while to marshal the forces.
However, the window of opportunity is closing rapidly. The mobile device ecosystem is going to be one of the most sought after by hackers. That means there isn’t a lot of time to get a handle on this. With the ubiquity of mobile devices, the IoX, the cloud, 5G and many other platforms and technologies soon to become mainstream, mobile devices will be the most numerous element – and the platform with the potential to do the most damage.
APK – Android Application Package
BYOX – Bring Your Own Anything
PUP – Potentially Unwanted Program
RCE – Remote Code Execution