It was reported yesterday that cyber criminals have found a hole in Android-based two-factor authentication systems that banks around the world are using. As a result of this, 34 banks in four countries have become victims of a sophisticated spear-phishing and malware campaign known as Operation Emmental. Below are comments by security experts: Michael Sutton, VP of security research at Zscaler and TK Keanini, CTO at Lancope.
Tim 'TK' Keanini writes:
"This sort of attack is more evolutionary than revolutionary. This is the co-evolution of the defenders raising the bar in one area and the attackers having to modify their tactics to another. This tiny configuration change represents a larger, more known strategy by the attacker, which is to get ‘in the middle’ of the communication. This is just another way for them to place themselves in the middle where they can gain an advantageous position in the communication channels.
I think most users will fall victim because targeting Smartphones is relatively new and most users consider it to be safe and secure. Attackers will continue to try every access vector to the Smartphone because having a footprint on the Smartphone has many advantages to their attack campaign. Users need to get much more paranoid about downloads and the general security of their Smartphone.
Early detection is beneficial, but this type of DNS attack is very difficult to detect without the right telemetry. These traffic patterns are incredibly anomalous, but the attackers know that no one is monitoring for this anomaly and thus are getting away with it. This is the reason why it is so effective. If service providers or organizations monitored the DNS traffic and, through anomaly detection algorithms, detected that certain machines were not using the configured DNS servers, the attack could be detected at its onset no matter what country was being targeted."
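A minimal version of the DNS check Keanini describes, added here as an illustration (it is not from the article or from Lancope): DNS flows whose destination is not one of the resolvers the network is configured to use are flagged per client. The resolver addresses, the flow format and the flow records are all constructed.

```python
"""Flag hosts whose DNS queries go to resolvers other than the configured ones.
Added illustration; the flow format and all addresses below are constructed."""
from collections import defaultdict
import ipaddress

# Assumed: the resolvers the organisation hands out via DHCP or group policy.
CONFIGURED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records in a simplified NetFlow-like text format:
# timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2014-07-23T09:00:01 10.0.5.20 10.0.0.53 udp 53
2014-07-23T09:00:02 10.0.5.20 10.0.1.53 udp 53
2014-07-23T09:00:03 10.0.5.21 10.0.0.53 udp 53
2014-07-23T09:00:04 10.0.5.22 198.51.100.7 udp 53
2014-07-23T09:00:05 10.0.5.22 198.51.100.7 udp 53
2014-07-23T09:00:06 10.0.5.22 10.0.0.53 udp 53
2014-07-23T09:00:07 10.0.5.23 203.0.113.9 tcp 53
2014-07-23T09:00:08 10.0.5.23 93.184.216.34 tcp 443
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = line.split()
        yield src, dst, proto, int(dport)


def find_rogue_resolvers(text, configured=CONFIGURED_RESOLVERS):
    """Return {client: {resolver: query_count}} for every DNS flow whose
    destination is not a configured resolver.  Both UDP and TCP port 53 are
    checked so that a changed resolver reached over TCP is not missed."""
    allowed = {ipaddress.ip_address(r) for r in configured}
    findings = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport in parse_flows(text):
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # not DNS traffic
        if ipaddress.ip_address(dst) not in allowed:
            findings[src][dst] += 1
    return {client: dict(resolvers) for client, resolvers in findings.items()}


if __name__ == "__main__":
    for client, resolvers in find_rogue_resolvers(SAMPLE_FLOWS).items():
        print(client, "-> unexpected resolvers:", resolvers)
```

On the sample above, clients 10.0.5.22 and 10.0.5.23 are flagged while the hosts that only talk to the configured resolvers are not.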
Michael Sutton, VP of security research at Zscaler, says:
"This attack highlights a concern that we expressed when revealing recent statistics derived from statically analyzing 75,000 Android apps. In that research we noted that of apps which request SMS access, 28% request 'Read SMS' access. This is a high risk permission to grant as any app with these privileges can read all incoming SMS content as there is no way to restrict a given SMS message to a specific application. Keep in mind that these are stats from the official Google Play store. An attacker wouldn't even need to sneak a malicious app into Google Play, but could simply market a seemingly legitimate application in the Google Play store but include Read SMS permissions and have a Trojan Horse capable of intercepting two factor authentication schemes leveraging SMS. iOS does not allow Read SMS permissions for apps. While this limits the capability of apps, as can be seen, it also prevents a potentially serious security threat. Now that malware authors are leveraging such permissions to defeat two factor authentication schemes, Google will have to re-think allowing this level of access.
We have seen that users are all too willing to install apps on smartphones without scrutinizing requested permissions. This is especially the case for Android's 'all-or-none' permission model where users cannot install an app unless all permissions are accepted up front. This differs from Apple's model whereby an application can first be installed and individual permissions allowed or denied as they are needed, without impacting the overall application. It should also be noted that in this particular attack, because the Android application is using a legitimate permission - reading SMS messages - this application could just as easily be delivered from the official Google Play store as it isn't exhibiting clearly malicious behaviour and is unlikely to be rejected during the approval process.
Awareness is key in alerting users to the threat of an attack such as this, but unfortunately, users will remain the weak link in the security chain regardless of the attention that an attack receives. Google is in the best position to break this attack by restricting/preventing apps from accessing SMS content."