Study reveals mobile enterprise management tools fail to prevent spyware infecting smartphones
London (UK): Lacoon Mobile Security yesterday warned that Mobile Remote Access Trojan (mRAT) infections of smartphones are increasing and are bypassing encryption and sandbox solutions. The statement is based on the results of its research, which found that one in 1,000 smartphones has mRAT spyware installed. Conducted in partnership with global mobile network providers, the study sampled 2 million subscribers in late October 2012. It found that 52% of infected devices were iOS and 35% were Android-based mobile devices. The study showed that the mRATs were capable of intercepting third-party applications, such as WhatsApp, despite those applications' guarantee of encrypted communications. The worrying element of this trend is that, with enterprises rapidly adopting mobile device management (MDM) solutions, mRATs can bypass MDM security controls in the same manner.
Mobile cyber espionage is carried out through dedicated spyware, also known as a Mobile Remote Access Trojan (mRAT). Most mRATs provide, at a minimum, the following capabilities, which make them increasingly attractive to attackers and, on the other hand, costly to the business:
Eavesdropping and surround recording. Examples: listening in real time on customer calls and recordings of board meetings.
Extracting call and text logs. Examples: text messages which contain board meeting follow-ups and voice memos.
Tracking location. Examples: tracking the location of executives at key accounts meetings.
Snooping on corporate emails and application data. Examples: retrieving corporate emails regarding upcoming M&A activity.
Infection of a smartphone with an mRAT requires the spyware to install a backdoor by rooting an Android device or jailbreaking an Apple device. Although device manufacturers include rooting/jailbreaking detection mechanisms, mobile spyware can easily bypass them. Once the mobile device is infected, the spyware sends mobile content, such as encrypted emails and messages, to the attacker's command and control (C&C) servers in plain text. These attacks undermine the basic notion of a secure container, the principle on which MDM solutions are built.
Ohad Bobrov, CTO and co-founder of Lacoon Mobile Security explains, “MDM solutions create secure containers that separate business and personal data on the mobile. The concept is to prevent business critical data from leaking out to unauthorised individuals. However, our research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it. At that stage - when the content is decrypted for the user - the spyware can take control of the content and send it on. To prove their point, our researchers adapted a similar method used by mRATs in the wild that intercept 3rd-party applications such as WhatsApp. The reason mRATs pose such a danger is that, while the software may be installed on a single device, it can be used to target the whole organisation for espionage purposes. To mitigate these and other attacks aimed at the mobile devices utilised within the enterprise, organisations need to accurately assess the risk of mobile activity and actively protect against emerging, targeted, and zero-day attacks.”
While MDMs do offer some protection through static compliance and policy enforcement, organisations need to understand that they do not offer complete protection. Spyware attacks rely on exploiting the device's OS vulnerabilities, not those of the secure container, so it is imperative to deploy security using a defence-in-depth strategy. Best practices and technologies include:
Remotely analyse the risk involved with each device, including behavioural analysis of the downloaded applications
Calculate the risk associated with the device's operating system vulnerabilities and usage
Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers
Enable a network protection layer to block exploits and drive-by attacks, and prevent the device from accessing enterprise resources when its risk is high
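The practices listed above can be sketched as a small defender-side triage pipeline. The following Python is an added example and is not code from the article or from Lacoon's products: it scores each device from its posture (rooted or jailbroken state, OS version against an assumed patch baseline, sideloaded applications) and then looks for anomalies in outbound connection logs, flagging regular beaconing to destinations outside an allowlist. All field names, weights, thresholds, the allowlist and the sample log lines are constructed assumptions chosen only to illustrate the idea; a real deployment would replace them with its own telemetry and baselines.

```python
"""Added example (not part of the original article or of any vendor product):
device risk scoring plus outbound-beacon detection over constructed logs."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

@dataclass
class DevicePosture:
    device_id: str
    os_name: str
    os_version: str
    rooted_or_jailbroken: bool
    sideloaded_apps: int  # apps installed outside the official store (assumed attribute)

# Assumed minimum acceptable OS versions; a real baseline comes from your own policy.
MIN_OS = {"ios": (6, 0), "android": (4, 1)}

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def device_risk(posture: DevicePosture) -> int:
    """Additive risk score clamped to 0..100 (weights are constructed)."""
    score = 0
    if posture.rooted_or_jailbroken:
        score += 60  # the article's precondition for an mRAT backdoor
    if parse_version(posture.os_version) < MIN_OS.get(posture.os_name.lower(), (0,)):
        score += 25  # out-of-date OS: larger exploitable surface
    score += min(posture.sideloaded_apps * 5, 15)
    return min(score, 100)

# Constructed outbound-connection log: unix_time,device_id,destination,bytes_out
SAMPLE_LOG = """\
1351728000,dev-1,mail.example-corp.test,2100
1351728060,dev-1,mail.example-corp.test,1800
1351728300,dev-2,198.51.100.23,4096
1351728600,dev-2,198.51.100.23,4100
1351728900,dev-2,198.51.100.23,4096
1351729200,dev-2,198.51.100.23,4090
1351729500,dev-2,198.51.100.23,4120
1351728100,dev-3,cdn.example-corp.test,900
1351730000,dev-3,cdn.example-corp.test,123000
"""
ALLOWED_DESTINATIONS = {"mail.example-corp.test", "cdn.example-corp.test"}  # assumed

def parse_log(text: str) -> List[Tuple[int, str, str, int]]:
    rows = []
    for line in text.splitlines():
        ts, dev, dest, nbytes = line.split(",")
        rows.append((int(ts), dev, dest, int(nbytes)))
    return rows

def beacon_candidates(rows, min_conns: int = 4, max_cv: float = 0.2):
    """Flag (device, destination, mean_gap_seconds) where a device repeatedly
    contacts a non-allowlisted host at near-constant intervals, a classic
    C&C check-in pattern. The coefficient of variation of inter-arrival
    gaps is the regularity measure; the thresholds are constructed."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, dev, dest, _ in rows:
        by_pair[(dev, dest)].append(ts)
    flagged = []
    for (dev, dest), stamps in by_pair.items():
        if dest in ALLOWED_DESTINATIONS or len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged.append((dev, dest, round(avg)))
    return flagged

def triage(postures: List[DevicePosture], rows, quarantine_at: int = 50) -> Dict[str, str]:
    """Combine posture risk and beacon evidence into an access decision:
    high-risk or beaconing devices are cut off from enterprise resources."""
    beaconing = {dev for dev, _, _ in beacon_candidates(rows)}
    decisions = {}
    for p in postures:
        risky = device_risk(p) >= quarantine_at
        decisions[p.device_id] = "block-enterprise-access" if (risky or p.device_id in beaconing) else "allow"
    return decisions

# Constructed fleet used by the stand-alone run and the checks.
FLEET = [
    DevicePosture("dev-1", "ios", "6.0.1", False, 0),
    DevicePosture("dev-2", "android", "4.0.4", True, 2),
    DevicePosture("dev-3", "android", "4.1.2", False, 1),
]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for p in FLEET:
        print(p.device_id, "risk =", device_risk(p))
    print("beacons:", beacon_candidates(rows))
    print("decisions:", triage(FLEET, rows))
```

In the constructed data, dev-2 is both rooted on an old Android build and checks in with an unlisted IP every 300 seconds, so it is blocked on both counts; dev-3's large upload to an allowlisted CDN is not flagged by this beacon heuristic, which is a reminder that volume-based and destination-reputation checks belong alongside it rather than being replaced by it.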