Don’t let mobile malware steal your company data
It’s closer than you think
The mobile malware landscape is changing. Standardisation might be a good thing for building ecosystems and making phones more useful, but the emergence of Android and iOS as leaders in the operating-system wars makes life easier for those who would target the data on your corporate devices.
It also means there is more to steal, with the ability to generate revenue through reverse-billed texts, calls to premium-rate numbers and banking on mobile devices.
It is common practice to prohibit user-bought laptops from the corporate network and most employees accept this, yet the rules are different for phones.
According to security researchers, back-door Trojans, which steal data without the victim’s knowledge, and malware that goes after banking login information made up the largest portion of all new mobile malware families in Q2 2013, adding 17,000 strains to their database.
We have recently seen a number of spy-phone Trojans. They include Android Backflash, which installs an icon that looks like Adobe Flash and opens a back door, and the BadNews bug, which was found in 32 different apps on Google Play.
This installed a downloader, which in turn called in a premium SMS dialler. Estimates range between two and nine million infections.
Mobile malware is no longer a threat that is still over the horizon. And it is not just spammers and crooks who are out to get you.
Knowing what you are fighting is an important part of protection, says Charles Brookson of mobile consultancy Azenby.
Brookson designed the A5/1 and subsequent encryption standards for GSM. He heads the security group of the European Telecommunications Standards Institute and the GSM Association security group, so he is not just a person who knows about mobile security but one who draws up the rules.
Hell hath no fury
Brookson points out that falling foul of general malware is very different from being targeted by a rival, a jealous spouse or a government.
The three ‘E’s of mobile data security are engineering, enforcement and education. Perhaps the most common type of engineering solution is the secure container. This takes the form of a sandboxed runtime environment, often based on the NSA-derived Security-Enhanced Linux.
Daniel Brodie of Lacoon Mobile Security explains: “This is done by encrypting the data on the phone and providing additional data security features, such as copy-paste data loss prevention.
“A common scenario is for secure containers to enable companies to perform a remote-wipe only on an ex-employee’s business data, rather than removing all mobile data, thus relieving the anguish (and possibly also the legal ramifications) of deleting the employee’s personal photographs as well.”
The secure container can be on a standard phone. The US security firm General Dynamics bought the company OK Labs for its secure container, which it runs on LG phones sold to the US Marines.
A recent exploit of a vulnerability in the Exynos5 chipset, in the drivers used by the camera and multimedia devices, creates a hidden SUID (set user ID) binary and uses it for privileged operations such as reading the mobile logs. The file is placed in an execute-only directory, which keeps it hidden from most root detectors.
The spy-phone listens for events in the Android debug bridge (adb) logs. These logs, and the permissions needed to read them, differ between Android versions: on 2.3 and earlier, the logging permission alone is enough.
On Android 4.0 and higher, root permissions are required to read the logs. The spy-phone waits for a log event showing that the user is reading an email; by dumping the heap it can recover the email’s structure and forward the mail to whoever is doing the spying.
This of course needs both a very determined attacker and a particular set of circumstances, but the engineering lesson here is to keep operating systems up to date.
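An added audit helper (not from the article or any product it names) that turns the hiding trick above into a check: it lists setuid/setgid files and any directory that is searchable but not readable, since an execute-only directory cannot be listed by an unprivileged scanner and is exactly where such a binary goes unnoticed. It assumes a GNU or BusyBox `find` and is meant to be run as root over a device image or mounted backup, because root bypasses directory read checks.

```shell
#!/bin/sh
# Constructed audit helper, not code from the article. Lists setuid/setgid
# files and execute-only directories under a tree. Run as root: an
# unprivileged scanner cannot descend into a directory that has no read bit.
audit_tree() {
    root="$1"
    # Files with the setuid (4000) or setgid (2000) bit set.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed 's/^/setuid-file: /'
    # Directories with at least one execute bit but no read bit for anyone:
    # unlistable, so their contents are invisible to a normal scan.
    find "$root" -xdev -type d -perm /111 ! -perm /444 2>/dev/null \
        | sed 's/^/exec-only-dir: /'
}

# A direct check of one known path still works inside an unlistable directory,
# because search permission allows access by name even without read permission.
check_known_path() {
    p="$1"
    if [ -u "$p" ]; then
        echo "setuid-file: $p"
        return 0
    fi
    return 1
}

if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Any `exec-only-dir:` line outside the locations the platform normally locks down is worth a manual look, and `check_known_path` covers paths a scanner already knows to suspect.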
Down to earth
The main reason most security professionals praise BlackBerry's security is its end-to-end service. Keeping control of the servers is as important as keeping control of the device.
It is not just the data on the device that companies need to worry about. According to Brookson, mail should be hosted on a server at the company premises.
This might be hugely unfashionable in the era of the cloud. But really, if your users are backing up their most sensitive data over the air, you should know where they are backing it up to.
And don’t forget voice. Many companies have to record calls for regulatory reasons. In the UK this is mandated by the Financial Conduct Authority, which was set up in the fallout of the bank mis-selling scandal.
From the first SIP
A common way to record calls is to use SIP, the protocol for voice and video-over-IP connections. However, at least one bank has fallen victim to crooks surreptitiously inserting the packet-sniffing tool Wireshark.
This can put network interface controllers into promiscuous mode to intercept calls and use the code words given in the security check to empty customers’ accounts.
SIP is also the technology behind the Star Secure service. It offers encrypted conference calling, voicemail that grants access based on the caller’s billing information, and a system that sends an email whenever voicemail has been picked up, so even if a phone is stolen you know if the voicemail has been accessed. It will even host the conference servers and voicemail in a company’s own data centre.
Interestingly, the over-the-air link is not the main security weakness. Brookson’s 24-year-old GSM encryption technology is still pretty good; cracking it requires setting up a fake base station for a man-in-the-middle attack – and that won’t cope with the phone being handed off to another cell.
Both 3G and 4G systems have an exchange of keys that makes the traffic even more secure. It is what happens at either end of the airwaves that matters.
The education and enforcement strands go hand in hand. One great source of practical advice is the mobile security blog run by David Rogers.
It is not just good for bizarre mobile security merchandise such as cloud security umbrellas. It produced a leaflet for the Metropolitan Police which gives practical advice about using sensitive services such as banking on open Wi-Fi and turning off Wi-Fi, GPS and near field communication (NFC).
Brookson also warns of the dangers of NFC. When we met at the Scotch Malt Whisky Society he pulled an Android phone and NFC tag out of his pocket and demonstrated how it could open a browser window without user intervention. This in turn could insert an exploit through any holes in the browser.
QR codes pose a similar threat, but at least they have to be actively snapped with a camera.
Rogers has written a book on mobile security. It is a bit thin on plot and characterisation, but at least you know what to get your boss for Christmas.
Brookson praises the security tools that Apple makes available and advises companies that deploy the fruity kit to make the most of them.
He thinks Android offers the biggest opportunity for hackers, but takes an international view of security, pointing out that life is pretty safe in North America and Western Europe, where people mostly use Google Play and iTunes for downloading software.
There is much more malware in eastern Europe and Asia, where a high proportion of phones are jailbroken and rooted so users can install pirated programs.
Both Brookson and Rogers highlight the need to protect devices with a PIN and, being security types, say you should change it regularly. This goes for the Android unlock patterns too.
Brookson says your IT department can push this kind of protection. And you don’t really want your company secrets out there in the open because a suspicious spouse has surreptitiously installed some software to monitor the other half.
This can simply be a matter of setting up an iPhone to back up everything to iCloud, enabling the spouse to log in to read the files.
One such monitoring client for Android, BlackBerry and iPhone is Stealth Genie, sold as a way to monitor your children’s activities – but try Googling “Stealth Genie divorce” and you will get a better idea of the target market.
It has to be installed by downloading it to the device – and iPhones need to be jailbroken – but once installed it shows no obvious sign of being there and gives whoever owns the account full access to the phone, including the ability to listen to and replay calls.
Whatever the rights and wrongs of infidelity, a company really doesn’t want an angry spouse gaining access to corporate secrets. But the threat of wronged spouses is nothing compared with governments.
There is a substantial industry in selling surveillance software such as FinFisher. In 2011 protestors who took over the headquarters of Egyptian State Security found paperwork showing that the Egyptian government wanted to buy the FinSpy software.
All kinds of governments use malware. In March Kaspersky Lab found an Android attack targeted against Tibetan and Uyghur activists, in the form of an email with an APK attachment sent to a mailing list from the hacked account of a high-profile Tibetan activist.
Even without nefarious actions, if your company becomes the subject of a government investigation, the mobile phone companies are obliged to hand over whatever they have under lawful intercept laws.
In these days of BYOD (bring your own device) it is nigh on impossible to prohibit people from doing work on their own mobiles, but it is reasonable to enforce a company policy of not allowing rooted or jailbroken phones onto work premises.
Only by getting the right infrastructure in place, staying on top of the latest developments in mobile malware and educating both IT staff and users can you be sure that what not so long ago seemed like a distant threat does not become a career-breaking leak of data. ®