Mobile Security Weekly – Are iOS and Android full of holes or is it just Gamma Group?


Questions continue to be raised, both by users and now governments, regarding the safety of mobile devices. With news items going both ways, it’s hard to keep up and make sure that your enterprise is aware of all the relevant risks.

In light of the recent Gamma Group leak, is iOS that much safer, or not?
In today’s mobile landscape, Apple loves to highlight the fact that Android phones are more susceptible to malware while the iPhone is considered more secure. Now, leaked documents from Gamma Group, one of the world’s leading surveillance companies, seem to have reaffirmed the idea, or did they?

The latest Gamma Group document leak exposes quite a lot of information about the group’s most advanced surveillance tools for sale. Included is a full breakdown of FinSpy – an advanced mobile Remote Access Trojan (mRAT) that can be used to monitor Skype conversations, take screenshots and photos using a device’s camera, record microphone use, emails and voice-over-IP, and extract files from hard discs. FinSpy can be controlled remotely as soon as the compromised device is connected to the Internet.

While FinSpy has the capabilities to infiltrate Android, BlackBerry and older Microsoft handsets, iPhones are out of reach unless the device’s core security protections have been altered through jailbreaking.

Why is this Significant?
In a world where nobody uses a jailbroken device, this would indeed be a headline proving iOS’s superior security. In actual fact:

  • Tens of millions of users around the world (including many that bring their devices to work) have jailbroken their own iOS devices.
  • Advanced attacks against iOS devices also include the installation of malicious configuration profiles – settings “packages” created with Apple’s iPhone Configuration Utility that are an easy way of distributing network settings to iOS devices. Threat actors can use malicious profiles to hijack network activity and retrieve confidential data – for more, listen to our recent podcast.
  • Targeted Man-in-the-Middle attacks are much easier to carry out against mobile devices.
  • APT campaigns targeting mobile users also include the installation of developer and enterprise certificates, known to have been used in earlier versions of FinSpy.

To learn more about the top-5 cyber security threats to iOS devices, watch our 5-min YouTube video.

Metropolitan Police calls for mandatory passwords on all new mobiles in the UK
In light of the worrying rise in mobile-related crime (both cybercrime and theft), senior officers from the Met’s National Mobile Phone Crime Unit (NMPCU) have met with firms including Apple and Samsung to discuss the new measure, which police see as a key way of tackling handset and identity theft. Police want to see each phone sold with a password already in place.

Recent research suggests that up to 60 per cent of phones do not have a password, offering thieves access to a vast amount of valuable personal information. Putting espionage aside, an unlocked device is also worth much more on the streets.

Why is this Significant?
This is the second time in as many weeks that British officials have taken action regarding mobile security. Like last week, we see this as a very positive step forward (although it’s obviously also a sign that mobile-related crime is growing). It’s important to note that the manufacturers aren’t ignoring this issue either. Apple and Samsung are constantly looking at ways to improve device security. Both are slowly but surely going deeper into the realm of biometrics. Fingerprint scanners are already here and retina scanners are on the way. It’ll be interesting to see how this area continues to evolve over the coming months (the iPhone 6 is just weeks away…).

New report claims that 178 million Android devices in the Middle East & Africa are at risk
Researchers claim that more than 94 percent of popular Android apps used in the Middle East and Africa are potentially vulnerable due to the prevalence of older Android versions. This is based on a problem with the Android Internal Storage – a protected area that Android-based applications use to store private information, including usernames and passwords.

The report goes on to say that a threat actor may be able to steal sensitive information from most of the apps on an older version of Android OS using the Android Debug Bridge (ADB) backup/restore function. What’s more, many of the security enhancements added by Google to prevent this type of attack can be bypassed. With about 85% of Android devices in the Middle East and Africa running 4.0 or below, millions of people are in harm’s way.

Unfortunately, most of the apps on the Google Play marketplace, including pre-installed email and browser applications, use the backup system, making them vulnerable. Many Android apps store user passwords in plaintext in Android Internal Storage, meaning almost all popular e-mail clients, FTP clients and SSH client applications are vulnerable too.
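As an added example (not from the report or from Lacoon), a check for the adb-backup exposure described above: it parses a decoded AndroidManifest.xml (constructed here; a real APK’s manifest must first be decoded with apktool or aapt) and treats a missing android:allowBackup attribute as exposed, because the attribute defaults to true.

```python
"""Check an AndroidManifest.xml for the `adb backup` exposure discussed above.

Added example, not from the report or from Lacoon. On the Android 4.0-era
devices the report describes, `adb backup` can export an app's internal
storage unless the app declares android:allowBackup="false"; when the
attribute is absent it defaults to true, which is the case this check catches.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"

# Constructed sample manifests (hypothetical package name).
MANIFEST_DEFAULT = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mailclient">
  <application android:label="Mail"/>
</manifest>"""

MANIFEST_HARDENED = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mailclient">
  <application android:label="Mail" android:allowBackup="false"/>
</manifest>"""


def backup_exposed(manifest_xml):
    """True if `adb backup` may read this app's private storage."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # Missing attribute == platform default == backups allowed.
    return app.get(ALLOW_BACKUP, "true").strip().lower() != "false"


if __name__ == "__main__":
    for name, xml in (("default", MANIFEST_DEFAULT), ("hardened", MANIFEST_HARDENED)):
        print(f"{name}: {'EXPOSED' if backup_exposed(xml) else 'ok'}")
```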

Why is this Significant?
This goes back to the much discussed issue of Android fragmentation. The fact that more recent versions of Android OS are immune to this and many other security problems is almost irrelevant when there are hundreds of millions of devices still running earlier versions, often with users not even knowing that they are in danger or being able to do anything about it.

This type of problem requires a joint effort from Google, the app developers and the cellular providers. The apps need to improve their security, Google needs to find a way of supplying security enhancements to more users, and the cell providers need to help make the process as simple as possible. This is obviously not something that will happen in the immediate future. Enterprises need to consider third-party solutions that can provide a comprehensive, integrated and scalable mobile threat management solution to detect and mitigate advanced mobile threats to corporate resources.

Mobile Security Weekly – Bringing the Hammer Down on Mobile Threats

The world of mobile security is constantly absorbing and adopting new trends. This week’s summary highlights just that. It’s evident just how insecure even the most “secure” devices are – despite several companies attempting to create an “impregnable” device. On the flip side, we see more examples of mobile security being taken seriously – whether by Google or governments.


British Information Watchdog warns of £500,000 fines for putting clients’ data at risk

The Information Commissioner’s Office (ICO) has voiced its concern over a recent series of data-protection issues in the British legal profession, warning lawyers they face fines as high as £500,000 if they place clients at risk.
After 15 incidents in the past 3 months, the ICO says it’s obvious that staff in the legal profession aren’t using the necessary data-protection practices and technologies to keep data secure.
Why is this Significant?

It’s great to see an official government organization preaching the use of encryption and security measures outside the high-tech industry. Looking at the sensitive information handled by the legal profession – it’s clear why they are being targeted by threat actors:

  1. Lawyers are always mobile – they need much of their private and confidential data with them at all times.
  2. The legal industry is yet to embrace more advanced security regulations.
  3. Communication is a critical part of the business – making mobile devices the perfect target.

For more information on securing devices in a mobile-driven legal world, you can read our previous blog post here.
The “Most Secure” Android Phone Hacked In Fewer Than Five Minutes

The Blackphone, advertised as a highly secure consumer alternative to standard smartphones, has been successfully hacked. This happened not long after Blackphone had a very public argument with BlackBerry after the latter called the secure device “unacceptable” for enterprise and private customers.

This hack was performed live at a recent conference – researchers hacked the phone and gained root access within five minutes, without unlocking the bootloader.
Why is this Significant?
While it must be said that some user interaction is required and Blackphone have since solved one of the problems, this serves as an additional example of the advances in, and growing number of, methods for attacking and gaining control over a device. It is important to recognize that organizations are, more likely than not, going to be infected. The critical part is identifying and mitigating the problem as quickly and professionally as possible.

Google ‘Android Device Manager’ App Updated With ‘Call Back’ Security Feature

Users running Android 2.3 and above now have an interesting new way to try and locate lost smartphones.

The Android Device Manager has always enabled users to remotely erase data and to remotely activate the lost device’s screen lock PIN. Now, this important functionality has received an upgrade in the form of a ‘call back’ feature, which, when set, enables the finder of a lost device to call the original owner and return the handset. Basically, if the device gets lost and is picked up by someone, the ‘Call Back’ functionality displays a new green call button at the bottom of the screen when the finder wakes the device.
Another important aspect of Google’s latest security enhancement is that ‘Call Back’ can be activated even after users lose their Android smartphones.
Why is this Significant?
It’s interesting to see how Google are looking at combating the theft and misplacement of devices. Although this feature won’t help in securing devices against malware, it is undoubtedly an important part of device protection.

Practical Attacks Against VDI and Augmenting Mobile Security

The following content “Practical Attacks Against VDI and Augmenting Mobile Security” was part of a Black Hat USA 2014 Presentation

Last week at Black Hat, Michael Shaulov, CEO and Co-Founder of Lacoon, and Daniel Brodie, Senior Security Researcher at Lacoon, presented to a packed room of several hundred people on the topic of “Practical Attacks Against VDI.” During the presentation they were clear that they weren’t destroying the myth about VDI, but rather pointing out how to evaluate and quantify the mobile security aspects when moving forward with mobility initiatives.

Key points highlighted in the session included:

  • What are the cyber security gaps to be aware of from a mobility perspective
  • Demonstration of 4 practical mobile threats with both iOS and Android examples
  • How to Augment VDI with defense-in-depth mobile security

If you missed the briefing at Black Hat or weren’t able to attend, you can view the presentation slides in this post. For a more in-depth look into the topic, please download and read the white paper.

Are Malicious Configuration Profiles iOS’ Achilles Heel?

As part of our ongoing efforts to protect our clients from all types of mobile threats, Lacoon researches malicious iOS configuration profiles. We have gained many insights from this research and, to share them, we recorded a podcast episode with one of the senior security researchers at Lacoon Mobile Security, Dan Koretsky.


You can hear the podcast here in our new Mobile Security Talk Podcast Channel.
For those that prefer the written word, we summed up our conversation with Dan:

What exactly is an iOS configuration profile?

Configuration profiles are settings “packages” created with Apple’s iPhone Configuration Utility. They’re intended for IT departments and cellular carriers. Essentially, they’re an easy way of distributing network settings to iOS devices.

For example, a configuration profile can contain Wi-Fi, VPN, email, calendar, and even password restriction settings. A configuration profile can be distributed to employees, allowing them to quickly configure their device to connect to the corporate network and other services. A cellular carrier could distribute a configuration profile file containing its access point name (APN) settings, allowing users to easily configure cellular data settings on their device without having to enter all the information manually.

How is a configuration profile deployed to a device?

There are several ways to deploy configuration profiles:

  • Using Apple Configurator
  • In an email message
  • On a webpage
  • Over the air using a Mobile Device Management Server

What threats can a configuration profile pose to enterprise security?

A user may be tricked into downloading a malicious configuration profile. Depending on the malicious profile, the device can eventually be configured to re-route email traffic (enabling the attacker to read all incoming and outgoing corporate emails) or to perform other surveillance tasks such as recording conversations, text messages and even room audio.

For example, an attacker could use social engineering and distribute a phishing email encouraging employees of a corporation to install a malicious configuration profile attached to the email. An attacker could also set up a phishing site that pushes a configuration profile to the visiting device.

When the configuration profile is downloaded, iOS will display information about the contents of the profile and ask the user if they want to install it – the social engineering factor is critical, as the user has to be convinced the profile is legitimate.

Malicious Configuration Profiles in the Wild

As of now, no evidence has been found of a configuration profile attack in the wild. It’s worth noting that although not an attack, last year LinkedIn upset many customers by installing an aggressive configuration profile as part of a new iOS app – LinkedIn Intro.

The configuration profile defined a unique email account on the LinkedIn servers for each email account you have. In turn, the LinkedIn email accounts linked to your respective email accounts. LinkedIn did this via a configuration profile to basically circumvent the mail apps’ security mechanisms. Mail apps do not allow extensions for the simple reason that emails are intended to be kept private and not altered. However, a configuration profile can bypass those security hurdles.

As mentioned, LinkedIn upset many customers with this addition – so much so that 3 months after introducing this feature, LinkedIn withdrew it from their offering.

Mitigating configuration-profile based attacks

To prevent data exfiltration, a solution needs to be in place that can not only detect rogue or altered profiles, but also block and remove them to eliminate the threat.

Configuration profiles can’t hide themselves. They can only direct the infected device towards malicious servers and install malicious certificates. Once the offending configuration profile is removed, the harmful changes will be erased.
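The detection half of that mitigation, as an added example that is not Lacoon’s or Apple’s code: a triage script that parses an unsigned .mobileconfig plist and flags payloads that install a root CA, set a global proxy, or point mail/VPN servers outside an assumed corporate domain (corp.example.com, an assumption). The sample profile is constructed; the payload type strings and key names are as recalled from Apple’s Configuration Profile Reference.

```python
"""Triage an iOS configuration profile (.mobileconfig) for risky payloads.

Added example, not Lacoon or Apple code. Assumes an unsigned XML plist; a
CMS-signed profile must be unwrapped first (e.g. with `openssl smime`).
Payload types and key names are as recalled from Apple's reference.
"""
import plistlib

TRUSTED_SUFFIX = ".corp.example.com"   # assumed corporate domain

# Constructed sample: a "Wi-Fi settings" profile that also re-routes mail
# through an outside host and installs a root CA.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadDisplayName</key><string>Corporate Wi-Fi Settings</string>
 <key>PayloadIdentifier</key><string>com.example.wifi</string>
 <key>PayloadContent</key><array>
  <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
        <key>SSID_STR</key><string>CorpWiFi</string></dict>
  <dict><key>PayloadType</key><string>com.apple.mail.managed</string>
        <key>IncomingMailServerHostName</key><string>imap.evil-relay.test</string>
        <key>OutgoingMailServerHostName</key><string>smtp.evil-relay.test</string></dict>
  <dict><key>PayloadType</key><string>com.apple.security.root</string>
        <key>PayloadContent</key><data>AAAA</data></dict>
 </array>
</dict></plist>"""

# Keys whose value is a server the device will be told to talk to.
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName", "ProxyServer")


def trusted(host):
    return host.lower().endswith(TRUSTED_SUFFIX)


def triage_profile(raw):
    """Return a list of (severity, payload_type, reason) findings."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.security.root":
            findings.append(("high", ptype, "installs a root CA (enables TLS interception)"))
        elif ptype == "com.apple.proxy.http.global":
            findings.append(("high", ptype, "routes all HTTP(S) traffic via a proxy"))
        elif ptype == "com.apple.vpn.managed":
            findings.append(("medium", ptype, "can tunnel all device traffic"))
            vpn_host = payload.get("VPN", {}).get("RemoteAddress", "")  # nested in VPN dict
            if vpn_host and not trusted(vpn_host):
                findings.append(("high", ptype, f"VPN server {vpn_host} is outside {TRUSTED_SUFFIX}"))
        for key in HOST_KEYS:   # mail and proxy hosts sit at the payload's top level
            host = payload.get(key, "")
            if host and not trusted(host):
                findings.append(("high", ptype, f"{key}={host} is outside {TRUSTED_SUFFIX}"))
    return findings


if __name__ == "__main__":
    for severity, ptype, reason in triage_profile(SAMPLE_PROFILE):
        print(f"[{severity}] {ptype}: {reason}")
```

Payloads that only set Wi-Fi or APN values produce no finding, which is the legitimate carrier and IT use the text describes.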

Mobile Security Weekly – Android Threats Stack Up

On the heels of Black Hat USA, perhaps it’s hardly surprising that this week has been especially full of malware. Much like the demonstrations and presentations at Black Hat, this week’s stories highlight attackers’ technical prowess as well as their effectiveness and practicality.

  1. Researchers in Russia have discovered that half a million devices have been infected with a form of banking malware.
    541,000 smartphones running Android in Russia, Europe and the US are already infected with malware that grants the perpetrators full access to people’s mobile devices.

    A recurring trend, this attack is based on a large-scale SMS campaign, which bombards victims with fake messages until they give in and download a malicious file. It’s a well-known fact that most Russian banks use SMS messages to communicate confidential details to users, and this has quickly become a target for many types of malware. This specific attack can relay a victim’s messages back to a remote server as well as access most other types of data on the device.

    Why is this Significant?

    Besides the obvious severity of the attack, it’s worth noting that this malware has also taken an impressive step forward in usability. Attacking mobile devices has never been easier, as a screenshot of the malware’s control panel demonstrated:

    The malware is controlled by a very comfortable program that is even equipped with a drop-down menu next to each victim’s phone number. The options for violating the smartphone owner’s privacy include “get images,” “get place” and “start record call.”

  2. Android mRAT impersonates Kaspersky Mobile Security
    An advanced mRAT (Mobile Remote Access Trojan) attack impersonating the well-known AV vendor Kaspersky Lab is actively targeting Polish Android users. Similar to the previous item, the attack is based on a fake email sporting the firm’s logo and warning users that a “..virus designed to steal SMS codes (mTANs) used to authorize bank transfers has been detected on their devices…”.

    The scam goes on to provide the victim with a free antivirus app supposedly commissioned by the user’s bank: “To prevent theft of cash from your account, please promptly install Kaspersky Mobile Security Antivirus on your mobile device..” Sadly, the attached file – Kaspersky_Mobile_Security.apk – is not a security solution, but a variant of the Android SandroRAT. This version of the malware can steal the user’s contact list, SMS messages, browser history, bookmarks and GPS location. It can also intercept and relay incoming calls, text messages and room audio.

    Why is this Significant?

    It’s interesting to see how attackers are taking older strains of malware and updating them. In this case the mRAT can now both access encrypted WhatsApp chats (unless WhatsApp has been updated) and obtain the unique encryption key using the Google email account of the device, something that the original version wasn’t able to do.

    We predict that it won’t be long before this attack spreads out from Poland and starts targeting users worldwide.

  3. Researchers discover that some banking apps built with Apache Cordova suffer from serious security issues.
    It has been discovered that attackers can steal login credentials and other sensitive data from 1 in 10 Android banking apps, and about six per cent of all Android apps. Users should avoid using the vulnerable apps, which were built using Apache Cordova up to version 3.5.0, until they have been updated.

    The problem is in Cordova, a toolkit for crafting mobile software using HTML, CSS and JavaScript. A cross-application scripting (CAS) hole allows threat actors to remotely run malicious JavaScript code in the context of a vulnerable Cordova-built app. Apparently, it’s possible to exploit other bugs within Cordova to then extract additional sensitive information, such as login cookies.

    Why is this Significant?

    Left untreated, this vulnerability can be abused in a number of different ways to steal online bank account credentials that would enable criminals to withdraw or transfer funds. It’s important to note that, in a similar fashion to Heartbleed, this is neither the users’ nor the app developers’ fault. An inherent security problem within an app development kit is to blame. Sometimes, it’s almost impossible to predict where a security issue will sprout from.