Wednesday, June 15, 2011

Advanced Mobile Spyware

Mobile Spyware

-Often includes modifications to legitimate programs designed to compromise the device or device data
-Often inserted by those who have legitimate access to source code or distribution binaries
-May be intentional or inadvertent
-Not specific to any particular programming language
-Not specific to any particular mobile Operating System

Attacker Motivation
Practical method of compromise for many systems
–Let the users install your backdoor on systems you have no access to
–Looks like legitimate software so may bypass mobile AV

Retrieve and manipulate valuable private data
–Looks like legitimate application traffic so little risk of detection

For high value targets such as financial services and government it becomes cost effective and more reliable

–High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
–Think "Aurora" for Mobile Devices


FlexiSpy
http://www.flexispy.com
$149 -$350 PER YEAR depending on features
Features:
–Remote Listening
–C&C Over SMS
–SMS and Email Logging
–Call History Logging
–Location Tracking
–Call Interception
–GPS Tracking
–Symbian, Blackberry, Windows Mobile Supported

Mobile Spy
http://www.mobile-spy.com
$49.97 PER QUARTER or $99.97 PER YEAR
Features:
–SMS Logging
–Call Logging
–GPS Logging
–Web URL Logging
–BlackBerry, iPhone(JailbrokenOnly), Android, Windows Mobile or Symbian

Etisalat (SS8)
-Cell carrier in United Arab Emirates (UAE)
-Pushed via SMS as "software patch" for Blackberry smartphones
-Upgrade urged to "enhance performance" of Blackberry service
-Blackberry PIN messaging as C&C
-Sets FLAG_HIDDEN bit to true
-Interception of outbound email / SMS only
-Discovered due to flooded listener server cause retries that drained batteries of affected devices
-Accidentally released the .jar as well as the .cod (ooopsie?!)

Bugs & Phonesnoop
–Exfiltration of inbound and outbound email
–Hidden
–Remotely turn on a Blackberry phone microphone
–Listen in on target ambient conversation

Storm8 Phone Number Farming
–iMobstersand Vampires Live (and others)
–"Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhoneuser who downloads any Storm8 game," the suit alleges. "... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed."
–"Storm8 says that this code was used in development tests, only inadvertently remained in production builds, and removed as soon as it was alerted to the issue."

Symbian Sexy Space
–Poses as legitimate server ACSServer.exe
–Calls itself 'Sexy Space'
–Steals phone and network information
–Exfiltrates data via hacker owned web site connection
–Can SPAM contact list members
–Basically a "botnet" for mobile phones
–Signing process: Anti-virus scan using F-Secure (Approx 43% proactive detection rate (PCWorld))
-Random selection of inbound manually assessed
–Symbiansigned this binary as safe!

09Droid –Banking Applications Attack
–Droid app that masquerades as any number of different target banking applications
–Target banks included: Royal Bank of Canada, Chase, BB&T, SunTrust, Over 50 total financial institutions were affected
–May steal and exfiltrate banking credentials
–Approved and downloaded from Google’s Android Marketplace!
–http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market
–http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953

Blackberry Takes Security Seriously
-KB05499: Protecting the BlackBerry smartphoneand BlackBerry Enterprise Server against malware: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05499
-Protecting the BlackBerry device platform against malware: http://docs.blackberry.com/en/admin/deliverables/1835/Protectingthe BlackBerry device platform against malware.pdf
-Placing the BlackBerry Enterprise Solution in a segmented network: http://docs.blackberry.com/en/admin/deliverables/1460/Placing_the_BlackBerry_Enterprise_Solution_in_a_Segmented_Network.pdf
-BlackBerry Enterprise Server Policy Reference Guide: http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf

Does It Really Matter?
-Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphoneusers, June 2009)
-13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)

Code Signing
-Subset of Blackberry API considered "controlled"
-Use of controlled package, class, or method requires appropriate code signature
-Blackberry Signature Tool comes with the Blackberry JDE
-Acquire signing keys by filling out a web form and paying $20
–This not is a high barrier to entry
–48 hours later you receive signing keys
-Install keys into signature tool
-Hash of code sent to RIM for API tracking purposes only
-RIM does not get source code
-COD file is signed based on required keys
-Application ready to be deployed
-Easy to acquire anonymous keys

IT Policies
-Requires connection to Blackberry Enterprise Server (BES)
-Supersedes lower levels of security restrictions
-Prevent devices from downloading third-party applications over wireless
-Prevent installation of specific third-party applications
-Control permissions of third party applications
–Allow Internal Connections
–Allow Third-Party Apps to Use Serial Port
–Allow External Connections
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Application Policies
-Can be controlled at the BES
-If no BES present, controls are set on the handheld itself
-Can only be MORE restrictive than the IT policy, never less
-Control individual resource access per application
-Control individual connection access per application
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Installation Files
-.COD files:A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
-.JAD files:An application descriptor that stores information about the application itself and the location of .COD files
-.JAR files:a JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
-.ALX files:Similar to the .JAD file, in that it holds information about where the installation files for the application are located

txsBBSpy Logging and Dumping
-Monitor connected / disconnected calls
-Monitor PIM added / removed / updated
-Monitor inboundSMS
-Monitor outbound SMS
-Real Time trackGPS coordinates
-Dump all contacts
-Dump current location
-Dump phone logs
-Dumpemail
-Dump microphone capture (security prompted)

txsBBSpy Exfiltration and C&C Methods
-SMS (No CDMA)
-SMS Datagrams(Supports CDMA)
-Email
-HTTP GET
-HTTP POST
-TCP Socket
-UDP Socket
-Command and control hard codedto inbound SMS

Future Work (Offensive AND Defensive)
-Reverse engineer .cod file format
-Continued research into unobstructed installation methods (requires exploitation)
-Infect PC with virus that acts as distribution hub
-Research additional exfiltration methods for tunneling without prompting