Threat of Mobile Malware
Transcript of Threat of Mobile Malware
-
8/7/2019 Threat of Mobile Malware
1/26
Messaging Anti-Abuse Working Group
MobiCASE Mobile Security Workshop, October 28 2010
Alex Bobotek,
Co-Vice Chairman, MAAWG
Co-Chairman, MAAWG Wireless Special Interest Group
Threat of Mobile Malware and Abuse
-
MAAWG | maawg.org | Washington D.C. 20102
Attendees Reminder:
What you say may be reported
Press is present
-
20 Years of Mobile Abuse
1996-1999: The birth of consumer mobile data
Mobile abuse nearly non-existent
Widespread paranoia
2000-2008: Steady growth
Grew up with scattered spam, pranks and fraud
2009-2013: The mobile explosion
The rise of mobile abuse
2014-2015: Fixed/Mobile convergence
-
PART I: HISTORY
-
Pre-2000 Issues (AT&T Wireless)

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | L
-
2004 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | Brightmail content filters | M
-
2006 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, Limiters, Anti-Harvest, Brightmail content filters | H
Targeted Web→SMS and Email→SMS spam | RBLs, Limiters, Anti-Harvest; Cloudmark: content filters, honeypots, active monitoring | H
-
Web SMS Spam: 7/2006 AT&T Passport Holiday Attack
First sophisticated, high-volume, targeted SMS attack, using custom-developed malware
AT&T attacked: replay of the 2005 email attack on Verizon
Directed against WebSend (www.cingularme.com)
Used a network of open/hijacked PCs/proxies to hide the source IP
Sample spam SMS (one of several morphing types):
FRM: Angela
SUB: absolutly
MSG: Congratulations, You just won a cruise to the Bahamas PLUS $1000.00 Travel Cash! Call Now 8OO941O98O
Delivered at a rate of about 5/s: ~300k total messages reached subscribers' phones
Defense: cat-and-mouse game of writing filter rules
With 62M+ subscribers available, attackers will go to great lengths to deliver spam
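The filter-rule cat-and-mouse game above turns on spotting the call-back number even when its digits are disguised: the sample's "8OO941O98O" uses the letter O for zero. As an added example (not AT&T's or MAAWG's code), this Python sketch normalizes digit look-alikes before extracting and matching numbers; the confusables table, the blocked-number list and the minimum-real-digits threshold are constructed assumptions.

```python
import re

# Digit look-alikes spammers substitute, as in the sample's "8OO941O98O"
# (letter O for zero). Constructed starting point, not a complete list.
CONFUSABLES = str.maketrans({
    "O": "0", "o": "0", "I": "1", "l": "1", "|": "1",
    "Z": "2", "S": "5", "s": "5", "B": "8",
})

# Filter rules: normalized 10-digit call-back numbers. The single value is
# the one from the slide's sample; a real rule set is not shown on the page.
BLOCKED_NUMBERS = {"8009410980"}

# Three digit groups with optional separators, not glued to other digits.
PHONE_RE = re.compile(r"(?<!\d)(\d{3})[\s.\-()]*(\d{3})[\s.\-()]*(\d{4})(?!\d)")

# Reproduced from the slide's sample message (constructed test input).
SAMPLE_SPAM = ("FRM: Angela SUB: absolutly MSG: Congratulations, You just won "
               "a cruise to the Bahamas PLUS $1000.00 Travel Cash! Call Now 8OO941O98O")


def normalize(text):
    """Map digit look-alikes to digits; str.translate keeps offsets 1:1 here."""
    return text.translate(CONFUSABLES)


def extract_numbers(text, min_real_digits=4):
    """Return normalized 10-digit numbers whose original spelling still had at
    least min_real_digits true digits, so ordinary words never become hits."""
    norm = normalize(text)
    found = []
    for m in PHONE_RE.finditer(norm):
        original = text[m.start():m.end()]  # same span: translation is 1:1
        if sum(c.isdigit() for c in original) >= min_real_digits:
            found.append("".join(m.groups()))
    return found


def classify(message):
    """'block' if any extracted number is on the rule list, else 'pass'."""
    hits = [n for n in extract_numbers(message) if n in BLOCKED_NUMBERS]
    return "block" if hits else "pass"
```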
-
2007 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, Limiters, Anti-Harvest, Brightmail content filters | H
Targeted Email→SMS spam | RBLs, Limiters, Anti-Harvest; Cloudmark: content filters, honeypots, active monitoring | H
Mobile→Mobile spam (future) | Limiters, Anti-Harvest; spam feedback: honeypots, subscriber spam reporting; Cloudmark (or competitor): content filters, active monitoring | M
-
Messaging Unlimited Issue/Risk
April 2007: New AT&T Messaging Unlimited rate plan replaces the 3000/month Messaging Extreme plan as the high-end messaging plan
Prior to this, AT&T has had limited problems with MO spammers
Spam techniques observed: banks of phones tethered to computers, device-resident programs, and/or aircard(s)
The new plan's spam economics (Messaging Unlimited) amount to a 99% discount for spammers
- Old rate (116 millicents per unfiltered message) is in the very high range of commercial spammers.
- New rate of 0.652 millicents per unfiltered message is well in the range of commercial spammers.

 | Previous Offer: Messaging Extreme | New Offer: Messaging Unlimited
Msg/month | 3000 | 3067200
$/month | 34.99 | 25.00
$/msg | 0.011663333 | 0.00000652
-
2009 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, Limiters, Anti-Harvest, Content filters | H
Targeted Email→SMS spam | RBLs, Limiters, Anti-Harvest, Content filters, Honeypots, Active monitoring, Subscriber spam reporting | H
SMS/MMS security hole exploits | Protocol filters, Limiters, Anti-Harvest, Content filters, Honeypots, Active monitoring | M/H
Mobile→Mobile spam/virus | Limiters, Anti-Harvest; spam sensing: honeypots, active monitoring, subscriber spam reporting; Content filters | M
-
#1 Issue of 2009: EmailSMS Smishing
FRM: STERLING
MSG: Sterling Alert. Unusual activity Call now at 1-(877)-345-4671
-
2010 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, Limiters, Anti-Harvest, Content filters | H
Targeted Email→SMS spam | RBLs, Limiters, Anti-Harvest, Content filters, Honeypots, Active monitoring | H
SMS/MMS security hole exploits | Protocol filters (planned), Limiters, Anti-Harvest, Content filters | M/H
Mobile→Mobile spam/virus | Limiters, Anti-Harvest, Spam sensing, Content filters | M
SIM boxes (roaming fraud, spam, international and long distance fraud) | ??? IMEI analysis? Location analysis? Pro-active investigation of discount providers? | ?

Mobile botnets are extremely rare (or non-existent)
-
Mobile-Originated SMS Abuse
Spammers connect phones/aircards to PCs
Mostly prepaid (anonymous) SIMs with unlimited messaging
Assessment: > 50% of spam generated by < 5 spammers
~0.1% of US SMS is MO spam; >500% annual growth rate
Defense: SIM shutdown and inter-carrier blocking
Spammer countermeasure: buy many SIMs & swap to limit daily per-SIM volume
[Graph redacted]
-
Mobile malware
Mobile is on the rise
Cumulative number of malware signatures -- Source: Kaspersky Lab, October 2010
[Chart: x-axis H2 2004 through H1 2010 by half-year; y-axis 0 to 1600 signatures]
-
How to Have Fun and Make Money With SIM Boxes
Entry Level: Cheap/Anonymous Mobile Access
Architecture:
- SIMs with unlimited MTM voice and/or SMS
- SIM box computers (hold 250+ SIMs)
- Internet VOIP or tunnels
Products:
- Cheap long distance calls between mobile networks
- Cheap MT messaging
- Voice spam

Growth Option: Virtual Access for Roaming Subscribers
Architecture:
- Offer cut-rate roaming to subscribers
- Remote IP SIM access mobile device application installed
- VOIP client mobile device application installed
- Virtual SIM box computers
Products:
- Worldwide: take your phone and roam over IP
- Worldwide virtual cell phone (leave your phone at home)
- Voice
- MO & MT messaging
- Fraudulent use of roamers' accounts (e.g., spam)
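The per-SIM daily volume limit on the Mobile-Originated SMS Abuse slide is exactly what a SIM box holding 250+ SIMs defeats by rotating SIMs, and the "IMEI analysis?" entry in the 2010 table is the natural counter. This added Python example (not the presenter's or any carrier's code) runs both checks over constructed per-day records; the record shape, thresholds and identifiers are all assumptions.

```python
from collections import defaultdict

# Constructed per-day MO SMS counts keyed by device (IMEI) and SIM (IMSI).
# The record shape is an illustrative assumption, not a carrier CDR schema.
RECORDS = [
    # (day, imei, imsi, mo_sms_count)
    ("2010-10-01", "IMEI-A", "IMSI-001", 900),   # SIM box rotating SIMs:
    ("2010-10-01", "IMEI-A", "IMSI-002", 950),   # each SIM stays under the
    ("2010-10-01", "IMEI-A", "IMSI-003", 980),   # per-SIM daily limit
    ("2010-10-01", "IMEI-A", "IMSI-004", 990),
    ("2010-10-01", "IMEI-B", "IMSI-100", 40),    # ordinary handset
    ("2010-10-01", "IMEI-C", "IMSI-200", 3000),  # one SIM blowing the limit
    ("2010-10-02", "IMEI-B", "IMSI-100", 35),
    ("2010-10-02", "IMEI-A", "IMSI-005", 995),
]

PER_SIM_DAILY_LIMIT = 1000   # constructed policy thresholds
SIMS_PER_DEVICE_LIMIT = 3


def per_sim_violations(records, limit=PER_SIM_DAILY_LIMIT):
    """The naive control: (day, IMSI) pairs whose MO volume exceeds the limit.
    A spammer swapping many SIMs never appears here."""
    return sorted({(day, imsi) for day, _, imsi, n in records if n > limit})


def sim_box_candidates(records, sim_limit=SIMS_PER_DEVICE_LIMIT,
                       volume_limit=PER_SIM_DAILY_LIMIT):
    """IMEI analysis: devices seen with more than sim_limit distinct SIMs whose
    per-device daily total exceeds the limit each SIM was kept under."""
    sims = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # imei -> day -> total
    for day, imei, imsi, n in records:
        sims[imei].add(imsi)
        daily[imei][day] += n
    flagged = {}
    for imei, sim_set in sims.items():
        over = sorted(d for d, v in daily[imei].items() if v > volume_limit)
        if len(sim_set) > sim_limit and over:
            flagged[imei] = {"distinct_sims": len(sim_set),
                             "days_over_limit": over}
    return flagged


if __name__ == "__main__":
    print("per-SIM limit catches:", per_sim_violations(RECORDS))
    print("IMEI analysis flags:", sim_box_candidates(RECORDS))
```

Run stand-alone, the per-SIM check reports only IMSI-200 while the IMEI check surfaces IMEI-A, whose five SIMs never individually crossed the limit.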
-
PART II: THE FUTURE
-
What does the future hold?
Argument #1: The mobile abuse threat is overblown
"...there is no monoculture for mobile operating systems. There are at least four major mobile operating systems (iPhone, BlackBerry, Android and Symbian) and one minor one (Windows Mobile, which is falling fast). If you are writing malware, which one do you write for? Answer: none of them."
-- Andrew Jaquith, senior analyst, Forrester Research

Argument #2: Hell is rising
"There are nearly 600 million of them worldwide, naked and unprotected. We need to prepare for the inevitable onslaught. Of course, smartphones are going to be the targets of criminals. Any other conclusion is naive, reeks of hubris and merely amplifies the industry's past errors that have cost us all dearly."
-- Rob Smith, CTO & CEO, Mobile Application Development Partners
-
Botnet Non-Mobile Email Spam Example: Canadian Pharmacy Criminal Organization (glavmed.com, aka Canadian Pharmacy)
- Shipping effective but counterfeit drugs; revenue > $150 million per year
- Advertising by spam: pays 40% commission to partners; partners send 2.5B email spam messages/day
- Sales through dodgy web sites: 100 new domains per day; 15 uniquely branded websites; modifying content and URL domain every 15 minutes; use of zombie proxies in the HTTP path to hide the real web sites
- Relies on a botnet network of infected PCs: for spamming; for hiding real websites behind infected proxy websites
- Spammers get 40% commission for directing web traffic to Canadian Pharmacy: $.00008/msg
Source: Cisco/IronPort
-
Mobile Spam Risk: following the email pattern
- Mobile abuse today resembles email spam in 2000
  - Direct spamming: spammer-owned nets/devices
  - At most 100s of direct spammers
- Mobile botnet (mobot) risk is growing
  - Easily developed -- the necessary businesses, markets and funding exist
  - Spammers' business case is good
- Mobile infection is becoming easier
  - More users download mobile apps to open phones
  - Growth in PCs with cell data/messaging capabilities
- Email-like evolution of mobile spam won't take 8 years
- Mobile data businesses and users are at risk of attack by well-funded spammers investing $50k to make millions by developing mobot networks
-
What Causes Abuse?
- People and businesses looking for ways to get money irrespective of ethics and laws
- Pranksters: individuals and/or groups motivated by ego
- Political players: individuals motivated by ego; state actors; non-state actors
- Accidents/errors
Where should I hack today?
-
Hypothesis: Economic Models Predict Abuse
- Abusers are primarily businessmen looking for ways to get money irrespective of ethics and laws
- Ability to monetize: value of an infected device
- Vulnerability: cost to infect a device
- Both are leveraged by advanced markets for goods and services (criminal infrastructure): criminal networks; toolkits/specialists; large numbers of less-skilled players
-
Hypothesis Validation: Does it explain history?
- PCs are widely abused, Macs aren't. Explanation: market share
- 9 of top 10 mobile virus threats affect Symbian OS. Explanation: 2010 smart phone market share (Canalys): Symbian 40%, BlackBerry 18%, Android 16%, Apple 15%, Windows Mobile 7%
- Mobiles not widely infected. Explanation: higher cost to infect a device; lower value of an infected device
-
So What Are the Trends?
- An Amazon Payments executive at the 2010 Mobile Shopping Summit said that mobile commerce is expected to grow from $2.4 billion this year to $23.4 billion by 2015, an 875 percent increase. Those figures are based on projections from Coda Research Consultancy.
- AdMob (May 2010) reports: users across all [mobile] platforms are highly engaged with apps; iPod touch users even more
  - Android and iPhone users spend 79-80 min/day using apps, 100 min iPod touch, 89 min webOS
  - Android and iPhone users download ~9 new apps/month, ~12 iPod touch, ~6 webOS
-
Criminal networks and services are being leveraged
[intelligence not for public dissemination or publication]
-
Prediction
- Value of an infected device will rise with increased use of mobile devices, especially in money transfer applications
  - When mobile use nears or surpasses PC levels, look out
- Cost of infection will decrease with increased mobile use, especially in SW downloads
  - Explanation: easier to infect/deceive
- Positive business cases exist: Mobile Zeus Trojan (TAN stealing)