Sticking to official distributions is a safer alternative

Mar 8, 2015 22:33 GMT  ·  By
As vulnerabilities get patched, threat actors create new types of attacks

There is no doubt that mobile devices have become the preferred target of cybercriminals over the past year. With billions of smartphones sold, searching for security flaws and exploiting them has become something of a prime directive for the crooks.

iOS devices are no longer 100% safe, as the number of malware samples and cyber-attacks aimed at Apple’s mobile platform has been on an upward trend lately.

From the first worm for iOS (Ikee) discovered in 2009, which simply changed the wallpaper to a Rick Astley photo, iOS has been the target of multiple malware pieces and malicious operations, not necessarily financial in nature.

iOS is no longer the safest choice for mobile technology

A study from Arxan Technologies showed that 87% of the top 100 paid apps on iOS had been cloned for malicious purposes and were being distributed through unofficial channels.

Jailbroken devices are easier to compromise, and these were the target of the Xsser remote access Trojan (RAT) in 2014. Security researchers at Lacoon Mobile Security found it distributed through a WhatsApp message among protesters in Hong Kong, with the purpose of stealing private information such as the contact list, texts or call logs.

Non-jailbroken devices are not a guarantee of security anymore either. In 2014, a piece of malware called Wirelurker was discovered in a third-party store for Mac apps; it lodged on the desktop computer and waited until an Apple mobile device was connected in order to compromise it and exfiltrate personal information.

Last year, researchers at FireEye found a vulnerability in iOS that allowed a malicious app signed with an enterprise certificate to replace a legitimate one if they had the same bundle ID (used for verifying app updates). This flaw was leveraged by Wirelurker.
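The flaw described above comes down to an identity check that trusts a name (the bundle ID) instead of the signer. The following Python model is an added example, not Apple’s code or FireEye’s research material: it contrasts a weak replacement policy that compares only bundle IDs with a hardened one that also binds the app to its signing team and profile type, and it includes a defender-side audit that flags installed apps whose signer does not match the expected App Store signer. All bundle IDs, team IDs and the `known_signers` table are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SignedApp:
    """Minimal view of an installed or candidate app (constructed model)."""
    bundle_id: str   # e.g. "com.example.bank" (constructed)
    team_id: str     # identifier of the signing developer/enterprise (constructed)
    profile: str     # "appstore" or "enterprise" (in-house distribution)
    version: str


Policy = Callable[[SignedApp, SignedApp], bool]


def bundle_id_only(installed: SignedApp, candidate: SignedApp) -> bool:
    """Weak policy: a candidate may replace an installed app if bundle IDs match.
    An enterprise-signed app reusing a legitimate bundle ID passes this check."""
    return candidate.bundle_id == installed.bundle_id


def bundle_id_and_signer(installed: SignedApp, candidate: SignedApp) -> bool:
    """Hardened policy: same bundle ID *and* same signing team *and* same profile type,
    so an app from a different signer cannot masquerade as an update."""
    return (candidate.bundle_id == installed.bundle_id
            and candidate.team_id == installed.team_id
            and candidate.profile == installed.profile)


def apply_install(device: Dict[str, SignedApp], candidate: SignedApp, policy: Policy) -> bool:
    """Install `candidate` on `device` (bundle ID -> app). If the bundle ID is already
    present, the policy decides whether the replacement is allowed. Returns True if installed."""
    installed = device.get(candidate.bundle_id)
    if installed is None or policy(installed, candidate):
        device[candidate.bundle_id] = candidate
        return True
    return False


def audit_signers(device: Dict[str, SignedApp],
                  known_signers: Dict[str, Tuple[str, str]]) -> List[str]:
    """Detection: return bundle IDs whose installed (team_id, profile) differs from the
    expected App Store signer recorded in `known_signers` (a constructed allowlist)."""
    return sorted(bid for bid, app in device.items()
                  if bid in known_signers and (app.team_id, app.profile) != known_signers[bid])


def demo() -> Tuple[bool, bool, List[str], List[str]]:
    """Run the same rogue update against both policies and audit the outcome."""
    legit = SignedApp("com.example.bank", "TEAMBANK01", "appstore", "2.1")
    # Same bundle ID, but signed by a different team under an enterprise profile (constructed).
    rogue = SignedApp("com.example.bank", "ENTROGUE99", "enterprise", "9.9")

    weak_device = {legit.bundle_id: legit}
    strong_device = {legit.bundle_id: legit}
    weak_replaced = apply_install(weak_device, rogue, bundle_id_only)
    strong_replaced = apply_install(strong_device, rogue, bundle_id_and_signer)

    known_signers = {legit.bundle_id: ("TEAMBANK01", "appstore")}
    return (weak_replaced,
            strong_replaced,
            audit_signers(weak_device, known_signers),
            audit_signers(strong_device, known_signers))


if __name__ == "__main__":
    print(demo())
```

The weak policy lets the rogue build take the legitimate app’s place, and the audit then reports the bundle ID as mismatched; the hardened policy refuses the replacement and the audit stays clean. The same idea applies to any update mechanism: identity must be tied to who signed the package, not to a name the attacker can choose.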

Affecting mostly iOS versions earlier than 8.0, a piece of malware called XAgent has been used in a cyber-espionage operation called Pawn Storm to steal from the targeted device various data, ranging from contacts and text messages to geo-location info. It could also be used to start voice recording on the device.

While threats and attacks designed for iOS are not as widespread as those intended for Android, they are starting to increase in frequency.

Meghan Kelly of mobile security company Lookout says that “today, iOS malware looks a lot like Android malware in 2010” and that the threat landscape for Apple’s gadgets is almost the same as the one observed for Google’s mobile OS five years ago.

“Thus far, iOS malware has followed a similar pattern with threats appearing in the wild for jailbroken devices, moving to non-jailbroken devices, and finally sneaking into the official App Store,” she adds.

On the other hand, cybercriminals targeting Android have started to operate at a different level, where devices are already compromised or riddled with security holes by the time they reach their owner.

Now that threat actors have set their sights on iOS, it is very likely that new vulnerabilities will be discovered and exploited to retrieve information from devices running it.

Some devices are vulnerable from the get-go

Security researchers at Bluebox tested nine of the most popular Android tablets built specifically for children and found that all of them presented risks of various types.

It is important to note that such devices have to comply with privacy laws (Children’s Online Privacy Protection Act – COPPA) that prevent tracking and collecting data. Moreover, they feature special software for protecting the kid’s account on the gadget so that it is restricted from making changes not approved by the guardian (administrator).

The study revealed that more than 50% of the tablets had a backdoor that bypassed the security mechanisms and allowed rooting the device, which grants privileged control.

Except for two products, all of them had third-party app stores pre-installed, increasing the risk that malicious software is downloaded, since these marketplaces do not generally apply strict verification to the apps they make available.

Another risk found by the researchers was that all the tablets were susceptible to at least three major vulnerabilities (Futex, ObjectInputStream and BroadAnywhere), which could be exploited by a malicious actor.

“The nature of the vulnerabilities in these tablets means that the account separation really won’t do much to prevent an attacker from accessing all of the data on these devices. The attacker will gain privileges that allow them to bypass the restrictions that are put in place,” Andrew Blaich of Bluebox said via email.

Unofficial retailers and shady manufacturers should be avoided

However, a greater danger is present in the case of Android, one that puts a larger number of users at risk from the moment the device is purchased, as Bluebox discovered with a Mi4 LTE smartphone manufactured by Xiaomi.

The researchers bought the device from a retailer in China and tested its security. The results were quite unbelievable, leading them to think that they had got their hands on a fake. As it turned out, the phone was the real deal, but the software had been tampered with somewhere in the distribution chain.

The result was a device that included adware and malware and ran a customized copy of Android vulnerable to Masterkey, FakeID, and Towelroot (Linux Futex). On top of this, the phone was already rooted.

Xiaomi was quick to provide an explanation, after Bluebox published the research, saying that the purchase was most likely made from an unofficial retailer since their distribution chain included the official website, Mi.com, “and a small number of select partners such as operators.”

A representative of the smartphone manufacturer told us via email that the official distributors for their products vary from country to country. In China, apart from the company website, there are the Tmall retailer and mobile operators. In Singapore, Xiaomi distributes its Mi devices through operators SingTel, M1 and Starhub, while in Malaysia they can be bought through Celcom, Digi, Maxis and YTL.

Before making a purchase, users should check if the chosen retailer is on the list of official distributors; otherwise, there is a chance that the device is not provided as intended by the manufacturer.

But even so, malware can be built in straight from the factory. In mid-2014, antivirus vendor G Data found an Android device from Chinese manufacturer Star that came with spyware embedded in the firmware, designed to intercept calls, online banking data and text messages.

Users also have to take action to protect data on mobile devices

This goes to show that cybercriminals will go to great lengths to expand their malicious operations. They have become more organized and devise attacks that are not easily discovered by the regular user.

The alternatives the average Joe has for a safe Android are few, and given the aforementioned details, one solution would be to replace the operating system with one vetted by an authorized and trusted entity, such as the factory image provided by Google or CyanogenMod.

Unfortunately, not everyone can do this with ease, so investigating the credibility of the vendor is one way to make sure you get a device that is not compromised to begin with.

With iOS, apart from not jailbreaking the device, users should refrain from accessing links or downloading apps delivered from unknown sources.

Images (3): “As vulnerabilities get patched, threat actors create new types of attacks”; “iOS security myths”; “Score from Bluebox’s Trustable for tampered Xiaomi Mi4”