
Android & iPhone’s Growing Malware Problem – MFC 2012

Wednesday morning's keynote speaker was Chet Hosmer, Chief Scientist at Wetstone Allen. The realm of digital and network security has changed dramatically. Think back to before smartphones, as a network security manager: you only had to worry about the network inside your own firewall. With the boom of smartphones and mobile workforces, the perimeter you have to protect, and with it your company's data and infrastructure, has grown almost uncontrollably.

The latest corporate buzzword is BYOD (Bring Your Own Device). A BYOD policy brings more uncertainty into the workplace, because unknown devices are allowed to reach your systems, email, and confidential documents. You do not know what OS version the device is running, what applications are installed, whether storage encryption is enabled, or whether the device is already compromised. As a network administrator you can try to control everything inside your firewall, but how do you control a mobile worker on their own personal device?

Infected smartphones are not new. Today Android devices lead the industry in this epidemic. They lead it because Android is an open-source OS and because its app market relies largely on users reporting bad applications after they are already published, rather than on review before publication; open source by itself is not what makes a platform easy to infect, the distribution model is. With the iPhone you have a proprietary OS, and the public is left guessing what its 10+ million lines of code really do. Keeping that source confidential gives iOS some (limited) protection from attackers hunting for exploits, but the stronger protections are that every app must be signed by Apple and pass App Store review before anyone can install it, and neither secrecy nor review is a guarantee. By no means am I saying iPhone users do not need to worry about malware or trojans, because they do, and it has happened.

The iPhone recently had a hot-selling app called Flashlight. The flashlight itself did nothing special, but people were paying for the app anyway. It took Apple four weeks to realize that it was a fake: people were buying it because it smuggled in an undisclosed tethering feature, a Trojan in the classic sense, an advertised function with a hidden one behind it, and App Store review did not catch it.

Android recently had a major malware outbreak that was found in hundreds of apps. Google Bouncer found some of them, but it is easy to look at the data and see that it did not catch them all. Some of the infected apps were Dice Roller, Chess, Super Ringtone Maker, Best Password Safe, Advanced Compass Leveler, Piano, Quick Delete Contacts, and many more. The exploit these apps carried was RATC (RageAgainstTheCage), a root exploit: once it has root, the malware can silently install further packages or steal data. Here is how RATC works:

1. Finds the Android debug daemon (adbd, the "adb_server" in the talk) and its process ID.

2. Forks copies of itself until the shell user (AID_SHELL) has used up its allowed number of processes (RLIMIT_NPROC). This is the race RATC has to win before the next step.

3. Kills adbd. Android's init restarts it automatically, and like every adbd it starts as root.

4. The restarted adbd does its root-only setup and then tries to drop down to the unprivileged shell user.

5. Two system calls are made to drop privileges:

A. setgid(AID_SHELL)

B. setuid(AID_SHELL)

In step 5 the setuid call fails: the kernel refuses to switch to a user that is already at its process limit and returns EAGAIN. That alone would be harmless, but the adbd code never checked the return values of these calls. Mr. Hosmer put it this way: "Programmers that do not check return values equal dinosaurs because they become extinct." A single line of Android OS code was the vulnerability: when the restarted adbd's privilege drop failed, it kept running as root, and the next adb shell, and the malware behind it, had free rein.
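To make the bug in step 5 concrete, here is an added example (my code, not Android's adbd source) showing the privilege-drop pattern in its vulnerable and hardened forms. The id-changing calls are injected through a small function table so the same code can run against the real setgid/setuid or against a simulated kernel that applies the RLIMIT_NPROC rule; AID_SHELL is the real value from Android's android_filesystem_config.h, while the simulated kernel, its 64-process limit, and the function names are mine.

```c
/* Added example (not Android source): the privilege-drop pattern RATC abuses,
 * vulnerable and hardened, run against a small simulated kernel so the
 * RLIMIT_NPROC failure can be reproduced without root. AID_SHELL is the real
 * Android value; the simulation and its 64-process limit are constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define AID_SHELL 2000   /* uid/gid of "shell" in android_filesystem_config.h */

/* The id-changing calls are injected so the same drop_privs_* code can run
 * against the real syscalls (main) or the simulation (simulate_adbd_restart). */
struct id_ops {
    int (*do_setgid)(gid_t);
    int (*do_setuid)(uid_t);
};

/* Vulnerable shape (what adbd did before the fix): return values ignored,
 * execution carries on as whatever uid the process happens to have. */
static void drop_privs_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    ops->do_setgid(gid);
    ops->do_setuid(uid);
}

/* Hardened shape: drop the group first, then the user, and report any
 * failure to the caller; errno is left set by the call that failed. */
static int drop_privs_checked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->do_setgid(gid) != 0)
        return -1;
    if (ops->do_setuid(uid) != 0)
        return -1;
    return 0;
}

/* --- simulated kernel (constructed) ------------------------------------- */
static struct {
    uid_t uid;              /* uid of the simulated adbd process */
    gid_t gid;
    int shell_procs;        /* processes already owned by AID_SHELL */
    int shell_nproc_limit;  /* RLIMIT_NPROC for that user */
} sim;

static int sim_setgid(gid_t g) { sim.gid = g; return 0; }

/* Mirrors the rule in the kernel's set_user(): switching to a different user
 * that is already at its RLIMIT_NPROC fails with EAGAIN. RATC forks until
 * AID_SHELL sits at that limit, so this is the branch it forces. */
static int sim_setuid(uid_t u)
{
    if (u != sim.uid && u == AID_SHELL && sim.shell_procs >= sim.shell_nproc_limit) {
        errno = EAGAIN;
        return -1;
    }
    sim.uid = u;
    return 0;
}

static const struct id_ops sim_ops  = { sim_setgid, sim_setuid };
static const struct id_ops real_ops = { setgid, setuid };

/* Restart the simulated adbd as root with shell_procs processes already owned
 * by the shell user, then drop privileges with the chosen pattern. Returns the
 * uid the daemon carries on serving "adb shell" with, or -1 if the hardened
 * daemon refused to run (a real adbd exits at that point). */
int simulate_adbd_restart(int checked, int shell_procs)
{
    sim.uid = 0;                  /* init respawns adbd as root */
    sim.gid = 0;
    sim.shell_nproc_limit = 64;   /* constructed limit */
    sim.shell_procs = shell_procs;

    if (checked) {
        if (drop_privs_checked(&sim_ops, AID_SHELL, AID_SHELL) != 0) {
            fprintf(stderr, "adbd: cannot drop privileges: %s, exiting\n",
                    strerror(errno));
            return -1;
        }
    } else {
        drop_privs_unchecked(&sim_ops, AID_SHELL, AID_SHELL);
    }
    return (int)sim.uid;
}

int main(void)
{
    printf("unchecked, shell at limit: adbd serves as uid %d\n", simulate_adbd_restart(0, 64));
    printf("unchecked, table free:     adbd serves as uid %d\n", simulate_adbd_restart(0, 3));
    printf("checked,   shell at limit: result %d (daemon exits)\n", simulate_adbd_restart(1, 64));
    printf("checked,   table free:     adbd serves as uid %d\n", simulate_adbd_restart(1, 3));

    /* Hardened pattern against the real kernel: as a non-root user the switch
     * to AID_SHELL is refused (EPERM) and we find out, instead of carrying on
     * as if it had worked. Run as root this really drops to uid 2000. */
    if (drop_privs_checked(&real_ops, AID_SHELL, AID_SHELL) != 0)
        printf("real setuid(%d) failed: %s\n", AID_SHELL, strerror(errno));
    else
        printf("now running as uid %d\n", (int)geteuid());
    return 0;
}
```

With the shell user at its limit, the unchecked path reports uid 0, which is the RATC outcome; the checked path returns -1 and the daemon would exit rather than serve a root shell. The actual Android fix had the same shape: test each call and exit(1) on failure. Note that checking setuid is not optional even outside this race; setuid can also fail with EPERM, and a daemon that ignores that will happily run with whatever privileges it started with.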

Below are a few of the malware, trojans, and fake apps that have been found on mobile devices.

BASSBRID – Trojan – Set up to steal personal data.

JIFAKE.F – Trojan – A fake version of the Jimm mobile ICQ client. It sends SMS messages to a premium-rate service, charging the user $4-$6 per message on their bill. This was the first known malware installed by having the user scan a QR code.

BATTSTATUS – Fake app – Sent personal data to remote servers.

Ginger Master – Root exploit (targets Android 2.3 "Gingerbread", hence the name).

Rabbiddog.A – Malware – Sends the following SMS message to all of your contacts: "I take pleasure in hurting small animals, just thought you should know."

Not discussed by Mr. Hosmer was the availability of spyware. I am not referring to spyware that is downloaded like a virus, but spyware that someone can purchase and install onto a phone to monitor calls, texts, location, email, and web history. This is a teaser for a future blog post, but I have had several cases within the past few months where spy software was purchased and installed onto a target smartphone. It is out there and it is VERY powerful. The scariest part is that you will never know it is there with the naked eye.

Here are some of my final thoughts on this situation. Malware and trojans on mobile phones are growing at a rapid pace, and no OS is going to be completely safe. When a corporation is concerned about classified information or intellectual property, the "bring your own device" policy should be shelved and the company should provide devices that its IT staff can manage. That lets you control which apps are installed and what information is stored on the device, and it gives you the ability to wipe the device if it is lost or stolen. Each OS has its benefits and both have their minuses. I think there will always be a need for open-source mobility to accelerate innovation in mobility. With acceleration comes risk, and the need to manage and assess those risks.