DEMYSTIFYING MOBILE SECURITY ATTACKS Check Point: Demystifying Mobile Security Attacks | White Paper IOS MALWARE DELIVERED USING FAKE ENTERPRISE OR DEVELOPER CERTIFICATES WHAT IT DOES AND HOW IT WORKS iOS malware delivered using fake certificates is malicious software installed on a device using the Apple iOS operating system (OS) that is accompanied by certificates validated by Apple that actually represent a trusted organization that has been compromised. Ever heard of Sutxnet, Flame and Bit9 attacks? – they used a method similar to this. INFECTION VECTORS – HOW IT ‘GETS IN’ Apple grants two different 3rd party certificates to organizations that agree to adhere to Apple’s guidelines. They are: 1. Developer certificates, which allow developers to test their apps before they go public on the Apple app store. DAMAGE IT CAN CAUSE This malware can be used to do almost anything. It can act as a remote access Trojan, with a surveillance toolkit that may enable the attacker to steal passwords, emails, calendar records and geolocation, in real time. It can even activate the microphone to listen in on conversations and meetings. HOW TO DETECT AND PREVENT IT DETECT: You need Device Risk Assessments that can detect iOS apps on the device that are using stolen or fraudulent Enterprise/Developer certificates. PREVENT: You need OnDevice Remediation that can block or remove fraudulent certificates to eliminate the attack. 2. Enterprise certificates, which provide organizations the opportunity to establish their own, in-house marketplace for dedicated apps. Behind the scenes, Apple validates an app is signed by a trusted certificate before allowing it to be side-loaded (which means it’s not installed through the App Store) on the device. If an attacker is able to obtain a certificate they can use it to validate their malware and install it on any iOS device without passing it through the vetting process in the App Store. A user can then be lured to download their seemingly harmless app. (Note, given the volume of apps, it is very difficult for Apple to monitor the use of certificates, as a result, attacks have started to emerge, such as FinFisher mRAT that use these certificates.) CONTACT US Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com ©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] March 30, 2015 3 Check Point: Demystifying Mobile Security Attacks | White Paper IOS MALICIOUS PROFILES WHAT IT DOES AND HOW IT WORKS INFECTION VECTORS – HOW IT ‘GETS IN’ An attack that uses a configuration file for iOS that can re-define system functionality parameters, such as device, mobile carrier, mobile device management (MDM) and network settings. A profile can circumvent device and or application security mechanisms, which is why it’s an attractive target for attackers. A user may be tricked into downloading a malicious profile and, by doing so, unknowingly provide the rogue configuration the ability to re-route all traffic from the mobile device to an attackercontrolled server, further install rogue apps or even decrypt communications. A profile can also be loaded by an attacker, who gains physical access to the device. DAMAGE IT CAN CAUSE A malicious profile circumvents typical security mechanisms, so it can be used to do almost anything. It can enable the attacker to steal passwords, emails, all data stored or passed through the phone, calendar records and geo-location, in real-time. HOW TO DETECT AND PREVENT IT DETECT: You need Device Risk Assessments that can detect rogue iOS profiles or profiles that have been altered on the device. Behavioral Application Analysis can also be used to identify profiles that exhibit abnormal or suspicious activity. PREVENT: You need OnDevice Remediation that can block or remove malicious profiles to eliminate the attack. IOS SURVEILLANCE AND MOBILE REMOTE ACCESS TROJANS (MRATS) WHAT IT DOES AND HOW IT WORKS INFECTION VECTORS – HOW IT ‘GETS IN’ iOS mRATs are malicious software installed on a device using the Apple iOS operating system (OS) that gives an attacker the ability to remotely gain access to everything stored and flowing through the device. These attacks typically take advantage of a device that has been jailbroken, which means all the built-in iOS security mechanisms have been removed. It’s not unusual for iOS users to jailbreak their own device, so they can install any iOS application they want, not just the ones that are from Apple’s proprietary store. Attackers can also jailbreak an iOS device themselves, by physically obtaining access to the device or propagating the jailbreak code from a compromised computer through a USB cable. Once jailbroken, attackers can install the surveillance or spyphone application of their choice, or disguise it in an application from a third party app store for an unwitting user to download. CONTACT US DAMAGE IT CAN CAUSE mRATs can act as a remote access Trojan, with a surveillance toolkit that can enable the attacker to steal passwords, corporate data and emails, as well as capture all keyboard activity (keylogging) and screen information (screen scraping). They may also activate the microphone to listen in on conversations and meetings, or act as a botnet to steal contacts or text messages (SMS texts). HOW TO DETECT AND PREVENT IT DETECT: You need to conduct Device Risk Assessments to detect those devices that have been jailbroken and then investigate the actual behavior of the communication on the device. PREVENT: You need both On-Device Remediation and Network-based Mitigation to actively block traffic and contain the mRAT. Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com ©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] March 30, 2015 4 Please complete the form to gain access to this content Access Now Related Resources Network Boundaries Have Gone Mobile HOW MOBILE MALWARE COMPROMISES YOUR SECURE CONTAINERS AND ENTERPRISE CONTENT CHECK POINT SANDBLAST ZERO-DAY PROTECTION: THE BEST PROTECTION AT EVERY LEVEL THE TOP 6 CYBER SECURITY THREATS TO IOS DEVICES THE TOP 4 CYBER SECURITY THREATS TO ANDROID MOBILE DEVICES 3 STEPS TO IMPLEMENTING AN EFFECTIVE BYOD MOBILE SECURITY STRATEGY EXPOSING THE UNKNOWN: HOW SANDBOXING TECHNOLOGY FIGHTS MODERN THREATS THREAT RESEARCH: TARGETED ATTACKS ON Enterprise ENTERPRISE MOBILE
Check Point: Demystifying Mobile Security Attacks | White Paper IOS MALWARE DELIVERED USING FAKE ENTERPRISE OR DEVELOPER CERTIFICATES WHAT IT DOES AND HOW IT WORKS iOS malware delivered using fake certificates is malicious software installed on a device using the Apple iOS operating system (OS) that is accompanied by certificates validated by Apple that actually represent a trusted organization that has been compromised. Ever heard of Sutxnet, Flame and Bit9 attacks? – they used a method similar to this. INFECTION VECTORS – HOW IT ‘GETS IN’ Apple grants two different 3rd party certificates to organizations that agree to adhere to Apple’s guidelines. They are: 1. Developer certificates, which allow developers to test their apps before they go public on the Apple app store. DAMAGE IT CAN CAUSE This malware can be used to do almost anything. It can act as a remote access Trojan, with a surveillance toolkit that may enable the attacker to steal passwords, emails, calendar records and geolocation, in real time. It can even activate the microphone to listen in on conversations and meetings. HOW TO DETECT AND PREVENT IT DETECT: You need Device Risk Assessments that can detect iOS apps on the device that are using stolen or fraudulent Enterprise/Developer certificates. PREVENT: You need OnDevice Remediation that can block or remove fraudulent certificates to eliminate the attack. 2. Enterprise certificates, which provide organizations the opportunity to establish their own, in-house marketplace for dedicated apps. Behind the scenes, Apple validates an app is signed by a trusted certificate before allowing it to be side-loaded (which means it’s not installed through the App Store) on the device. If an attacker is able to obtain a certificate they can use it to validate their malware and install it on any iOS device without passing it through the vetting process in the App Store. A user can then be lured to download their seemingly harmless app. (Note, given the volume of apps, it is very difficult for Apple to monitor the use of certificates, as a result, attacks have started to emerge, such as FinFisher mRAT that use these certificates.) CONTACT US Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com ©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] March 30, 2015 3 Check Point: Demystifying Mobile Security Attacks | White Paper IOS MALICIOUS PROFILES WHAT IT DOES AND HOW IT WORKS INFECTION VECTORS – HOW IT ‘GETS IN’ An attack that uses a configuration file for iOS that can re-define system functionality parameters, such as device, mobile carrier, mobile device management (MDM) and network settings. A profile can circumvent device and or application security mechanisms, which is why it’s an attractive target for attackers. A user may be tricked into downloading a malicious profile and, by doing so, unknowingly provide the rogue configuration the ability to re-route all traffic from the mobile device to an attackercontrolled server, further install rogue apps or even decrypt communications. A profile can also be loaded by an attacker, who gains physical access to the device. DAMAGE IT CAN CAUSE A malicious profile circumvents typical security mechanisms, so it can be used to do almost anything. It can enable the attacker to steal passwords, emails, all data stored or passed through the phone, calendar records and geo-location, in real-time. HOW TO DETECT AND PREVENT IT DETECT: You need Device Risk Assessments that can detect rogue iOS profiles or profiles that have been altered on the device. Behavioral Application Analysis can also be used to identify profiles that exhibit abnormal or suspicious activity. PREVENT: You need OnDevice Remediation that can block or remove malicious profiles to eliminate the attack. IOS SURVEILLANCE AND MOBILE REMOTE ACCESS TROJANS (MRATS) WHAT IT DOES AND HOW IT WORKS INFECTION VECTORS – HOW IT ‘GETS IN’ iOS mRATs are malicious software installed on a device using the Apple iOS operating system (OS) that gives an attacker the ability to remotely gain access to everything stored and flowing through the device. These attacks typically take advantage of a device that has been jailbroken, which means all the built-in iOS security mechanisms have been removed. It’s not unusual for iOS users to jailbreak their own device, so they can install any iOS application they want, not just the ones that are from Apple’s proprietary store. Attackers can also jailbreak an iOS device themselves, by physically obtaining access to the device or propagating the jailbreak code from a compromised computer through a USB cable. Once jailbroken, attackers can install the surveillance or spyphone application of their choice, or disguise it in an application from a third party app store for an unwitting user to download. CONTACT US DAMAGE IT CAN CAUSE mRATs can act as a remote access Trojan, with a surveillance toolkit that can enable the attacker to steal passwords, corporate data and emails, as well as capture all keyboard activity (keylogging) and screen information (screen scraping). They may also activate the microphone to listen in on conversations and meetings, or act as a botnet to steal contacts or text messages (SMS texts). HOW TO DETECT AND PREVENT IT DETECT: You need to conduct Device Risk Assessments to detect those devices that have been jailbroken and then investigate the actual behavior of the communication on the device. PREVENT: You need both On-Device Remediation and Network-based Mitigation to actively block traffic and contain the mRAT. Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com ©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] March 30, 2015 4
