The next time you open your smartphone, be sure that you know what it’s doing behind the scenes. Attackers have been infecting desktop computers for years with malware that enlists them into botnets, hijacking them and placing them under someone else’s control. Now, the proliferation of mobile and tablet devices, along with their increasing power, has made them prime targets too. 

Tens of millions of devices have been infected and ordered to carry out tasks on the attackers’ behalf, undetected by their owners. The era of mobile hijacking is here.

The problem has become increasingly visible to experts recently, explains Dan Waddell, managing director, North America region at (ISC)². “Over the past six years, the category of ‘application vulnerabilities’ has maintained its position as the top security concern in the (ISC)² Global Information Security Workforce Study, and mobile devices has been in the top five,” he says.

“The main thing is to steal credentials,” says Solomon Sonya, an assistant professor of computer science at the U.S. Air Force Academy (USAF). Sonya, who has also been an officer in charge at the Air Force Computer Emergency Response Team (AFCERT), presents on mobile security and authored a proof of concept mobile botnet client called Splinter in 2012. 

Just as with regular botnets, stealing credentials is a common tactic for malicious applications that hijack smartphones, he says. “So many users will still check their bank accounts on their phones, log into Facebook, and log into their email, which is just as juicy as a bank account.” The reason: an attacker with email access can reset passwords for countless online services. 

Mobile application hijacking shares another common payload with traditional desktop botnets: advertising fraud. Online advertisers pay people displaying their ads when visitors click on them, but they often don’t distinguish between legitimate and illegitimate publishers. Malicious applications will digitally simulate users without their knowledge, artificially “clicking” online advertisements, using up computing resources and bandwidth on the victim’s phone to earn money for the malware authors. 

“The actors behind these malicious advertising families are well funded, and have their own internal app development teams that are dedicated to creating unique applications to lure users into installing their applications,” says Andrew Blaich, security researcher at Lookout, which sells mobile endpoint security tools.

A report on ad-serving apps from anti-ad fraud firm Forensiq revealed that these ads will often call online ads as often as 20 times per minute, compared to legitimate apps that call new ads twice a minute at most. They will also access affiliate links to generate revenue for the attackers from those sources.

Some malware also hijacks other legitimate applications running concurrently on the device to show its own ads. For example, NoIcon, a component of the YiSpecter malware found on iOS devices, detects apps running on a device and then uses another malware component, called ADPage, to show full-page ads for its authors.

Gooligan, a form of malware embedded in Android apps downloaded from third-party app stores, focuses on mobile app advertisements. After obtaining root access to the phone it simulates user clicks on advertisements for legitimate apps, and then uses Google Play store account credentials stolen from the phone to install them. The attackers then gets a fee from the unwitting ad network.

OUR EXPERTS: 
Smartphone smarts

Andrew Blaich, security researcher, Lookout
Rob Labbé, director of information security, Teck Resources
Tammy Moskites, CIO & CISO, Venafi; former CISO, Time Warner Cable
John Douglas, director of product strategy, Sizmek
Solomon Sonya, an assistant professor of computer science at the United States Air Force Academy
Dan Waddell, managing director, North America region at (ISC)²
Rob Wood, principal consultant, NCC Group

Ad fraud using malicious apps is endemic. Forensiq’s report analyzed 5,000 apps flagged for ad fraud over 10 days and found more than 12 million unique devices running at least one of these apps. That puts them on around one percent of all the phones in the U.S. and two to three percent of those in Europe and Asia. 

These malicious applications will typically run as a background process on the phone, booting at startup, which makes them difficult to detect. They can be installed in various ways. Sideloading – installing tempting applications from unapproved third-party app stores – is one method. Deliberately jailbreaking or “rooting” phones to install ad hoc, unapproved applications – is another. Both are inadvisable.

Even applications that have been scanned and approved by Google or Apple can be dangerous, though. Sonya recalls the Android/Mapin trojan embedded in many games. “It would wait between one and three days before the malicious payload would execute on the machine,” he says. That makes it hard for automated scanners to spot.

Another approach is simply to compromise the software tools used by a legitimate developer, turning them into your unwitting pawn. That’s what happened with XcodeGhost, a malware attack that hit dozens of applications in 2015.

“XcodeGhost embedded itself in the integrated development environment for writing Apple’s products,” Sonya recalls. Attackers released a version of the Xcode IDE on Chinese forums, promising faster downloads than Apple’s official version, but it added malicious code when they compiled their iOS applications for submission to Apple.

“Many applications were compromised with additional code injected into it from XCode Ghost,” he continues. At the time, experts worried that hundreds of millions may have downloaded the compromised apps, which included regional versions of WeChat and Angry Birds 2.

Others have attacked Apple devices by using an enterprise developer account, which provides digital certificates intended to distribute in-house applications. Some attackers (such as the developers of YiSpecter) have misused these certificates to distribute malware more widely. It also enabled them to use otherwise-unavailable private application programmable interfaces (APIs) in iOS to perform more sensitive operations, such as masking their programs. 

There have been several examples of malicious mobile apps circumventing Apple and Google’s scanners to hijack innocent users. Apple’s scanning system overlooked AceDeceiver, a family of malware apps, seven times, according to researchers at Palo Alto Networks. 

Attackers then capture the authentication codes provided by Apple when installing these apps and provide them to a malicious PC client that pretends to be Apple’s iTunes software. The software then uses the codes to install the apps without the user’s knowledge on iOS devices connected to computers running that software.

The ramifications of mobile hijacking can be dramatic for different stakeholders. Ad fraud is a drain on the advertising industry, according to the Internet Advertising Bureau, which researched the issue in conjunction with EY. It found that invalid traffic is costing the U.S. online advertising industry $4.4 billion per year – more than its combined revenue losses from ad blocking and pirated content.

Aside from the direct security implications of stolen credentials, users also suffer from ad fraud because of the computing and bandwidth resources used up by the secretive ad-clicking used by the apps. Forensiq estimates that a typical malicious app can use up to 2Gb of data per day, chewing up data plans and battery life. 

Protection?

How can CISOs protect their users – and their organizations – from mobile hijacking? The bring-your-own-device (BYOD) trend has blurred the lines between individual and organization, points out Sonya, making consumers a threat vector for their organizations. 

“The person is the main focus because they’re easier to fool,” he says. “People love to download those free games and apps. Once you’re on that network I would spread out.”

This is precisely what Dresscode, a malware strain found in hundreds of certified Google Play store apps, has been doing. The malware links an infected Android phone into a botnet that can be directed to click on ads. It also allows attackers to control the phone while connected to a corporate network and download files, a study from Check Point reported.

“CISOs are aware of this problem but they are always trying to balance employee and business productivity against security,” points out Tammy Moskites (left), CIO & CISO at Venafi, and  former CISO at Time Warner Cable.  

“In most cases, organizations have decided that the security risks associated with BYOD are outweighed by the productivity benefits for employees so they are looking for other ways to mitigate the security risks,” she adds.

What are those other measures? Installing anti-virus software onto mobile devices can’t hurt, but don’t rely on it. “While AV software can detect some of these rogue apps, it is consistent with our research that the majority go undetected by such software,” says , which sells products to help companies create and manage online advertising campaigns. “AV providers also need to make ad fraud detection more of a priority in their own business models.”

Other evidence shows that mobile AV is an art rather than a science. Palo Alto Networks found that of 57 security vendors in VirusTotal, only one detected YiSpecter after 10 months in the wild. 

Sonya agrees that AV isn’t enough. He only began noticing anti-virus tools detecting the first version of his Splinter botnet in 2015 – three years after he wrote it as a proof of concept and uploaded to VirusTotal. 

In any case, trying to control security on mobile devices that you don’t own is a fool’s errand, suggests Rob Labbé, director of information security at Canadian metals and mining company Teck Resources.

“Make sure the secure decisions are made in a place you can control,” says Labbé, who proudly highlights his use of mobile data management as a management rather than a security tool. 

“It’s a security design mistake to have security decisions made on the client,” he says, adding that the trick is to assume these devices are already compromised. “One can argue that it’s a bigger mistake when that client’s on mobile, but it was a stupid idea to begin with.”

Mark Walton, director of IT security, South Western Utah University, stays equally paranoid about unknown devices. “Any non-IT issued device is untrusted, and thus is limited as to what kinds of information it can access,” he says. “For extremely sensitive data, we’re moving to a VDI model where we have more control over the environment, and have policies concerning where sensitive data can be accessed and stored.”

As mobile devices look increasingly like computers, we’re headed to a world where people spend more time using them for business and personal purposes than they do using desktop operating systems. Mobile hijacking is now a mainstream trend – and it shows no sign of stopping.

[sidebar]

Stingray

Malicious apps aren’t the only things that are eavesdropping on mobile data these days. Cell site simulators, otherwise known as IMSI catchers, are hardware devices that fool cellphones into divulging their secrets. 

Cell site simulators conduct a man in the middle (MITM) attack on a cellphone by impersonating a cell tower.

“In doing so it has access to all of the data your phone sends or receives in plaintext, and often much of the encrypted traffic,” says Rob Wood (left), principal consultant at NCC Group, a global cybersecurity and risk mitigation provider. “The controversy is that these devices are not always selective in which devices they affect, so are classified as mass-surveillance.”

IMSI catchers can triangulate the location of phones in the area, but may well be able to listen in on text messages and other communications from phones that connect to them, due to the way that modern communication systems work. Encryption only exists between the phone and the cell tower, which can often dictate the type of encryption used during the session, if any. The NSA has demonstrated the ability to decrypt certain cellular encryption protocols.

The Stingray the common brand name for IMSI catchers, is produced by U.S.-based Harris Corp. and has been used by the FBI since at least the mid-90s. Local law enforcement in many states also use the devices. So secretive is the use of this technology that the FBI has moved to dismiss cases in which details of the technology may be exposed. However, reports suggest that IMSI catchers can be built by anybody with a moderate degree of technical expertise.