A global conglomerate had 75 percent of its mobile devices infected by a variant of the Cerberus Android banking trojan after an attack compromised the company’s mobile device management (MDM) server and used it to spread the malware.
In a company blog post report, Check Point Software Technologies identifies MDM as a fairly novel malware distribution attack vector, noting that it’s the “first time we have a reported incident” of this nature, whereby an MDM solution is abused to push out malware to devices.
For the record, instances of MDM abuse have — at least on a limited basis –been reported previously, as demonstrated here. Nevertheless, with businesses leaning heavily on mobile devices and MDM solutions during the COVID-19 crisis, the threat of potentially seeing a string of copycat attacks in the future is likely much greater than before.
Check Point does not name the victimized company, nor the MDM solution that was abused. Typically, MDM solutions are designed to help IT and security professions monitor, manage and secure devices across a mobile work environment, and to reduce complexity where there is a mixture of mobile service providers and operating systems in an ecosystem.
For that reason, if an attacker manages to subvert these mobile protections and infiltrate a company, the ramifications can be highly damaging. That’s why Check Point is urging MDM users to understand the difference between simply managing and actually securing mobile devices — a sentiment echoed by other experts as well.
“MDM’s most prominent feature, arguably the reason for its existence, is also its Achilles’ heel – a single, central control for the entire mobile network,” says the Check Point report. “If that platform is breached, so is the entire mobile network.”
“While MDM offers an easy way to manage those devices, security cannot be ignored… They need to be protected as any other endpoint as they offer a tempting target,” the report continues.
“MDMs are just management tools. They have no way of analyzing if something bad is on the device. That is what MTD [Mobile Threat Defense] is for, said Kern Smith, VP of engineering for the Americas at Zimperium, in an interview with SC Media. (Zimperium is a provider of MTD solutions, as is Check Point.)
“…[O]ther than looking at how the attacker was able to gain access to the MDM (authentication, credential compromise, etc.) there is not much one can do once that initial breach as been made — unless you have MTD on the device to detect that the attackers were now pushing down or installing malware on the managed devices,” Smith continued.
“While MDM does have its functions, help administrators push policies, install applications, and lots of managing options, it does not provide security services,” explained Aviran Hazum, analysis and response team leader at Check Point, in an email interview with SC Media. “No dynamic or static analysis of applications, no signature mechanisms, no network traffic inspection. If this was an ‘anti-virus for PC’ that didn’t have those basic security services, no one would install it on corporate workstations and say that they are protected.”
The incident cited in the blog post report was discovered last February, when Check Point detected a pair of malicious applications installed in automated fashion on a large number devices operated by one of the cyber firm’s customers.
While the researchers ultimately identified the malicious payload as being in the Cerberus malware-as-a-service family, they observed additional remote access trojan capabilities as well.
The variant is capable of exfiltrating sensitive such as user credentials, log keystrokes, steal Google Authenticator data and Gmail passwords, capture or send SMS messages, make calls, install or uninstall applications, command devices remotely through TeamViewer, and more. Some of this functionality is made possible by forcing the user to update permissions for the Accessibility service, the researchers noted.