Mobile: Here There Be Monsters

It’s a new, exciting era for Trojan builders. The mobile space in 2012 is a vast, uncharted territory that attracts the talent and creativity of black hats and malware writers like moths to a flame. If you think about it, the entire mobile security space has huge ‘Here there be monsters’ sections where the cartographers don’t really know what to draw. With its own architectures, security models and operating systems, it’s a challenging, yet highly rewarding exercise.

While most Trojan kits are still focused on building scalable, highly effective web-harvesting weapons with a growing arsenal of tricks, demand for mobile-based attacks is growing. It’s been slow, but it’s there. In a few years’ time, Trojan developers who don’t support mobile platforms will go out of business, and I can promise you they have no intention whatsoever of letting that happen.

Plenty of Trojans affecting the popular Android platform have been reported over the last couple of years. Zitmo, a Zeus add-on designed to capture and redirect the SMS messages that carry one-time passwords, appeared in 2010. Similar functionality not tied to the famous Zeus Trojan was reported in the Philippines even earlier. Other Trojans take control of the device so the attacker can run up charges on premium services or long-distance calls, and there is spyware that lets an attacker eavesdrop, pull data off the phone and do other things useful to the attacker.

A new blog post from McAfee shows another step up the evolutionary ladder for mobile Trojans. It’s an Android app that poses as a legitimate one-time-password generator used by Spanish banks but is actually a Man-in-the-Middle Trojan: it steals the login password as well as the OTP, collects some device identifiers, and can also serve as a back door for future malicious applications.
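The two families described above (Zitmo’s SMS interception and the fake OTP generator that also collects device identifiers) share a footprint that can be spotted before the app is ever run: they must ask for the SMS permissions, register a receiver for incoming SMS broadcasts (typically at a priority high enough to see the message before the stock messaging app does), and hold some channel for getting the stolen OTP out. The following manifest triage is an added example written for this post, not code from McAfee or from any of the samples mentioned; it assumes the APK’s binary `AndroidManifest.xml` has already been decoded to plain XML (for instance with `apktool d`), and the two manifests embedded in it are constructed for illustration, not taken from real malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# IntentFilter.SYSTEM_HIGH_PRIORITY: ordinary apps are not meant to go at or above
# this, but SMS interceptors do, to handle the message before the messaging app.
SYSTEM_HIGH_PRIORITY = 1000

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
REDIRECT_PERMS = {"android.permission.SEND_SMS", "android.permission.INTERNET"}
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE"}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Extract requested permissions and SMS_RECEIVED receivers (with priority)."""
    root = ET.fromstring(xml_text)
    perms = sorted(p for p in (_attr(e, "name") for e in root.iter("uses-permission")) if p)
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _attr(filt, "priority")
            try:
                prio = int(raw) if raw is not None else 0
            except ValueError:  # resource reference such as "@integer/x"; not resolved here
                prio = 0
            sms_receivers.append((_attr(recv, "name"), prio))
    return {"package": root.get("package"), "permissions": perms, "sms_receivers": sms_receivers}


def triage(xml_text):
    """Flag the OTP-stealer pattern: reads SMS + SMS receiver + a way to forward the OTP out."""
    info = parse_manifest(xml_text)
    perms = set(info["permissions"])
    findings = []
    if perms & SMS_PERMS:
        findings.append("reads incoming SMS: " + ", ".join(sorted(perms & SMS_PERMS)))
    for name, prio in info["sms_receivers"]:
        note = " (at or above SYSTEM_HIGH_PRIORITY)" if prio >= SYSTEM_HIGH_PRIORITY else ""
        findings.append("SMS_RECEIVED receiver %s, priority=%d%s" % (name, prio, note))
    if perms & REDIRECT_PERMS:
        findings.append("can forward messages out: " + ", ".join(sorted(perms & REDIRECT_PERMS)))
    if perms & IDENTITY_PERMS:
        findings.append("collects device identifiers: " + ", ".join(sorted(perms & IDENTITY_PERMS)))
    suspicious = bool(perms & SMS_PERMS) and bool(info["sms_receivers"]) and bool(perms & REDIRECT_PERMS)
    return {"package": info["package"], "sms_receivers": info["sms_receivers"],
            "findings": findings, "suspicious": suspicious}


# Constructed sample: a fake "token generator" with the interceptor footprint.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.otptoken">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Token Generator">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsInterceptor">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no SMS footprint.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for line in result["findings"]:
            print("  -", line)
```

This is a triage heuristic, not a verdict: a legitimate messaging client will trip the same combination, and a Trojan can use `READ_SMS` polling instead of a receiver, so hits should go to a human or to dynamic analysis rather than straight to a block list.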

Why Android, by the way? Well, security researchers differ in their observations about the relative vulnerability of mobile platforms. In a ‘breaking news – up-to-the-minute hacking threats’ panel I moderated at RSA Conference 2012 we had a lively debate over the matter. Kaspersky Lab’s Roel Schouwenberg maintained that the Android app market, being less controlled, is more fertile ground for malicious apps than other platforms; Kevin Mahaffey, CTO of mobile security company Lookout, argued that no mobile platform can be singled out as particularly tough to hack, and that Android being attacked more can be explained by market forces in the supply of and demand for mobile malware. The ecosystem of Android exploits and malware know-how developed faster than on other platforms, so it’s easier to join the trend.

The new mobile Trojan is more a social engineering attack than a Zeus-style silent Trojan that harvests the device’s traffic. It’s not the long-awaited Zeus for Mobile: it cannot sneak into mobile banking applications and listen in, and it isn’t even designed to capture mobile browsing traffic. It’s a standalone attack that leverages the biggest weakness in the mobile space: the users.

For this to work, you first need to download the app. My colleague Bob Griffin wrote about app monitoring in his review of the RSA Conference Innovation Sandbox; it’s not an easy problem to solve. Then you need to install the app and respond to its social-engineering prompt, which appears not when you bank online but whenever the Trojan decides to trigger it. Still, chances are it will be quite effective: if someone fell for the first step, the download, chances are they’ll fall for the following steps as well.

People’s common sense fails even in the web environment they’ve been using for decades; it’s safe to assume it will fail in the new, highly dynamic mobile environment too. It’s uncharted territory for everyone, and that’s the beauty of it from a cybercriminal’s perspective. We should expect surprises, creativity and feats of social engineering that can only work in these mobile times.

