If mobile threats diversified and expanded in 2016, they matured in 2017. Mobile ransomware continued to rear its head, burgeoning into the platform’s most prevalent threat. Simple screenlockers, for instance, evolved into file-encrypting malware, some of which even seemed to keep pace with their desktop counterparts in terms of malicious routines.
Banking Trojans are now more heavily obfuscated and can phish credentials for their target banks in real time. Adware, once a nuisance at best, now steals data beyond user browsing habits. Targeted attacks also became more noticeable, shedding light on how mobile devices have been used in cyberespionage campaigns going as far back as 2011. The learning curve does not appear to be steep: cybercriminals weaponized proof-of-concept exploits and repurposed publicly released source code into new variants with varying capabilities.
Mobile threats are also joining the cryptocurrency-mining bandwagon, a sign of things to come in the platform's threat landscape. Miners are no longer afterthoughts, as they apparently were when Bitcoin, Litecoin, and Monero first appeared. Cybercriminals now rehash grayware, hijack the device's processing power, conscript devices into botnets, and ultimately make unwitting victims part of the problem.
More conspicuously, they found more ways to elude detection and persist on an affected device by further obscuring their malicious routines and hiding behind legitimate services (or posing as one). As smartphones add features and become more connected with other devices, their attack surface grows and the impact of a single design flaw or vulnerability is magnified. We delved into 2017's most notable threats to see what lies ahead in the mobile landscape, and what users and organizations can do to navigate it in 2018 and beyond.
Mobile ransomware soared by 415% in 2017
Mobile ransomware still cannot match its desktop counterparts in terms of maturity and sophistication, but the spate of screen-locking and file-encrypting mobile malware in 2017 shows why it will remain a cybercriminal staple. In 2017, Trend Micro's Mobile App Reputation Service (MARS) sourced and analyzed 468,837 unique mobile ransomware samples, which is 415% of the unique samples for all of 2016.
Unique mobile ransomware samples analyzed via Trend Micro MARS in 2016 and 2017
Country distribution of mobile ransomware detections in 2017
What caused the dramatic increase? SLocker (Simple Locker) is a case in point. It is the most pervasive mobile ransomware, comprising 424,200 unique samples in 2017 alone — and it’s unsurprising. SLocker’s source code was released publicly on GitHub, putting one of the oldest mobile ransomware families into more cybercriminal hands. The result: ever-increasing iterations of SLocker in the wild, each with varying capabilities and ransom demands. The SLocker version that mimicked the infamous WannaCry, for instance, was developed using an Android development environment that can serve as a do-it-yourself kit that budding cybercriminals can abuse to automatically create their own file-encrypting Android application packages (APKs).
Other new entrants last year demonstrated how mobile ransomware is evolving beyond locking screens and scrambling files. LeakerLocker, for instance, kicked extortion up another notch by threatening to send personal data to the victim’s contacts. We also saw variants of SLocker that use speech recognition instead of codes that have to be keyed in to unlock the device. Victims had to scan QR codes to see the ransom amount, while some cybercriminals left messages on the device's social network service on how to create their own ransomware, essentially enticing victims to become cybercriminals themselves. Others were more furtive, abusing Android’s Accessibility feature to deliver their malware. To further monetize the ransomware, some would also subscribe the device to attacker-specified, premium-rate SMS and calling services.
Vulnerabilities and exploits were more prevalent and more severe in 2017
While operating systems are designed with security mechanisms in place, no platform is impervious — and mobile devices are no different. Added mobile device features expose them to bigger security gaps with potentially greater impact. This is exemplified by the increased number of iOS/macOS and Android vulnerabilities Trend Micro disclosed in 2017 compared to 2016.
The severity and real-world implications of vulnerabilities were accentuated in 2017 with the disclosure of BlueBorne, Key Reinstallation Attack (KRACK), Toast Overlay, and Janus. BlueBorne, a set of flaws in Bluetooth implementations, affected as many as 5.3 billion Bluetooth-enabled devices, including those from Google and Apple. KRACK, an attack on the four-way handshake of the Wi-Fi Protected Access 2 (WPA2) protocol that tricks a client into reinstalling an already-used key, reportedly affected iOS and 41% of Android devices. Toast Overlay (CVE-2017-0752) lets an app superimpose seemingly benign windows atop running apps without holding the usual overlay permission, while Janus (CVE-2017-13156) lets an attacker prepend code to a legitimately signed app without invalidating its v1 (JAR) signature, so a trojanized copy can be installed as an update to the genuine app.
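The structural trick behind Janus can be checked with a few lines of code. The following is an added example and not Trend Micro's tooling: a file crafted for Janus is at the same time a valid DEX (DEX header at offset 0) and a valid ZIP (ZIP readers locate the central directory from the end-of-central-directory record at the tail and silently skip anything prepended), and the v1 JAR signature covers only the ZIP entries, so the prepended DEX goes unsigned. The script classifies a blob and measures how many bytes sit in front of the archive. The "APK" is a constructed in-memory ZIP and the prepended DEX is a header-only stub, both assumptions for the demonstration; `classify` and `prepended_bytes` are names chosen here.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"          # first 4 bytes of the 8-byte DEX magic "dex\n035\0"
EOCD_MAGIC = b"PK\x05\x06"    # ZIP end-of-central-directory signature
DEX_HEADER_SIZE = 0x70        # a DEX header is 112 bytes


def classify(blob: bytes) -> str:
    """Return 'apk', 'dex', 'janus' or 'unknown' for a byte blob.

    'janus' means the blob parses as both: DEX magic at offset 0 for the
    Dalvik/ART runtime, and a ZIP trailer for the installer's ZIP parser.
    """
    starts_with_dex = blob[:4] == DEX_MAGIC
    looks_like_zip = zipfile.is_zipfile(io.BytesIO(blob))
    if starts_with_dex and looks_like_zip:
        return "janus"
    if starts_with_dex:
        return "dex"
    if looks_like_zip:
        return "apk"
    return "unknown"


def prepended_bytes(blob: bytes) -> int:
    """Bytes sitting in front of the ZIP, computed the way a ZIP reader does.

    The EOCD record stores the central directory's size and its offset from
    the start of the archive as written; if data was glued in front, the real
    position of the central directory (EOCD position - size) is larger than
    the stored offset by exactly the number of prepended bytes.
    """
    eocd = blob.rfind(EOCD_MAGIC)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    return (eocd - cd_size) - cd_offset


def zip_entries(blob: bytes) -> list:
    """Entry names as the ZIP parser sees them (prepended data is ignored)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()


def build_sample_apk() -> bytes:
    """Constructed stand-in for a v1-signed APK: a ZIP with the usual entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.bank'/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * (DEX_HEADER_SIZE - 8))
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    return buf.getvalue()


def build_janus_sample(apk: bytes) -> bytes:
    """Constructed Janus-style file: a DEX header stub glued in front of the APK.

    A real attack prepends a complete DEX that the runtime loads instead of
    classes.dex; a zeroed header is enough to show the structural trick.
    """
    fake_dex = b"dex\n035\0" + b"\0" * (DEX_HEADER_SIZE - 8)
    return fake_dex + apk


if __name__ == "__main__":
    apk = build_sample_apk()
    janus = build_janus_sample(apk)
    for label, blob in (("clean", apk), ("crafted", janus)):
        print(f"{label}: {classify(blob)}, {prepended_bytes(blob)} prepended bytes, "
              f"entries={zip_entries(blob)}")
```

Both blobs list the same ZIP entries, which is the point: a v1 signature verifier that only walks those entries sees nothing wrong. APK Signature Scheme v2 (Android 7.0 and later) hashes the whole file, so v2-signed updates are not affected; the check above is a triage heuristic for files that arrive as updates to apps still relying on v1.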
Android and iOS/macOS vulnerabilities disclosed by Trend Micro in 2016 and 2017
Exploits take advantage of the windows of exposure in unpatched vulnerabilities such as the recent Spectre or Meltdown processor flaws or those that date as far back as 2015. In fact, many of the rooting exploits we saw actively employed in 2017 were based on two old vulnerabilities: CVE-2015-1805 (iovyroot) and CVE-2016-5195 (Dirty COW). Both are kernel-related flaws that, when exploited, can grant attackers root privileges on the Android device.
The exploits were as rife as they were severe: ZNIU, for instance — the first Android malware to exploit Dirty COW — had over 300,000 samples in the wild, which we detected in more than 40 countries. ZNIU also used iovyroot to target devices running Advanced RISC Machine (ARM) 32-bit processors. iovyroot itself was an apparent successor to the PingPongRoot (CVE-2015-3636) exploit after the latter was fixed.
True to our predictions, exploits of Android's media framework, the component that exposes the multimedia APIs apps use to decode and play content, lessened considerably, especially after Google hardened it in Android 7.0 (Nougat) and later versions. And as in 2016, kernel bugs were the most prevalent security issues in Android last year, including those in drivers from systems-on-a-chip (SoC) vendors Qualcomm, Nvidia, and MediaTek.
Flaws in closed-source firmware were also among the most notable in 2017, such as those in TrustZone, Wireless Local Area Network (WLAN), and baseband components. TrustZone provides the isolated environment in which trusted applications run, while the WLAN and baseband processors handle data transmission over Wi-Fi and cellular networks. At a recent Mobile Pwn2Own event organized by Trend Micro's Zero Day Initiative, participants exploited WLAN and baseband vulnerabilities remotely.
Google addressed the issues by further strengthening kernel security in Android 8.0 (Oreo), such as incorporating more protections in Kernel Address Space Layout Randomization (KASLR), Privileged Access Never (PAN), and secure computing mode (seccomp). The added mechanisms help mitigate remote exploits and raise the bar for exploiting a kernel bug: attackers now have to find more bugs, chain them, and adapt their exploits to achieve code execution in the kernel. Given these countermeasures, we foresee attackers focusing on bypassing them. We also expect closed-source and proprietary components in mobile devices, especially firmware, to be one of 2018's focal pain points, given that they are an ever-present element in today's interconnected devices.
It is also worth noting that the market for jailbreaking iOS devices has markedly declined as the perceived need for it wanes and Apple deploys more security mechanisms in iOS 11. Bug bounty programs are also helping hackers and coders channel their skills toward more productive endeavors. Additionally, the closure of high-profile third-party app stores like ModMyi is diverting attention away from jailbreaking. The practice is not going away any time soon, however: several jailbreak tools were released on GitHub based on two vulnerabilities in Apple's operating systems, CVE-2017-13861, a memory corruption flaw, and CVE-2017-13865, an input validation issue. iOS and Android were also affected by a vulnerability (CVE-2017-11120) in Broadcom Wi-Fi chips that, when exploited, allows an attacker to run arbitrary code on the Wi-Fi chip and from there plant backdoors on the device.
Mobile banking malware is still thriving
Mobile banking has become such an integral part of smartphone users' lives that by 2020 there will be over 2 billion users transacting with banks through their mobile devices. Given the potential income, cybercriminals naturally want a piece of the pie. This is reflected by 108,439 unique banking malware samples Trend Micro MARS sourced and analyzed in 2017, which was 94% more than the total in 2016.
Indeed, mobile banking malware still has a thriving cybercriminal niche even if the industry is already familiar with their main routines. Incidents of theft from Russian bank accounts using mobile banking Trojans in 2016, for instance, reportedly amounted to $6 million in losses.
Last year's mobile banking Trojans are best described as more obfuscated, persistent, and flexible. They blended in with legitimate processes, or masqueraded as one, to stay under the radar, steal more than just credit card data, and bypass security mechanisms. It was a cybercriminal response to Google further strengthening Android's native security, such as deprecating the window types typically used by mobile banking Trojans to overlay their phishing templates atop the legitimate app's login page (Android 8.0 deprecated the TYPE_SYSTEM_ALERT and TYPE_SYSTEM_OVERLAY window types in favor of TYPE_APPLICATION_OVERLAY, which always stays below the status bar and which the user can turn off).
Comparison of unique banking malware samples in 2016 and 2017
Country distribution of mobile banking malware detections in 2017
This behavior was epitomized by BankBot (also known as CronBot and Catelites Bot), a reportedly improved version of open-source malware whose source code was dumped on an underground hacking forum. It emerged in early 2017 and eventually made its way onto Google Play. BankBot's latest versions spoof 160 banks from 27 countries, with one sample alone downloaded 5,000 to 10,000 times. BankBot had anti-signature and anti-sandbox capabilities. It also carried out command-and-control (C&C) communication by abusing Firebase Cloud Messaging, Google's cross-platform messaging back-end service, as a middleman between its C&C servers and its victims' data. BankBot also abused AppsFlyer, a mobile app analytics platform, to steal more information. BankBot's target banks are not hardcoded in its source code; the C&C serves phishing overlay templates in real time, so new banks can be added without updating the malware on the device.
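The capability combination that overlay-phishing banking Trojans need (draw over other apps, an accessibility service to click through prompts and read the screen, device administrator rights to resist removal, SMS access to intercept one-time codes) is declared in an app's manifest, and the ransomware section above notes the same Accessibility abuse. The following added example, which is not Trend Micro's code, is a triage heuristic over a decoded AndroidManifest.xml (as produced by aapt or apktool; the binary manifest inside an APK has to be decoded first). Both manifests below are constructed for the demonstration; `triage_manifest`, the flag names and the scoring are assumptions chosen here, not an Android or Play Protect rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
SMS_PERMS = {"android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the capability set typical of overlay-phishing banking Trojans.

    Returns the package name, one boolean per capability, a plain count as
    score, and a verdict. The verdict is a heuristic chosen for this example.
    """
    root = ET.fromstring(manifest_xml.strip())
    name = ANDROID_NS + "name"
    perms = {e.get(name) for e in root.iter("uses-permission")}
    actions = {a.get(name) for a in root.iter("action")}
    # permissions that components *require* of their caller; the system is the
    # only legitimate binder for accessibility services and admin receivers
    bound = {c.get(ANDROID_NS + "permission")
             for c in list(root.iter("service")) + list(root.iter("receiver"))}
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0

    flags = {
        "overlay": OVERLAY_PERM in perms,
        "accessibility_service": A11Y_BIND in bound,
        "device_admin": ADMIN_BIND in bound,
        "sms_access": bool(perms & SMS_PERMS) or SMS_ACTION in actions,
        # apps targeting API < 23 are granted all permissions at install time,
        # so the user never sees a runtime prompt they could decline
        "legacy_target_sdk": 0 < target < 23,
    }
    score = sum(flags.values())
    if flags["overlay"] and flags["accessibility_service"]:
        verdict = "overlay-phishing pattern"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "flags": flags,
            "score": score, "verdict": verdict}


# Constructed manifest modelled on the capabilities described for BankBot.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Flash Player">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary flashlight app.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["flags"])
```

Treat a hit as a reason to look at the app, not as a conviction: legitimate password managers and assistive apps declare accessibility services, and many SMS apps hold the SMS permissions. It is the combination with draw-over-apps and device admin in an app that has no business needing them that matches what the page describes.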
Targeted attacks gained more traction
The cyberespionage campaigns we’ve seen on the mobile platform last year, some of which are still active, were most likely offshoots, extensions, or separate but related operations of their desktop/PC counterparts. And while they may seem nascent or incidental, their activities revealed that they might have been operating as early as 2011.
These campaigns targeted a number of countries and industries from the Middle East and South Asia to Eastern Europe, leveled against politicians, military and government officials, journalists, and high-profile personalities, including those in the education sector.
AnubisSpy and GnatSpy are notable examples of mobile malware used in these campaigns. AnubisSpy, which snuck its way onto Google Play and third-party app stores, was linked to the Sphinx (APT-C-15) cyberespionage campaign against Middle Eastern targets of interest, in a campaign that may have started as early as 2011. GnatSpy, a variant of the VAMP Android information stealer and an extension of its operators’ campaigns, showed that the group — Two-tailed Scorpion/APT-C-23 — is actively fine-tuning their tactics and techniques.
These campaigns focus on stealing messages, contact lists, photos, audio and video files, as well as spying on calls, camera, and their target’s social media.
Defending against mobile threats in 2018 and beyond
Total number of mobile threats blocked in 2017
The mobile threat landscape of 2017 was riddled with an unprecedented surge of mobile ransomware, a thriving niche of banking Trojans, pronounced cyberespionage-related campaigns, and the permeating, real-life repercussions of security gaps in devices.
The number of malicious applications Trend Micro sourced and analyzed in 2016 and 2017 via MARS
But there is also an unnerving pattern in how cybercriminals and threat actors abuse legitimate services. In 2017, for instance, the number of malicious apps we saw published on Google Play increased by over 30,000 compared to 2016. These threats were harder to detect because they hid behind legitimate, encrypted traffic and normal app functionality. Once installed on the device, they retrieve their malicious payloads, normally obfuscated, from their command-and-control (C&C) servers. They also abuse an expanding range of legitimate services and platform features: network protocols, cryptocurrency-mining scripts, and even Android's own Accessibility and device administrator features. Google addresses these issues through Google Play Protect, which promptly removes malicious apps that violate Play policy and continues to expand its protections across the Android ecosystem.
Indeed, last year’s notable mobile threats are a reflection of the platform’s ubiquity, the nascent technologies that will power them in the long term, and the security risks that come with it. Gartner, for instance, projected that artificial intelligence will be the main selling point for smartphones in the next two years, while behavioral biometrics will upend traditional, password-based authentication to improve security and enrich user experience. And like these emerging technologies, mobile threats will continue to be as diverse as they will be multifaceted.
On a positive note, the threat landscape is also prompting a stronger approach to mobile security — as reflected by initiatives on mobile vulnerability research and proactive coordination with various vendors and platforms. Trend Micro Mobile App Reputation Service, for instance, provides users, organizations, and developers/programmers with application security scanning and resource consumption assessments.
App developers and original equipment and design manufacturers (OEMs and ODMs) are fortunately poised to enforce security by design, go beyond functionality, and incorporate data privacy and security throughout an app's development and operations lifecycle. Everyday users also need to adopt best practices, while organizations, especially those with BYOD policies, must find a middle ground between the need for mobility and the importance of security.