3. Mobile malware
• First malware for mobile platforms around 2004
• Symbian – most prevalent
• JavaME – still being developed
• WinCE – very few samples
• iOS – few instances in 2010, 2011
• Android – big growth in the number of malware samples
4. Android environment
• Platform popularity (75% of new smartphone sales)
• Adding applications to Google Play is easy
• Alternative Android application markets
• Forums and file sharing sites
• “Cracked” and repackaged apps
• China, Russia
• Android app landscape similar to Windows
17. Android malware ItW
[Pie chart: Android malware reports per country. Slices shown: United States, China, India, United Kingdom, Germany, Brazil, Italy, Spain, Mexico, Netherlands, Switzerland, Romania, Republic of Korea, Costa Rica, Argentina, Cyprus, Venezuela, Peru and Others; individual shares range from 1% to 17%.]
18. Android Malware
[Bar chart: Android Threat Exposure Rate by country, y-axis 0.00% to 14.00%. Countries shown: Australia, Brazil, United States, Others, Malaysia, Germany, India, France, United Kingdom, Iran.]
20. Securing mobile devices
• Platform and device diversity
• Compliance for access to corporate data
• Device security
• Application security
• IT productivity
21. Diversity
Use an MDM framework to manage all major smartphone and tablet types from a single console
• Apple iOS
• Android
• RIM Blackberry 5.x, 6.x
• Windows 8?
22. Compliance
• Compliance enforcement
• Best practice in configuration
• Best practice in app security
• Protecting enterprise assets
23. Compliance Enforcement - Basics
[Diagram: device sends status to the MDM server, which validates the rules; the EAS proxy in front of Exchange controls mail access.]
24. Device & data security (loss)
• Remote Lock and/or Wipe
• Auto-wipe after a number of failed login attempts
• Locate lost or stolen phone
• SIM change notification/wipe
• Device encryption !!!
25. Application security
Enterprise App Store for recommended apps
• Recommend supported apps
• Enforce required apps
• Distribute homegrown apps
• Help for the agnostic user
• Limit the risk of too many used apps
Keep OS and apps up to date
• Easier with apps
• Difficult (for Android) for OS
26. IT Productivity – remote and OTA management
• Define password policy and lock period
• Control installation of apps
• Block use of camera, browser, Youtube, …
• Send text notification to client
• Manage endpoint security/anti-malware software
• Prevent jailbreaking
• Blackberry most suited for fine tuning, then iOS, Android
27. Conclusions
• Mobile devices are changing the enterprise
• Diversity (apps rule, not OSes), BYOD
• Android most targeted by malware
• Malware growth to continue
• Malware complexities increase
• Follow the best practice to secure mobile devices
28. Control, secure, protect
Sophos Mobile Control – Mobile Device Management
On-premise or cloud-based solution to manage, control and protect mobile devices.
Enable BYOD without the risks
Sophos Mobile Security – Anti-Virus for Android
Scans for malicious data-stealing apps and provides loss and theft protection. Free download.
Protect devices from Android malware
Sophos Mobile Encryption – Mobile Data Protection
Extends SafeGuard Encryption for Cloud Storage to mobile devices – iOS or Android*
Ensure persistent encryption
* Android version available late September 2012
29. Complete Security
[Product matrix. Columns: Endpoint, Web, Email, Data, Mobile, Network. Rows: Reduce attack surface; Protect everywhere; Stop attacks and breaches; Keep people working. Cells listed: URL Filtering, Web Application Firewall, Endpoint Web Protection, Encryption for cloud, Data Control, Access control, Automation, WiFi security, Anti-spam, Patch Manager, Mobile Control, Virtualization, Anti-malware, User education, Visibility, Local self-help, Application Control, Mobile app security, Clean up, Technical support, Device Control, Secure branch offices, Intrusion prevention, Firewall, Encryption, Live Protection, Email encryption.]
30. Staying ahead of the curve
US and Canada
1-866-866-2802
NASales@sophos.com
UK and Worldwide
+ 44 1235 55 9933
Sales@sophos.com
facebook.com/securitybysophos
Sophos on Google+
linkedin.com/company/sophos
twitter.com/Sophos_News
nakedsecurity.sophos.com
Editor's Notes
There are a few things which make malware for Android more common than for other platforms. Adding new applications to the market is easy and Google’s process for controlling the functionality of applications is not very strict. It is very easy to become an Android developer and publish an application. It is very easy to decompile an application, change its functionality and repackage it as a completely new (effectively stolen) application. Installation from third-party sites is possible. There are a number of alternative Android markets for applications, including ones set up by network providers and other well-known companies such as Amazon. In addition to that, cracked applications are shared on many Android-related forums and file sharing web sites. Piracy is a major problem. An article on Forbes states: “The costs of piracy are very real. One-in-three developers say they’ve lost more than $10,000 in revenue due to piracy. 32% say piracy increases their support costs. One-in-four say piracy increases their server costs, with all those extra users piling onto their servers.” There is a significant number of alternative markets in China, which is currently the main source of malicious applications. Overall, the situation with Android applications is very similar to the early days of Windows and, considering that, it is not surprising that we are seeing increasing numbers of Android malware in our labs.
Most of the Android malware variants we have seen (around 100 at the moment) have been written this year, though some of them appeared last year as well (the first ones in 2009). There is at least a 500% increase year over year, but the numbers are still very small compared to the numbers of Windows malware. The most significant malware attacks are the ones that successfully infiltrate the original Google Marketplace. The most well-known example is Droiddream (March 2011). Attackers managed, using three Android developer accounts, to plant over 50 trojanized applications into the original market. Droiddream uses 2 privilege escalation exploits (one for the Linux kernel, one for Android) to obtain root access on the device and integrate with the operating system; it then collects potentially confidential information from the phone and sends it to the malware writers.
Interesting for tactics similar to Windows malware (fake installers, fake antivirus software), but also because the files are dynamically built as they are served to the user, which achieves a very crude server-side polymorphism. A technique used to morph the APK file is to include a random number of images of .... See next slide.
This scary-looking dude. We thought at the beginning that this may be the virus writer (although that would be quite stupid on his side). It turns out this is the original photo from a wedding in Fryazino. This image was published on one of the popular forums sometime in 2006 and became a major Russian internet meme, with people adding the witness to many photos and occasions, such as (see next slide).
Examples of some work including the Witness from Fryazino.
The principle of the compliance check is very simple. Compare information from the device against a set of rules. If any of the rules is violated, the device is not compliant. In this case, the device will be highlighted to the administrator. Optionally, a mitigation and enforcement rule can be executed and any further e-mail to the device will be blocked in the EAS proxy.
• Pjapps-C is a detection for applications that are cracked. Not necessarily malicious, but cracked using a dodgy tool. Most probably illegal – PUA.
• Bbridge-A is a detection for data-leakage and SMS-sending malware; it uses HTTP to connect and send the data to a malicious (C&C?) server.
• Generic-S is a Labrules bucket.
• BatteryD is another PUA which purports to be an app that saves battery consumption but is aggressive adware that may leak some personally identifiable information.
• DrSheep-A is a hack tool which allows an attacker to hijack sessions on the same wireless network if a web app is not using HTTPS (e.g. works for LinkedIn at the moment). Similar to Firesheep.
• DroidRt-A is an app containing a privilege escalation exploit, potentially used to root the device.
• Opfake is a fake Opera installer; real malware, finally.
• Boxer is real malware (see next few slides); installs additional (malicious or non-malicious) packages and sends SMS messages to premium line numbers (depending on the country).
• Faceniff is a Facebook session sniffer (not sure how it works), but it is a hacking tool I think.
So if you’re looking at your mobile strategy, think of your mobile devices as portable computers – but with additional risks, so you need to use more than just mobile device management to protect them. We have various tools to help you do that.
Complete security means we don’t just detect threats, we:
• Reduce the attack surface – We address the things that bring risk, like vulnerabilities and applications.
• Protect everywhere – We make sure your users are protected wherever they are and whatever device they’re using.
• Stop attacks and breaches – Of course we can detect and prevent threats and data loss. But we’ve moved beyond signatures with innovations like Live Protection, which means we can stop new threats instantly.
• Crucially, we Keep people working – Both your users and the IT team. We engineer our products to simplify the tasks that take too much time today, like cleaning up infections and recovering forgotten passwords.
So, as the threats and the ways that we use IT for work evolve, so does your protection. We stay on top of them, to simply give you all you need to stay secure. We engineer our products to work better together. And we look for opportunities to unify endpoint agents, gateway defenses, security policies and intelligence so it’s even easier.
• Agents – for every device, combining security to maximise protection and performance
• At the Gateway – virtual or hardware appliances and software options that match your protection priorities and size
• Through Policies – We let you create a policy once, and apply it anywhere to give you consistent protection and user experience
• From our Labs – our experts have visibility of all aspects of security threats and use that expertise to actively fine-tune your protection for you and deliver instantly from the cloud