This year was a prolific one for threat actors, who focused on writing sophisticated code and building on existing threat families, and used familiar distribution techniques.
We’ve boiled down 2016 into five significant mobile threat-types that enterprises and individuals alike should know about. We look at a serious, targeted iOS threat; malware that roots victims’ devices; a particularly “risky” app; threats that put on a mask to trick individuals; and the litany of mobile vulnerabilities we saw this year.
Check out the recap of the most important 2016 mobile threats:
The targeted iOS threat
Targeted attacks are often the most sophisticated and concerning anywhere, but the Pegasus spyware from August topped the list. Pegasus is an iOS threat that used three — now patched — zero-day vulnerabilities, which Lookout named “Trident,” to root the victim’s device and begin spying. Its capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others.
This threat alone made 2016 a landmark year for mobile attacks. Arguably, Pegasus is the most sophisticated threat we’ve ever seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile: always connected (Wi-Fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists, all in one device.
The Lookout research team worked closely with partner Citizen Lab to notify Apple and close the vulnerabilities, rendering this version of the spyware inoperable.
The rooting-malware threat
Malware authors continued to root devices in 2016. With root access, malware authors have greater leverage over a device, which is concerning for any person or business wanting to protect sensitive data.
One new family popped up and one large family evolved into new variants this year:
- LevelDropper, a new family we found in the Google Play Store, also stealthily rooted devices and went on to install further applications — many of them — to the victim’s device. We worked with Google to remove the malware, but auto-rooting malware remains one of the threats CISOs should pay attention to in 2017, since it covers the full spectrum of risk from annoying adware to malicious spyware.
The risky app
Risky apps are not as straightforward as malware, but they are just as important to an enterprise concerned with malware. A risky app may not itself be malicious, but may perform actions that make an enterprise uncomfortable. For example, we discovered an app called “CAC Scan” in the Google Play Store (Google has since removed the app). “CAC” is short for “Common Access Card,” which is the standard identification card for Department of Defense (DoD) personnel. The app claimed to “scan the front of a CAC to get the cardholder’s first name, last name, middle initial, rank, full social security number, and [DOD ID].”
In order to make sure that this was not a piece of malware, Lookout’s automated systems analyzed it and found that it did not execute any malicious behavior. Additional analysis (including a detailed manual teardown) confirmed that the app does not contain any malicious behavior. In fact, the app is deceptively simple and contains very little code.
Though the app itself didn’t exhibit malicious behavior, it was of large concern to the DoD, which wrote in a response, “We cannot see any valid reason to use this app and the OPSEC/privacy implications are disturbing. It could be used to compromise PII on unsecured or stolen CACs.”
The app proved that mobile security goes far beyond just malware detection. There may be software on mobile devices that isn’t inherently “bad,” but may pose serious risk to an enterprise or a government agency.
Putting a wolf in sheep’s clothing is probably one of the most classic distribution schemes for mobile malware, and 2016 showed no shortage of malicious apps pretending to be something they aren’t.
In May, we reported on five mobile malware families that often impersonate enterprise apps by ripping off the legitimate app’s name and package name. These apps included Cisco’s Business Class Email app, ADP, Dropbox, FedEx Mobile, Zendesk, VMWare’s Horizon Client, Blackboard’s Mobile Learn app, and others.
Attackers also took advantage of the holiday shopping season by creating fraudulent iOS apps that posed as legitimate brands, such as Uggs. We saw a number of these fake apps pretending to be from a specific brand, but really stealing information, such as credit card numbers. Good Morning America featured Lookout Security Researcher Andrew Blaich on the topic.
We also reported on Acecard, a banking trojan that pretended to be a “Black Jack” game app. Once on the device, Acecard silently downloaded a secondary app that displays windows over legitimate banking apps and other popular apps such as Facebook and Skype to trick people into entering their online banking credentials and credit card information.
Attackers also targeted international travelers, posing as an Embassy search tool intended to help travelers find embassies abroad. The app, which Google removed from the Play store, is a variant of Overseers, which is capable of gathering and exfiltrating sensitive information such as contacts, location information, a list of the apps installed on the device, device memory, IMEI, and other device-specific information.
Shortly after the wildly popular Pokemon Go game was released, we saw a number of fake versions pop up that ranged in malicious activity. Some had a Trojan injected into it, some contained adware, and one tried to gain device admin privileges.
Vulnerabilities, or flaws in software code, impacted both iOS and Android devices in a big way this year.
In August, researchers discovered a serious vulnerability in TCP that Lookout determined also affected around 80 percent of Android, or around 1.4 billion devices, based on an install base reported by Statista. The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims, raising concerns for enterprises since attackers were able to spy without executing traditional “man-in-the-middle” attacks.
DirtyCow and Drammer, two distinct Android vulnerabilities we reported on in November, allowed an attacker to root or completely compromise a device.
Quadrooter also made headlines in August. It was a collection of four significant vulnerabilities in Android phones using Qualcomm chipsets, meaning it impacted a significant number of devices. As the name suggests, attackers could use the Quadrooter vulnerabilities to root a device.
Vulnerabilities don’t solely impact operating systems — any software can have flaws in it, and that includes mobile applications. Ahead of this year’s Black Hat conference, Lookout looked into the event’s app and found a concerning flaw as well. The app, which would allow people to sign up, build a profile, and communicate with other attendees, was set up to allow anyone to sign up as another individual, effectively impersonating someone else. Black Hat was able to disable the social components in the app ahead of the conference.
A year of mobile threats
Mobile threats are not an “if” story anymore. New mobile threats and malware variants get traction every month of the year, but you don't have to play whack-a-mole with mobile threats. Lookout Mobile Endpoint security enables your team to get control and to have complete visibility into the full spectrum of mobile risks and integrates seamlessly with major EMM/MDM solutions. Learn more by contacting Lookout today.
Here’s to another year of blocking nasty software and keeping private data private.