Ruslan Rakhmetov, Security Vision
More than half of the world's inhabitants have a smartphone. Cellular networks and mobile stations - feature (button) phones, smartphones and other subscriber devices - have gone through stages of evolution from the analogue systems of the first generation (AMPS, TACS, NMT-450/900) through digital standards (D-AMPS, GSM, GPRS, EDGE, UMTS, HSPA) to the familiar 4G (LTE) and 5G networks. The speed of mobile data transmission grew with each new stage of development, and today it can reach 20 Gbit/s. At the same time, computing power grew, storage and screen technologies improved, specialised operating systems were developed, and subscriber devices became more convenient and easier to use - as a result, today we have the smartphones we are all familiar with.
Back in 2016, the global number of mobile internet users exceeded the number of users of stationary access to the network - for most people, the capabilities of a smartphone are enough to solve everyday tasks, especially since over time most businesses have adapted their websites and services for mobile devices. Accordingly, attackers are increasingly targeting smartphones and tablets, which are used for managing bank accounts, social networking, and business correspondence in email clients and messengers. In this article we will talk about current mobile threats, ways to detect, prevent and remove them.
So, let's start with a brief description of the evolution of devices and mobile threats. Some advanced phones of the 2000s ran full-fledged mobile operating systems and supported a Java virtual machine to run programs, including self-written ones. Prime examples are the Ericsson R380 (released in 1999, EPOC mobile OS, touch screen, built-in email client), the Nokia 9210 (released in 2000, full Symbian mobile OS, web browser, colour touch screen) and the Siemens SL45i (released in 2001, support for running Java applications, memory cards, built-in MP3 player). In addition, communicators and PDAs, popular in the 2000s, ran Windows CE/Windows Mobile, Symbian, Palm OS, BlackBerry OS and a number of others. The first attacks on feature phones were quite harmless and consisted, for example, of overflowing the device's memory after it received a specially crafted SMS message. As the functionality of mobile devices grew, more advanced threats gradually appeared: in June 2004, Cabir, the first virus for the Symbian mobile operating system, was detected; it self-propagated via Bluetooth. In 2005, the Commwarrior virus for the same OS accessed contacts and self-propagated via MMS messages. In July 2004, Duts, the first virus for Windows CE/Windows Mobile PDAs, was detected, and in August of the same year researchers discovered Brador, the first dangerous backdoor for the same OS, which allowed attackers to remotely control an infected device. The first Java viruses for mobile phones appeared in Russia: in 2006, the Redbrowser Trojan was discovered. It was distributed under the guise of a Java application supposedly for free WAP browsing, and after installation it sent SMS messages to a short (premium-rate) number, whose owner was probably connected to the virus author.
Over time, the development of mobile devices has reached a new level, and now smartphones can match or even surpass desktop PCs in technical characteristics and OS functionality. Consequently, more dangerous threats to mobile devices have started to appear: statistics show the prevalence of unwanted applications (riskware), applications with intrusive advertising (adware), mobile banking Trojans and ransomware. The goals pursued by the authors of mobile malware are usually the following:
1. Hidden sending of messages or calls to premium-rate numbers for unauthorised debiting of accounts, and subscription to paid services in applications;
2. Theft of funds through unauthorised access to banking applications - this can be implemented either through legitimate remote-control software for the mobile device or as part of the malware's own functionality;
3. Incorporating an infected mobile device into a botnet for covert use in cyberattacks, including DDoS attacks;
4. Espionage - access to the contacts, messages, files, geolocation data, camera and microphone of the device;
5. Theft of sensitive information (contacts, messages, documents, photos), including stealing a user's ‘digital identity’ by accessing documents stored on the device (personal data, ID cards), incoming SMS and biometric data from the device's facial recognition feature.
A malware infection of a device can be judged by the following signs:
1. Unexpected appearance of pop-ups, banners, and inscriptions. It is also worth considering that some websites may incorrectly use the functionality of sending notifications through the mobile browser, so it is important to periodically close open tabs and clear the browser cache.
2. Rapid battery discharge, slow operation, overheating of the device - however, the same phenomena may be caused by hardware problems, faulty firmware or failures of installed legitimate applications.
3. Unexpected debits from your mobile phone account for paid services (SMS, calls) or debits from the bank card used in mobile applications.
4. Appearance of unknown applications on the device, sudden switching on of the screen, unexpected display of the activity indicator of the geolocation service, microphone, camera.
5. Spontaneous access of the smartphone to web resources, network scanning, sending large amounts of data to unknown Internet services - such behaviour can be detected by using network traffic capture techniques.
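The last sign above, spontaneous connections and large uploads to unknown services, is the one that can be checked objectively once the phone's traffic has been captured (for instance on the Wi-Fi router it is connected to). The following script is an added example, not code from the original article: it assumes the capture has already been exported into simple "timestamp destination bytes_out" lines, and it flags hosts that receive an unusually large volume or are contacted at clockwork-regular intervals (beaconing). The log lines, host names and thresholds are constructed for illustration.

```python
"""Flag suspicious outbound traffic in a connection log exported from a capture.

Added example (not from the original article). Assumes connection records
were exported as "ISO-timestamp destination bytes_out" lines; the sample
below is constructed, and the thresholds are assumptions to tune per device.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a phone talking to a normal vendor service, plus one
# host that receives a large upload and is contacted every 60 seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:00 updates.example-vendor.test 1200
2024-05-01T10:00:05 cdn.example-vendor.test 800
2024-05-01T10:01:00 198.51.100.23 51200
2024-05-01T10:02:00 198.51.100.23 49800
2024-05-01T10:03:00 198.51.100.23 52000
2024-05-01T10:04:00 198.51.100.23 50500
2024-05-01T10:07:30 cdn.example-vendor.test 400
"""

UPLOAD_LIMIT = 100_000  # bytes sent to one host in the capture window (assumption)
MIN_BEACONS = 4         # contacts needed before judging regularity (assumption)
MAX_JITTER = 0.1        # stdev/mean of the intervals; close to 0 means clockwork


def parse_log(text):
    """Parse log lines into {destination: [(timestamp, bytes_out), ...]}."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, size = line.split()
        per_host[dst].append((datetime.fromisoformat(ts), int(size)))
    return per_host


def is_beaconing(times):
    """True when the contacts happen at near-constant intervals."""
    if len(times) < MIN_BEACONS:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= MAX_JITTER


def find_suspicious(text):
    """Return {destination: [reasons]} for hosts that deserve a closer look."""
    findings = {}
    for dst, records in parse_log(text).items():
        reasons = []
        if sum(size for _, size in records) > UPLOAD_LIMIT:
            reasons.append("large upload")
        if is_beaconing([t for t, _ in records]):
            reasons.append("regular beaconing")
        if reasons:
            findings[dst] = reasons
    return findings


if __name__ == "__main__":
    for host, why in find_suspicious(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(why)}")
```

Both heuristics produce false positives on their own (a cloud backup is a large upload; a weather widget polls regularly), so a host is only worth investigating when the destination is unknown to the user, and the findings should be checked against the apps actually installed on the device.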
Here is a description of some threats for the main popular mobile operating systems - iOS (developed by Apple) and Android (developed by Google).
The following specific threats are characteristic for iOS:
1. Extortion scheme for unlocking the device: attackers use social engineering techniques to persuade the victim to log in to the Apple device with an Apple ID account whose login and password are provided by the scammers themselves. After the device is signed in with someone else's Apple ID, the attackers take full control of it, put it into ‘Lost Mode’ and demand a ransom from the user. The defence is to refuse to sign in to your device with a rogue Apple ID and to follow Apple's security guidelines.
2. Unauthorised access to Apple ID: attackers hack into the email account used to create the Apple ID (especially if an email address outside the Apple domains @icloud.com, @me.com or @mac.com was used), then gain access to the Apple ID account, lock the device and place their ransom demands on the lock screen. The success of the attack and the leverage behind the ransom demand are increased if the attackers also access the victim's iCloud data using the compromised Apple ID. The defence is basic cyber hygiene: multi-factor authentication for the email account linked to the Apple ID, a complex password, and vigilance when clicking on web links and entering credentials on websites.
3. Abuse of the MDM (Mobile Device Management) functionality built into Apple's ecosystem: attackers can trick users into installing configuration profiles or enrollment profiles, after which the device is under the full control of the attackers, including installation of any applications, access to geolocation data, and remote wipe of all information on the device. The defence is vigilance when clicking on links and when receiving requests to install new configuration or enrollment profiles, as well as enabling Lockdown Mode on the device.
4. Exploiting Apple's beta testing platform: Apple's TestFlight platform is designed for beta testing applications without placing them in the App Store, and access to such beta applications is provided by sending test participants a link of the form https://testflight.apple.com/join/[randomly generated application ID]. The attack is effective because it uses legitimate functionality (including the genuine apple.com domain), because Apple does not subject beta apps to the same security checks, and because it is easy for attackers to implement (they only need an Apple developer account). The defence is vigilance when clicking on links and receiving requests to install new applications, as well as enabling Lockdown Mode on the device.
5. Use of .ipa files: in the iOS ecosystem, an .ipa file (short for iOS App Store Package) is an archive of an app's content that can be exported from and imported to Apple mobile devices. An attacker could develop a malicious iOS app, sign the .ipa file with an Apple developer certificate, trick the user into marking that developer certificate as ‘trusted’ on the device, and then get the user to manually install the app from the .ipa file sent to them. The defence is vigilance when downloading files and receiving requests to install new apps, and enabling Lockdown Mode on the device.
Android is characterised by the following specific threats:
1. Difficulty of centralised management of OS updates by Google (the Android developer): the diversity of smartphone/tablet manufacturers and models and the openness of the Android platform mean that ‘pure’ Android is installed only on a limited number of mobile devices (e.g. Google Pixel smartphones), while many vendors and enthusiasts independently modify and customise the original OS. As a result, the distribution of security updates for Android, in which dangerous vulnerabilities are regularly found, is complicated, and some manufacturers do not bother to develop patches at all. As a protective measure, it is advisable to buy devices only from reputable companies that regularly release OS updates and patches.
2. Alternative app stores: many manufacturers offer their own app stores for their smartphones and tablets, where control over the security and reliability of the published software is weaker than in Google Play. As a result, such stores may contain unwanted software characterised by intrusive ads, banners, requests for paid subscriptions, etc. As a protective measure, we can recommend installing software only from the official Google Play store, but even there malicious applications are regularly detected. In addition, a developer's Google Play account can be hacked and malicious components embedded in the next application update.
3. Easy customisation and reflashing of Android devices: enthusiasts release customised builds of the OS for many devices, which may contain vulnerabilities or malware added intentionally, by mistake, or as a result of an attack on the enthusiast developer. In addition, advanced users can install LineageOS on Android devices, which its creators position as a more customisable, privacy-oriented and secure alternative to the stock Android OS. As a protective measure, we can recommend not installing modified versions of the OS or, if there are doubts about the security of the official firmware (for example, a smartphone from a little-known manufacturer), installing LineageOS.
4. Ease of obtaining root rights: obtaining root on many Android devices, especially older ones, can be a fairly trivial task, and some manufacturers even openly publish instructions for rooting their models. Working with root privileges has a negative impact on OS security, as it breaks Google's security architecture and stops the mechanism for receiving and installing security updates. Besides, in most cases obtaining root requires first unlocking the OS bootloader, which also significantly reduces the device's security.
5. Ease of bypassing built-in security restrictions: standard Android tools allow installation of unverified and potentially malicious applications distributed as .apk files (a method called sideloading), as well as USB debugging via the Android Debug Bridge (adb) tool, which allows installing or uninstalling any application. Android also has a built-in capability called AccessibilityService, designed to help people with disabilities use the device - it grants extremely extensive rights (including control of the device and access to on-screen content), so it is important to monitor the applications that request this permission.
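The two bypasses described in the last item, sideloading and AccessibilityService grants, can both be audited from a PC with the same adb tool. The following script is an added example, not code from the original article or from the Android project: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`, and reports apps that did not come from a trusted store or that have an accessibility service enabled. The sample outputs and package names are constructed, and the set of trusted installers is an assumption to extend with the vendor's own store.

```python
"""Audit an Android device for sideloaded apps and AccessibilityService grants.

Added example (not from the original article). It parses two adb commands:
  adb shell pm list packages -3 -i
      -> one "package:<name>  installer=<pkg|null>" line per third-party app
  adb shell settings get secure enabled_accessibility_services
      -> "<pkg>/<service>:<pkg>/<service>" or "null"
The sample outputs below are constructed; TRUSTED_INSTALLERS is an assumption.
"""
import shutil
import subprocess

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add vendor stores here

# Constructed sample output of "pm list packages -3 -i".
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.remotehelper  installer=com.example.sideloader
"""
# Constructed sample output of "settings get secure enabled_accessibility_services".
SAMPLE_ACCESSIBILITY = (
    "com.example.remotehelper/com.example.remotehelper.ControlService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)


def parse_installers(text):
    """Map package name -> installer package (None when installed via adb or unknown)."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        result[name.strip()] = None if installer in ("", "null") else installer
    return result


def parse_accessibility(text):
    """Set of package names that have an accessibility service enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def audit(packages_text, accessibility_text):
    """Return {package: [findings]} for third-party apps that need review."""
    findings = {}
    a11y = parse_accessibility(accessibility_text)
    for pkg, installer in parse_installers(packages_text).items():
        notes = []
        if installer not in TRUSTED_INSTALLERS:
            notes.append(f"installed by {installer or 'adb/unknown source'}")
        if pkg in a11y:
            notes.append("AccessibilityService enabled")
        if notes:
            findings[pkg] = notes
    return findings


def run_adb(*args):
    """Run an adb shell command on the connected device (adb must be on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        pkgs = run_adb("pm", "list", "packages", "-3", "-i")
        a11y = run_adb("settings", "get", "secure", "enabled_accessibility_services")
    else:  # no device attached: demonstrate on the constructed sample
        pkgs, a11y = SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY
    for pkg, notes in audit(pkgs, a11y).items():
        print(f"{pkg}: {'; '.join(notes)}")
```

System apps are deliberately excluded by the `-3` flag, which is why the legitimate TalkBack service in the sample is not reported; an `installer=null` on a third-party app means it arrived by adb or a route that did not record an installer, which is exactly the case the user should be able to explain.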
In addition, there are a number of threats specific to both iOS and Android:
1. Malicious QR codes: quishing (QR phishing) attacks involve sending phishing emails with QR codes that lead to fraudulent or malicious websites. In addition, placing or re-posting QR codes in public places or on Internet resources can also be used by attackers to direct users to fraudulent resources or to launch QRLJacking attacks. It is important to remain vigilant when scanning QR codes and then navigating to web pages, as well as when scanning QR codes in banking applications and messengers.
2. Substitution of applications removed from the official Apple and Google app stores: on the wave of news about the mass removal of sanctioned banks' applications from the Apple and Google stores, scammers started posting links to supposedly updated banking applications on the Internet, and also started publishing malicious applications in some alternative stores allegedly on behalf of well-known sanctioned banks. If you need to install the application of a sanctioned bank, either follow the installation instructions on the bank's official web page or visit a branch.
3. Jailbreak, rooting: obtaining and working with superuser rights on both iOS and Android is fraught with a significant decrease in the level of OS security and incorrect operation of defence mechanisms.
4. Physical access to an unlocked device: unauthorised copying of information and stealthy malware installation are possible when an attacker has physical access to an unlocked device and when the unlocked device is connected to the attacker's PC, so it is not recommended to connect your smartphone to unknown chargers (including chargers in public places).
5. Sophisticated spyware: a number of companies produce spyware (e.g. Pegasus from NSO Group, Hermit from RCS Lab, Predator from Cytrox and several others) that is used for cyber espionage via iOS and Android mobile devices. Such spyware has a wide range of functionality and is extremely difficult to detect and remove. If a threat of this level is relevant to the user, on iOS a factory reset of the device followed by activation of Lockdown Mode can help, and on Android - installation of LineageOS with further deep tuning of security features, including locking the OS bootloader and configuring SELinux.
In conclusion, we would like to point out that current versions of modern mobile operating systems have a fairly high level of security ‘out of the box’, and built-in security mechanisms (e.g. Google Play Protect scanning and Apple App Store rules) provide protection against most malicious applications. Mobile antivirus products, in addition to application scanning, provide internet access protection, QR code analysis, anti-spam and anti-phishing features. With this in mind, it is important for users to follow a few basic rules to ensure a sufficient level of cybersecurity:
1. Do not install applications from unknown sources, do not click on links from unknown senders.
2. When installing new applications from official shops, evaluate the rating, date of first release, number of installations of the application, review the list of requested permissions.
3. Do not jailbreak or root your device.
4. Regularly install OS updates, including security updates.
5. Do not connect devices to unknown charging stations, do not give unlocked devices to strangers.