Mobile Devices = New Malware and New Vectors

With the explosion of mobile devices, it should be no surprise that attackers are rapidly turning their attention (and their malware) to focus on smartphones and tablets. These devices are a potential bonanza to sophisticated attackers because, first there are a lot of them (analysts predict mobile device shipments to outpace PCs this year), they are increasingly powerful with the ability to do most things a PC can, and typically they are very poorly secured compared to a corporate laptop. This trifecta of large opportunity, high target value, and poor defenses stand to make mobility one of the most active fronts in cybersecurity in the coming months and years.

Those of you who use Palo Alto Networks have probably seen that addressing these new challenges is a major focus in our research and development. Some of the highlights include protections for known malicious Android APKs, App-IDs for mobile applications, and GlobalProtect clients for both Android and iOS devices. However, we are also pushing to be far more proactive at discovering new mobile malware, and to that end we have been working hard to add support for Android APK files to the WildFire engine.  Palo Alto Networks researchers have been using this ability to automatically analyze massive numbers of APK files in the wild to proactively identify new Android malware and create new malware protections. As part of this process, the team has encountered some very interesting delivery vectors for mobile malware centered around mobile ad networks.

Of course ad networks have been a coveted target for attackers hoping to distribute malware via regular web-browsing. A malicious web-based advertisement can easily perpetrate a drive-by-download against a large number of unsuspecting browsers. However, this technique becomes far more insidious when migrating to mobile applications, and to understand why, we need to dig into how mobile applications and mobile ad networks work.

Mobile applications are heavily dependent on ad revenues to make money for the developer. However, mobile ads work a bit differently than the ads you encounter on a web-page, which are simply delivered from a web-server to your browser. Instead, the mobile application needs to reach out to the Internet and pull the correct ad in order to get paid. To do this the application developer must typically install an SDK or some piece of software for the ad network into the mobile application itself. The image illustrates this process for Google’s AdMob just as a reference.

source: http://www.google.com/ads/admob/monetize.html

This embedded software hook ensures the right content gets served to the application, the ads get tracked, and the app developer ultimately gets paid. The problem is that this hook is a bit of an intentional backdoor into the mobile application and device, and not all mobile ad networks are as reputable as AdMob. So if the mobile ad network turns malicious, then a completely benign application could begin bringing down malicious content to the device. What you have at that point is a ready-made botnet. The only difference is the ad network converts from pushing benign approved content to malicious content – the architecture is the same.

This sort of technique is exactly what Zhi Xu, one of our malware researchers uncovered in the wild, and is very similar to the BadNews network observed in Russia earlier this year (http://www.mobileworldlive.com/badnews-for-android-as-fake-ad-network-targets-google-play ). Our research team identified new malicious APKs, that were able to avoid all tested mobile antivirus solutions. These malicious payloads would quietly run in running memory to avoid raising suspicion by prompting the user to install the application. The malware simply waited until the next time that the user installed a valid application and attempted to lure the user into installing the malware along with the new application. This is a very elegant approach that doesn’t really require the end-user to do anything “wrong”. The user could download a valid application from a valid app store, and ultimately be silently infected by a disreputable ad network.

These innovations in mobile attacks are likely just the beginning of a long cat-and-mouse game between the good guys and bad guys, but it should serve as a reminder that new technologies often result in new threat vectors. Security must innovate alongside new technologies, and that is what makes security challenge, but also why it is stimulating and exciting. May we live in interesting times…