viaForensics Director of Research Thomas Cannon (@thomas_cannon) recently recorded his presentation “Corporate Espionage via Mobile Device”. In it he shows how an innocent application can be used to harbor malware installed later, and how an attacker can use that malware to exfiltrate data from a mobile device, remotely activate phone features such as the camera and microphone, and bypass corporate defenses to infiltrate a corporate network. Key quotes, the presentation video, and the transcribed audio are below.
Quotes of note:
“An attacker can just click this button and it turns the phone into a remote surveillance device”
“Without knowing it, a user could be sitting in a meeting and their phone which is in their jacket pocket is acting as a remote bugging device and the attacker could be listening in on private conversations.”
“Localization will pinpoint my phone using GPS and I can be tracked in real time. If I was outside it would show where I am and would update the map in real time.”
“(The attacker) can also use the phone as a remote camera. The user won’t notice anything on their phone, but the attacker will be able to see anything the phone can see through its camera.”
“(The attacker) can actually turn this mobile phone into a USB keyboard — as an attacker enters keystrokes and sends it over to the phone, the phone then enters those keystrokes on the corporate machine. This bypasses traditional controls such as firewalls and allows an attacker connected from anywhere in the world to send keystrokes through the internet to a phone and from that phone through USB to a desktop and take remote control over a desktop.”
Hello, I am going to do a demonstration of malware on the mobile. I’m going to show how a legitimate application installed on a mobile phone can be a conduit for malware installed at a later date. I’ll be doing this demonstration on Android, but equally we could do a similar attack on iOS.
I have here my personal Android phone, and it has an innocent application installed called ‘demo RSS’. There’s nothing malicious about this application. If it was assessed by a professional, they wouldn’t see anything untoward about it. And we’ll show in a minute how it really works as a real application. Now, this particular channel of sending malware through a legitimate application was actually used in real-world malware quite recently in a piece of malware called ‘bad news’. This masqueraded as an advertising network that developers could embed in their applications. Once many applications had this advertising network installed, the attackers then used the same channel to send out malware to thousands of users.
First of all, I’m going to demonstrate how a user can add a news feed to the news reader application. They could do it manually, but I’m going to show how they may add it using a website which would send the link to the device. So I have here my attacker’s laptop and as an attacker I could be anywhere in the world right now, just connected over the internet to perform this attack. In the top left I’m about to run a command called “send RSS” and this just simulates a user sending a link to their phone and it will appear as a newsfeed. So if I go ahead and hit enter, it takes a couple of seconds to run, and then on the device we can see it refreshing and a news feed has been added. The user can go ahead and open it and read the news articles.
OK, so let’s put ourselves in the position of an attacker and send an exploit to the device instead. Now the attacker can wait for an exploit to be developed for the device. Exploits are developed all the time for both iOS and Android, so many users could have this application installed while the attacker waits for an appropriate exploit to become available and then uses that to send their malware over to the device. So on my attacker’s laptop, I’m going to run a similar command called “send exploit”. I hit enter and it will send a message to the legitimate application, and on the bottom left you can see I’m running a webserver which is hosting the exploit. The mobile device has just requested the exploit code to be downloaded and executed.
Meanwhile, back on the mobile device, we see the malware has now appeared. For purposes of demonstration, we’ve made sure the malware is visible so you can see it, but in real life this would actually be hidden from the user. So I’m going to go ahead and click ‘connect’, then hide the application, as a real user would not see it. On my attacker’s laptop in the top right I have an application called ‘androrat project’. Now this was a proof-of-concept piece of malware developed by some French students as a college project. The source code is freely available and downloadable from the internet, so anybody can take this code and adapt it.
So we see that my device has connected and I’m based in the UK. If I go ahead and open this, it provides us with some basic details about the device, such as the serial number. Now what we’re interested in is what kind of data can we get from the phone, what kind of data can we exfiltrate and the kind of attacks we can perpetrate as an attacker. First view is a file listing. We can view and read all the files on the memory card inside the mobile phone.
This is important because attachments, say for corporate email that contains sensitive documents, when they are opened on the phone they are often saved to the memory card. As an attacker we can go ahead and retrieve those files off the memory card and potentially view confidential and sensitive information. As well, of course, we can also take pictures and other files and backup files that they may have saved. We can also list contacts on the device.
Now, while that’s interesting in itself, we can also use this functionality to perpetrate a further attack of social engineering. Here’s my boss. What I can do is I can send him a text message and it will use the device itself to send the text message. As far as my boss is concerned, this message is coming from my mobile phone, even though it’s actually being sent by an attacker anywhere in the world. I can ask my boss what the password is, perhaps the password for a production server. I can send that to him, and then he may reply with the password. Hopefully he won’t actually do that, but you get the idea of using social engineering techniques in order to get data from internal users.
As an attacker we have a monitoring functionality on this malware, ‘sms monitor’, where we can monitor for incoming SMS messages, so if that password is sent back we can then retrieve it. More data that we can get back, for example, are call logs. So I’m going to apply a filter here: I’m going to look for missed calls not before the first of March 2013. When I press that button, almost instantly a listing of call logs comes back. Now I could also pull back outgoing and incoming calls as well, which may contain useful information. I can read SMS messages. This application also offers real-time streaming of data. Localization will pinpoint my phone using GPS and I can be tracked in real time.
Now, because I’m in a studio today, the GPS signal isn’t working so I can’t be located, but if I was outside it would show where I am and would update the map in real time. Other streaming we can do, for example, is audio. An attacker can just click this button and it turns the phone into a remote surveillance device, so as I’m talking now the phone is picking up what I’m saying. This is being relayed to the attacker and is being echoed out over my laptop speakers. Without knowing it, a user could be sitting in a meeting and their phone which is in their jacket pocket is acting as a remote bugging device and the attacker could be listening in on private conversations.
Similarly, we can also use the phone as a remote camera. What I’m going to do here is take a picture and the user won’t notice anything on their phone, but the attacker will be able to see anything the phone can see through its camera. If I hold up the phone and I click ‘take picture’ we can see on the screen that it’s just taking a photo.
Now, while retrieving and exfiltrating this data was interesting in itself, we can actually elevate this attack to something even more serious. When the user plugs their mobile phone into their corporate laptop or desktop using the USB cable, perhaps to charge it or sync with it, as an attacker we can connect to the device, and then from the device we can connect into the PC. We can actually turn this mobile phone into a USB keyboard, so it pretends that it’s a USB keyboard, and as the attacker enters keystrokes and sends them over to the phone, the phone then enters those keystrokes on the corporate machine. This bypasses traditional controls such as firewalls and allows an attacker connected from anywhere in the world to send keystrokes through the internet to a phone and from that phone through USB to a desktop and take remote control over a desktop.
Now we have actually built this into this malware as a proof of concept and it also has a mouse command as well so you could take over the mouse. It’s as simple as entering the text into a box and hitting the return key. If my phone is connected to my laptop it would then type those commands into the laptop.
This has given you a quick overview of what’s possible with malware on mobile and how easy it is to get that malware on the device. We chose Android today but we could equally do similar attacks on iOS as well. Hope this has been useful to you, thank you.
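The conduit described in the talk works because the ‘demo RSS’ app accepts a pushed message and acts on it as an instruction to fetch and run code. The following is an added example (not viaForensics’ code and not the demo app’s) of how a feed reader’s push handler can be hardened so that a push is only ever data: it assumes a hypothetical JSON message format with `type` and `url` fields, a constructed pinned update host, and a constructed pinned SHA-256 digest, and the fetch function is injected so the whole thing runs offline.

```python
# Added example (not the talk's or demo app's code): hardened push handling for
# a feed-reader app with a hypothetical JSON message format. A push is data,
# never "fetch and run"; updates need the pinned host and a pinned SHA-256.
import hashlib
import hmac
import json
from urllib.parse import urlparse

PINNED_UPDATE_HOST = "updates.example.invalid"  # constructed
PINNED_UPDATE_SHA256 = hashlib.sha256(b"signed-update-v2").hexdigest()  # constructed

class PushRejected(ValueError):
    """Raised for any message the app refuses to act on."""

def parse_push(raw: bytes) -> dict:
    """Strictly parse a push; wrong shape or unknown type is an error."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise PushRejected("malformed message") from exc
    if not isinstance(msg, dict) or set(msg) != {"type", "url"}:
        raise PushRejected("unexpected message shape")
    if msg["type"] not in ("add_feed", "update"):
        # A 'run'/'exec' type simply has no handler; nothing is executed.
        raise PushRejected(f"unknown message type {msg['type']!r}")
    return msg

def accept_feed_url(url: str) -> str:
    """A feed URL is just a place to read XML from: require https + host."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        raise PushRejected("feed URL must be an https URL")
    return url

def verify_update(url: str, payload: bytes) -> bytes:
    """Return update bytes only if origin is pinned and digest matches."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname != PINNED_UPDATE_HOST:
        raise PushRejected("update must come from the pinned host")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, PINNED_UPDATE_SHA256):
        raise PushRejected("update digest does not match pinned digest")
    return payload

def handle_push(raw: bytes, fetch) -> tuple:
    """Dispatch one push; fetch(url) -> bytes is injected so this runs offline."""
    msg = parse_push(raw)
    if msg["type"] == "add_feed":
        return ("feed", accept_feed_url(msg["url"]))
    return ("update", verify_update(msg["url"], fetch(msg["url"])))
```

In a real app the pinned digest would be replaced by a signature check against a public key compiled into the app, but the shape of the check is the same: the pushed message selects what to do only from a fixed set of data-handling actions, and anything to be loaded as code must prove its origin before it is used.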