Exploiting Vulnerabilities: The Other Side of Mobile Threats
Though the bulk of mobile threats are in the form of malicious or high-risk apps, mobile devices are also troubled with other threats. Take for example the bugs found in Samsung Galaxy devices and the OBAD malware that exploits vulnerabilities to gain elevated privileges. Unfortunately, these are not the only vulnerabilities that mobile users should be wary of.
The “master key” vulnerability was initially reported affecting 99% of Android mobile devices. This is related to how Android apps are signed and may allow an attacker to update an already installed app without the developer’s signing key. Taking advantage of this flaw, the attacker can then replace legitimate apps with malicious ones. We saw first-hand just how big its impact can be when our researchers got hand of an attack that used the vulnerability to update and trojanize a banking app.
The second mobile device vulnerability, on the other hand, stems from the use of old encryption system in most SIM cards today. To abuse the vulnerabilty, the attacker only needs to send an SMS message crafted to intentionally generate error. As a result, the SIM card responds with an error code containing a 56-bit security key. The key can then be used by the attacker to send a message to the device in order to trigger the download of malicious Java applets, which may be designed to perform several malicious routines such as sending text messages and spying on the phone’s location.
Unlike the “master key” vulnerability, the SIM card vulnerability can affect a far bigger set of users since it is not OS- dependent. Furthermore, Because the said threat stems from the use of an old decryption method, updating SIM cards with a newer decryption feature can be seen as impractical and expensive by GSM operators and telecommunication firms.
There are other ways to prevent attacks targeting this vulnerability. Filtering SMS messages can be a good start, but may not be possible with very basic handsets. Some telecommunication providers also offer in-network SMS filtering, but is highly dependent on the mobile carrier.
The third vulnerability confirms that even the iPhone is not immune from vulnerabilities. Researchers from the Georgia Institute of Technology were able to create a a malicious charger (also called Mactan) that contain mini computers that can initiate USB commands. Presented during the recent BlackHat US, the researchers demonstrated how the malicious charger was able to infect the iPhone and execute commands. Apple has then announced that the vulnerability used to execute the attack will be addressed in their next software update.
A Bigger Concern in the Future
So far, vendors like Google, Apple and Samsung have responded swiftly to these security concerns. However, considering that the most known form of mobile threats for some time now has been the abundance of malicious applications, the emergence of vulnerabilities related to mobile computing shows a different and more alarming concern.
Vulnerabilities are very effective avenues for threats, as we’ve learned from dealing with PC threats. They are also very tricky to deal with, both from the users’ and the developers’ side. The way vulnerabilities are handled in terms of PCs is an issue that is still under much discussion, as well as with patch management. The case might not be any different for mobile, should this trend continue. It might even be made more complicated with concerns such as consumerization and fragmentation.
The need for mobile users to keep their device secure from threats is now greater than ever, and is bound to even be more critical later on. Not only are new threats or infection points emerging; the known threats are also increasing, and improving at the same time. As reported in our recently released 2Q 2013 Security Roundup, the malicious and high-risk apps found affecting Android has reached 718,000 — showing an increase of 350,000 in just 6 months.
For now, the best course of action that users can take is to make sure that their device software is always updated. This step, along with installing a security software and downloading only from trusted sources should help minimize the risk of being affected by attacks.
To learn more about these vulnerabilities, and the other developments in the mobile threat landscape, read our 2Q 2013 Security Roundup, Mobile Threats Go Full Throttle: Device Flaws Lead to Risky Trail.