Mobile malware gets serious – RATs can bypass sandboxes and encryption

Lacoon Mobile Security has announced details of its latest research undertaken in partnership with global mobile network providers. It sampled 2 million subscribers and found that 1 in 1000 users have been infected with a mobile RAT. Detailed figures have not been released, but 52% of the infections involve Apple’s iOS devices, while 35% involve Android handsets.

“Infection of smartphones with mRAT requires the spyware to install a backdoor through the rooting of Android or the jailbreaking of Apple devices,” says the announcement. The implication from this – which cannot be verified from the details so far released since it isn’t clear whether the sampled devices were randomly selected or focused on rooted devices – is that there are huge numbers of jailbroken Apple devices; and around 1 in every 2000 iOS devices has a RAT installed. Jailbreaking almost always requires owner participation.

Once installed, the latest mRATs can bypass mobile device management (MDM) defenses. “MDM solutions create secure containers that separate business and personal data on the mobile. The concept is to prevent business critical data from leaking out to unauthorized individuals,” explained Ohad Bobrov, CTO and co-founder of Lacoon Mobile Security. “However, our research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it.” That is, the RAT is able to access data either before it is encrypted or after it has been decrypted.

Once it has got the data, the RAT simply sends it on to its command-and-control (C&C) server. “The reason mRATs pose such a danger,” he added, “is that, while the software may be installed on a single device, it can be used to target the whole organization for espionage purposes.” Lacoon is warning that mRATs can eavesdrop on calls and listen in on board meetings, steal text messages and voice recordings, track the location of key executives, and snoop on corporate emails and application data.

“While MDMs do offer some protection through static compliance and policy enforcement,” says Lacoon, “organizations need to understand that they do not offer complete protection.” Lacoon will be demonstrating a live attack technique aimed at bypassing popular MDM solutions later this month at Infosecurity Europe in London.

Meanwhile, what remains a puzzle is how so many iOS devices can be jailbroken. A call to Lacoon for clarification was not answered in time for publication. Graham Cluley of Sophos is also puzzled. It is “theoretically” possible to jailbreak a device remotely, he says, and social engineering might be involved, but he suspects that the RATs concerned are the typical ‘spousal and parental spy’ kind. “In that scenario, the ‘attacker’ probably does have physical access to the device (while their partner is in the shower, out at the tennis club, whatever) and can easily jailbreak it and install a ‘keylogger’.”

This doesn’t lessen the theoretical threat to business, but it is obviously harder to get spousal spy software onto a business phone via local jailbreaking. The ‘1 in every 2000’ figure will surprise many.
