Threat Advisory: Man-In-The-Middle Attacks Target iOS and Android



akamai’s [state of the internet] / threat advisory


1.1 / OVERVIEW

Information from intelligence sources suggests ongoing efforts by an organized and resourceful group of malicious actors to target mobile devices, such as smartphones. Open-source intelligence suggests man-in-the-middle attacks are targeting owners of devices from specific phone and software vendors in attempts to steal credentials or hijack browsing sessions in order to serve malicious applications.

This activity has been observed primarily in Asia, beginning in September 2014. The attacks have targeted software vendors, Software-as-a-Service (SaaS) providers and Internet service providers in an attempt to acquire the sign-in credentials of their users. Attacks also attempt to serve malicious software, such as Remote Access Trojans (RATs), by the use of phishing techniques or by impersonating valid applications. Other attacks use phishing to solicit users to download applications being hosted on third-party repositories.

Attackers first compromise a client device or network in order to use webinjects; however, portions of these attacks might also be used in cross-site scripting (XSS), phishing and drive-by download attacks.

1.2 / OPEN-SOURCE INTELLIGENCE

A variety of sources have publicized attacks involving mobile devices.

§ According to Computer World Hong Kong, Apple Daily, a site owned by Next Media, was said to have reported that distributed denial of service (DDoS) attacks caused downtime and disruption in content publishing.

§ FireEye published research data that suggested the use of customized and sophisticated malware, which indicates a high level of skill and resources typically available only to veteran criminals. Figure 1 shows captured traffic indicating the man-in-the-middle attack.

§ Attacks on a large scale appear to have targeted companies that supply SaaS and application services, such as Microsoft online email and Apple application services, by conducting man-in-the-middle attacks on the Internet infrastructure.

§ GreatFire.org reported a man-in-the-middle attack against Microsoft, Yahoo and Apple iCloud service. These attacks purportedly sought to obtain credentials of victims by intercepting traffic going to these sites. They were reported in October 2014 and coincided with the release of Apple’s iPhone 6 in Asia. Apple acknowledged the attack by producing a web page warning against the forged certificates and releasing a series of recommendations for users to avoid becoming victims of this type of attack. A forged security certificate is shown in Figure 2.


MAN-IN-THE-MIDDLE ATTACKS TARGET iOS AND ANDROID

TLP: GREEN

GSI ID: 1084

RISK FACTOR - HIGH


Figure 1: GreatFire.org shared captured traffic indicating the man-in-the-middle attack


Figure 2: A forged security site certificate for iCloud.com

1.3 / TARGETED DEVICES: MOBILE

Open-source intelligence suggests the active targeting of mobile devices. This targeting has taken the form of phishing attacks, attempts to create man-in-the-middle application stores, and impersonation of applications so that the attackers can compromise devices, redirect them or gather information about users' browsing activity. The attacks require access to specific parts of the Internet infrastructure as well as specific knowledge of mobile operating system architecture in order to develop the customized malicious payload.

In addition, cellphone signal interception technology may have been used when targeting victims. By intercepting cellphone signals and data, attackers can pinpoint the user's approximate location, eavesdrop on communications, modify incoming transmissions, and view the communication and application protocols being used by victims, and then proceed to target them. Previous research by Kristin Paget showed that actual interception of GSM traffic was possible by targeting GSM protocol vulnerabilities. Research also shows that the CDMA protocol and CDMA handsets can be targeted and compromised.


The use of this technology by attackers may have aided their efforts in targeting specific applications and generating customized malicious payloads.

The Apple iOS and Android mobile operating systems have been the primary mobile architectures targeted. The open-source Android architecture is more accessible to would-be attackers than iOS, but both have been targeted.

1.3A / ANDROID

The exploitation of the Android platform can range from footprinting a specific operating system version to the complete takeover and command of the mobile device. Device users can allow installation of applications from third-party application stores, some of which are unsigned or unverified by the Google Play Store. Figure 3 shows how extensive the exploitation of an Android device can be using payloads currently available on the Internet.


Figure 3: An example of Android operating system exploitation via Metasploit penetration testing software

1.3B / iOS

The iOS platform is closed-source and has a very restricted process of application verification, approval, review and publishing. It has multiple OS-based security controls. Companies must follow a process involving a number of formal requests and financial investments in order to be part of the Apple development program or even to get access to development resources. This makes iOS more difficult to target than the Android platform and reinforces the thesis that higher-level skills and resources were needed to create the exploits.

Due to this difficulty, malicious actors chose tactics such as impersonating or bypassing the Apple store in order to serve malicious payloads to targeted victims. This is often accomplished by targeting enterprise provisioning profiles and bypassing the Online Certificate Status Protocol (OCSP) check used to validate enterprise certificates. A detailed description of this type of attack was published by Virus Bulletin.

In other cases, attackers will create clones of third-party applications in which they embed a targeted application bundle identifier. Once this cloned (and malicious) application is installed, it will replace the genuine application, bypassing security checks. This approach is feasible because iOS does not enforce matching certificates for applications with the same bundle identifier. A detailed account of an attack named iOS Masque was published on the FireEye blog.

1.3C / THE JAILBREAKING FACTOR

Malicious actors have also targeted users who have jailbroken their iOS phones. Jailbreaking is the process of removing limitations and security checks in the iOS operating system in order to allow users to install applications from other application stores. In China, for example, 14 percent of the 60 million iOS devices have been jailbroken, often to support the use of third-party Chinese character keyboard apps. Cydia is the most popular third-party application store installed after jailbreaking an iPhone.

1.4 / MOBILE REMOTE ACCESS TROJAN: THE XSSER MRAT

Lacoon Mobile Security discovered the Xsser mRAT, the first advanced Chinese iOS Trojan, which is related to Android spyware already distributed broadly in Hong Kong. Both the Android and iOS payloads were found hosted on the same command-and-control server.

Xsser mRAT was originally an Android-exclusive mobile Remote Access Trojan (mRAT); however, a new variant aimed at infecting iOS devices emerged in the jailbroken market. The app is installed via a rogue Cydia repository and once the bundle has been installed and executed, it gains persistence. It then makes server-side checks and proceeds to exfiltrate data from the user’s device and executes remote commands from its command-and-control (C2) server.

Applications bundled for Cydia use the popular Debian packaging system, in which a .deb file contains the archive of files for the application. The Xsser mRAT package consists of several installation scripts and a Mach-O executable (Mach-O is the executable format used for Apple binaries).

Following the extraction process, the postinst (post install) file shown in Figure 4 executes a series of bash commands to adjust the permissions of the files.

Figure 4: The post-installation script packed with the iOS XsserRAT Debian file

It then executes the shell script xsser.0day_t.sh, shown in Figure 5, which is used to install the LaunchDaemon plist, giving the Trojan persistence.
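As an added illustration of the package structure described in this section (not code from the advisory or from PLXsert): a small Python triage script that opens a Cydia .deb without dpkg, pulls the maintainer scripts from control.tar.gz, flags the chmod/launchctl persistence indicators, and reports what any LaunchDaemon plist dropped in data.tar.gz would launch. The sample package it builds is constructed here to mirror the described chain; its file and label names are assumptions, not the real Xsser package.

```python
import io
import plistlib
import tarfile

# Script content matching the postinst -> launchctl persistence chain described above.
INDICATORS = ("launchctl load", "/Library/LaunchDaemons", "chmod 755", "chmod +x")


def ar_members(blob: bytes) -> dict:
    """Minimal reader for the 'ar' container that wraps every .deb (no dpkg needed)."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    members, pos = {}, 8
    while pos + 60 <= len(blob):                       # fixed 60-byte member header
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                  # member bodies are 2-byte aligned
    return members

def tar_files(gz: bytes) -> dict:
    """{path: bytes} for every regular file in a .tar.gz, with any leading './' dropped."""
    with tarfile.open(fileobj=io.BytesIO(gz), mode="r:gz") as tf:
        return {(m.name[2:] if m.name.startswith("./") else m.name): tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile()}

def triage_deb(blob: bytes) -> dict:
    """Flag scripts carrying persistence indicators and LaunchDaemon plists the package drops."""
    members = ar_members(blob)
    control, data = tar_files(members["control.tar.gz"]), tar_files(members["data.tar.gz"])
    scripts = {n: b for n, b in control.items() if n in ("preinst", "postinst", "prerm", "postrm")}
    scripts.update({n: b for n, b in data.items() if n.endswith(".sh")})  # helper scripts
    report = {"script_hits": {}, "launch_daemons": {}}
    for name, body in scripts.items():
        hits = [i for i in INDICATORS if i in body.decode(errors="replace")]
        if hits:
            report["script_hits"][name] = hits
    for path, body in data.items():
        if path.startswith("Library/LaunchDaemons/") and path.endswith(".plist"):
            pl = plistlib.loads(body)                  # what `launchctl load` would start
            program = (pl.get("ProgramArguments") or [pl.get("Program")])[0]
            report["launch_daemons"][path] = {"label": pl.get("Label"), "program": program,
                                              "run_at_load": bool(pl.get("RunAtLoad"))}
    return report


# Constructed sample package mirroring the described chain; it is NOT the real Xsser .deb.
def _targz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar(members: dict) -> bytes:
    out = b"!<arch>\n"
    for name, data in members.items():                 # 60-byte header + 2-byte aligned body
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

PLIST = plistlib.dumps({"Label": "com.example.persist", "RunAtLoad": True,
                        "ProgramArguments": ["/usr/bin/xsser.0day"]})
SAMPLE_DEB = _ar({"debian-binary": b"2.0\n", "control.tar.gz": _targz({
    "./control": b"Package: com.example.game\nVersion: 1.0\n",
    "./postinst": b"#!/bin/bash\nchmod 755 /usr/bin/xsser.0day_t.sh\n/usr/bin/xsser.0day_t.sh\n"}),
    "data.tar.gz": _targz({"./Library/LaunchDaemons/com.example.persist.plist": PLIST,
    "./usr/bin/xsser.0day_t.sh": b"#!/bin/bash\nlaunchctl load /Library/LaunchDaemons/com.example.persist.plist\n"})})
```

Running triage_deb(SAMPLE_DEB) reports the chmod indicator in postinst, the launchctl indicator in the helper script, and the plist entry pointing at /usr/bin/xsser.0day with RunAtLoad set.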


Figure 5: The startup script executed after the post-installation script

Once the launchctl load command is executed, the contents of the plist file will determine which application is launched. This will be the xsser.0day_t binary, which has now been renamed to xsser.0day.

1.5 / HOSTING THE MALICIOUS APPLICATION

In order for XsserRAT to be distributed, it must either be pushed onto the user's device or uploaded into a Cydia repository. Cydia repositories are sources where packages are maintained and distributed. They work in much the same way as Debian sources. Users must add these sources manually, or be tricked into adding them. Many jailbreak users add sources freely, without any guarantee that a source is safe from publishing malicious applications.

There are a number of free sources where a user can host their applications. For example, a website called myrepospace provides free hosting for Cydia sources. This allows a malicious actor to host the offending application and phish users into adding the source with packages that target specific interests, such as popular games sold in the App Store. In Figure 6, a package disguised as the popular Flappy Bird game has been uploaded to a free source hosting webpage.


Figure 6: A malicious package disguised as the popular gaming app Flappy Bird is listed on a free source hosting site

Once an unsuspecting user has added the malicious source to his or her Cydia source list, the application is available for the user to download, as shown in Figure 7. No details are provided about the application, so the victim is unaware of the malicious binary.

Figure 7: The malicious app shown in the Cydia sources page

When the binary is executed, it will connect back to its C2 server. It will check the remote C2 against the local library file and attempt to update the local library if an outdated file is present. The check is made by the HTTP request CheckLibrary.aspx, as shown in Figure 8.


The remote library that is downloaded contains the remaining portion of the Trojan code.

Figure 8: The GET request checks for the latest library component of the XsserRAT Trojan

Figure 9 illustrates the strings and functions indicating capabilities for logging and remote updating by the downloader.

Figure 9: XsserRAT downloader functionality

At the time this threat advisory was published, the C2 had been taken down and attempts by the Trojan to download its extra library (in the lab environment) failed. Instead, PLXsert statically analyzed the missing library component. The library includes the main functionality of the XsserRAT Trojan, shown in Figure 10, such as functions to exfiltrate phone information, SMS text messages, email and other sensitive data.


Figure 10: The data exfiltration functions within the library component of the XsserRAT Trojan

Once the user has been infected, the malicious actor will receive sensitive information about the user's device, providing an opportunity to perform follow-up attacks such as extortion or other social engineering-related attacks against a company or organization.

Figure 11 shows a web archive of the maliciously hosted XsserRAT on a Cydia source. This source is where the Trojan was hosted and where subsequent callbacks were made. Figure 12 shows open source data on the xsser.com domain history.

Figure 11: A query to a wayback machine shows the Xsser.com domain was serving malware as early as January 7, 2014


Figure 12: Open source data on the xsser.com domain history

PLXsert has been able to verify that the xsser.com domain has been used extensively and modified to serve malware since at least January 7, 2014. There are also multiple randomly-generated subdomains with dates older than January 7, 2014.
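The CheckLibrary.aspx check-in (Figure 8) and the randomly generated xsser.com subdomains noted above are what a proxy log review would key on. The following is an added example, not part of the advisory, that runs that detection over constructed Squid-style access log lines: it suffix-matches the C2 domain so that any subdomain is caught while look-alike names such as notxsser.com are not, and it handles CONNECT tunnels where only the host is visible. The client addresses, timestamps and subdomain labels are made up; only xsser.com and the check-in path come from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the advisory: the C2 domain (any subdomain of it) and its check-in request.
C2_DOMAINS = ("xsser.com",)
C2_PATH_SUFFIX = "/checklibrary.aspx"

# Squid-style access log: "timestamp elapsed client action/code bytes method url ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def host_matches(host: str) -> bool:
    """Suffix match on the registrable domain: catches random subdomains, rejects notxsser.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def find_checkins(lines) -> dict:
    """Return {client: [url, ...]} for requests to the C2 domain or to the check-in path."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if "://" in url:                       # plain HTTP: host and path are both visible
            parts = urlsplit(url)
            host, path = parts.hostname or "", parts.path
        else:                                  # CONNECT host:port: only the host is visible
            host, path = url.rsplit(":", 1)[0], ""
        if host_matches(host) or path.lower().endswith(C2_PATH_SUFFIX):
            hits[m.group("client")].append(url)
    return dict(hits)


# Constructed log lines (addresses, timestamps and subdomain labels are made up).
SAMPLE_LOG = """\
1412899200.123   45 10.0.0.7 TCP_MISS/200 812 GET http://a1b2c3.xsser.com/CheckLibrary.aspx?v=1 - DIRECT/203.0.113.5 text/html
1412899201.456   12 10.0.0.7 TCP_MISS/200 5120 GET http://cdn.example.org/app.js - DIRECT/198.51.100.9 text/javascript
1412899202.789   33 10.0.0.9 TCP_MISS/404 300 GET http://xsser.com/lib.bin - DIRECT/203.0.113.5 text/html
1412899203.000   20 10.0.0.12 TCP_MISS/200 100 GET http://notxsser.com/index.html - DIRECT/192.0.2.44 text/html
1412899204.500  900 10.0.0.7 TCP_TUNNEL/200 4096 CONNECT x9y8z7.xsser.com:443 - DIRECT/203.0.113.5 -
"""
```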

1.6 / PREVENTING INFECTION

End-users will find it very difficult to detect whether their phones are under attack from malware such as Xsser mRAT. The best approach is prevention. Several common sense protection measures apply:

§ Avoid the use of free Internet hot spots. They can be readily compromised or set up to entrap unknowing users. Even if a free Wi-Fi SSID is familiar or known, it may be indistinguishable from a malicious one.

§ Disable automatic Wi-Fi connections and disable Wi-Fi in public places. Disabling will prevent victimization by tools that impersonate known SSIDs.


§ When possible, use a virtual private network (VPN) service. VPNs provide protection against eavesdropping and man-in-the-middle attacks.

§ Enable two-factor authentication when possible in any application that requires the input of user credentials. Two-factor authentication adds a layer of protection.

§ Ignore sudden or unexpected communications that contain generic salutations, grammatical errors in URLs, unexpected attachments and attachments sent from unknown entities. Do not click anything in these communications.

§ Do not respond with sensitive information without verifying the origin of such requests or communications.

§ It is difficult to detect GSM and CDMA attacks; however, any sudden requests to install, upgrade or download applications should be distrusted. Certificate errors in websites or login errors in phone applications are an indicator of possible malicious activity. In addition, sudden signal intensity changes could indicate cell tower impersonation or tampering.

§ Use peer-to-peer proximity networking technology to help avoid infrastructure eavesdropping or tampering, but be aware that attackers may join these networks and sniff traffic.

§ Do not install any application from an untrusted and unsigned source. Caution will reduce the attack surface when mobile devices are being targeted.

§ Do not jailbreak phones. Jailbreaking exposes the iOS to a wide range of attacks.

§ Consider the use of commercial phone applications that warn, discover and interrupt malicious processes.


1.7 / CONCLUSION

The use of sophisticated attack methods against unsuspecting mobile device users shows the extent to which veteran criminals with resources will go to target mobile phones. Only a well-funded and coordinated multi-member organization can execute such a campaign. Campaigns like this provide a warning message for the types of methods that can be used against users for the purpose of surveillance or profit.

Attack vectors involving mobile technology include DDoS, compromise of the Internet infrastructure, man-in-the-middle attacks, customized malicious mobile operating system payloads, possible cellphone tower eavesdropping technology and social engineering.


The Prolexic Security Engineering and Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.

Akamai® is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company’s solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

©2014 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 10/14.