Threat Advisory: Man-In-The-Middle Attacks Target iOS and Android

    akamais [state of the internet] / threat advisory


    1.1 / OVERVIEW / Information from intelligence sources suggests ongoing efforts by an organized and resourceful group of malicious actors to target mobile devices, such as smartphones. Open-source intelligence suggests that man-in-the-middle attacks are targeting the customers of specific phone and software vendors, with attempts to steal credentials or hijack browsing sessions in an effort to serve malicious applications.

    This activity has been observed primarily in Asia, beginning in September 2014. The attacks have targeted software vendors, Software-as-a-Service (SaaS) providers and Internet service providers in an attempt to acquire the sign-in credentials of their users. Attacks also attempt to serve malicious software, such as Remote Access Trojans (RATs), by the use of phishing techniques or by impersonating valid applications. Other attacks use phishing to solicit users to download applications being hosted on third-party repositories.

    Attackers first compromise a client device or network in order to use web injects; however, portions of these attacks might also be used in cross-site scripting (XSS), phishing, and drive-by download attacks.

    1.2 / OPEN-SOURCE INTELLIGENCE / A variety of sources have publicized attacks involving mobile devices.

    According to Computer World Hong Kong, Apple Daily, a site owned by Next Media, reported that distributed denial of service (DDoS) attacks caused downtime and disruption in content publishing.

    FireEye published research data that suggested the use of customized and sophisticated malware, which indicates a high level of skill and resources typically available only to veteran criminals. Figure 1 shows captured traffic indicating the man-in-the-middle attack.

    Attacks on a large scale appear to have targeted companies that supply SaaS and application services, such as Microsoft online email and Apple application services, by conducting man-in-the-middle attacks on the Internet infrastructure. A separate report described a man-in-the-middle attack against Microsoft, Yahoo and Apple iCloud services. These attacks purportedly sought to obtain victims' credentials by intercepting traffic going to these sites. They were reported in October 2014 and coincided with the release of Apple's iPhone 6 in Asia. Apple acknowledged the attack by producing a web page warning against the forged certificates and releasing a series of recommendations for users to avoid becoming victims of this type of attack. A forged security certificate is shown in Figure 2.



    TLP: GREEN GSI ID: 1084



    Figure 1: shared captured traffic indicating the man-in-the-middle attack

    Figure 2: A forged security site certificate for

    1.3 / TARGETED DEVICES: MOBILE / Open-source intelligence suggests the active targeting of mobile devices. This targeting has been seen in the form of phishing attacks, attempts to create man-in-the-middle application stores, and the impersonation of applications so that attackers can compromise devices, redirect them, or gather information about users' browsing actions. The attacks require access to specific parts of the Internet infrastructure as well as specific knowledge of mobile operating system architecture in order to develop the customized malicious payload.

    In addition, cell phone signal interception technology may have been used when targeting victims. By intercepting cellphone signals and data, attackers can pinpoint a user's approximate location, eavesdrop on communications, modify incoming transmissions, and view the communication and application protocols used by victims, then proceed to target them. Previous research by Kristin Paget showed that actual interception of GSM traffic was possible by targeting GSM protocol vulnerabilities. Research also shows that the CDMA protocol and CDMA handsets can be targeted and compromised.



    The use of this technology by attackers may have aided their efforts in targeting specific applications and generating customized malicious payloads.

    Apple iOS and Android have been the primary mobile operating systems targeted. The open-source Android architecture is more accessible to would-be attackers than iOS, but both have been targeted.

    1.3A / ANDROID / The exploitation of the Android platform can range from footprinting a specific operating system version to the complete takeover and command of the mobile device. Device users can allow installation of applications from third-party application stores, some of which are unsigned or unverified by the Google Play Store. Figure 3 shows how extensive exploitation of an Android mobile can be using current payloads available on the Internet.

    Figure 3: An example of Android operating system exploitation via Metasploit penetration testing software

    1.3B / iOS / The iOS platform is closed-source and has a very restricted process of application verification, approval, review and publishing. It has multiple OS-based security controls. Companies must follow a process involving a number of formal requests and financial investments in order to be part of the Apple development program or even to get access to development resources. This makes iOS more difficult to target than the Android platform and reinforces the thesis that higher-level skills and resources were needed to create the exploits.

    Due to this difficulty, malicious actors chose tactics such as impersonating or bypassing the Apple store in order to serve malicious payloads to targeted victims. This is often accomplished by targeting enterprise provisioning profiles and bypassing the Online Certificate Status Protocol (OCSP) check used to validate enterprise certificates. A detailed description of this type of attack was published by Virus Bulletin.

    In other cases, attackers will create clones of third-party applications in which they embed a targeted application's bundle identifier. Once this cloned (and malicious) application is installed, it will replace the genuine application, bypassing security checks. This approach is feasible because iOS does not enforce matching certificates for applications with the same bundle identifier. A detailed account of an attack named iOS Masque was published on the FireEye blog.

    1.3C / THE JAILBREAKING FACTOR / Malicious actors have also targeted users who have jailbroken their iOS phones. Jailbreaking is the process of removing limitations and security checks in the iOS operating system in order to allow users to install applications from other application stores. In China, for example, 14 percent of the 60 million iOS devices have been jailbroken, often to support the use of third-party Chinese character keyboard apps. Cydia is the most popular third-party application store installed after jailbreaking an iPhone.

    1.4 / MOBILE REMOTE ACCESS TROJAN: THE XSSER MRAT / Lacoon Mobile Security discovered the Xsser mRAT, the first advanced Chinese iOS Trojan, which is related to Android spyware already distributed broadly in Hong Kong. Both the Android and iOS payloads were found to be hosted on the same command-and-control server.

    Xsser mRAT was originally an Android-exclusive mobile Remote Access Trojan (mRAT); however, a new variant aimed at infecting iOS devices emerged in the jailbroken market. The app is installed via a rogue Cydia repository, and once the bundle has been installed and executed, it gains persistence. It then performs server-side checks, exfiltrates data from the user's device, and executes remote commands from its command-and-control (C2) server.

    Applications bundled in Cydia use the popular Debian packaging system, in which a .deb file contains the archive of files for the application. The Xsser mRAT package consists of several installation scripts and a Mach-O executable (Mach-O is the executable format used by Apple binaries).

    Following the extraction process, the postinst (post install) file shown in Figure 4 executes a series of bash commands to adjust the permissions of the files.

    Figure 4: The post-installation script packed with the iOS XsserRAT Debian file

    It then executes the shell script, shown in Figure 5, which is used to install the LaunchDaemon plist, giving the Trojan persistence.
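As an added example, not code from the advisory or from any analysis of the real sample, the Python script below builds a constructed .deb laid out like the package described above (an ar container holding control.tar.gz and data.tar.gz) and flags the two package behaviours the text names: a postinst that changes file permissions and a LaunchDaemon plist dropped for persistence. All package, path and file names in it are constructed sample values.

```python
import io, re, tarfile

def make_tgz(files):
    buf = io.BytesIO()   # pack {path: bytes} into a gzip tar (control.tar.gz / data.tar.gz)
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name); info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def make_ar(members):
    """Wrap members in the ar container every .deb uses: 60-byte headers, even padding."""
    out = b"!<arch>\n"
    for name, blob in members.items():
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(blob):<10}`\n".encode() + blob
        out += b"\n" if len(blob) % 2 else b""
    return out

# Constructed sample, not the real Xsser mRAT: postinst chmods the dropped binary and a
# LaunchDaemon plist would start it at boot (the persistence the advisory describes).
SAMPLE_DEB = make_ar({
    "debian-binary": b"2.0\n",
    "control.tar.gz": make_tgz({"./control": b"Package: sample-tweak\nVersion: 1.0\n",
                                "./postinst": b"#!/bin/bash\nchmod 755 /usr/bin/payload\n"}),
    "data.tar.gz": make_tgz({"./usr/bin/payload": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,
                             "./Library/LaunchDaemons/com.sample.daemon.plist": b"<plist/>\n"}),
})

def ar_members(data):
    pos, members = 8, {}   # skip the 8-byte "!<arch>\n" magic, then walk 60-byte headers
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        size = int(hdr[48:58].decode())
        members[hdr[:16].decode().strip().rstrip("/")] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2   # members are padded to an even offset
    return members

def tar_files(blob):
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        return {re.sub(r"^\./", "", m.name): tf.extractfile(m).read() for m in tf if m.isfile()}

def inspect_deb(data):
    """Return indicator strings for the package behaviours the advisory describes."""
    members = ar_members(data)
    control, payload = tar_files(members["control.tar.gz"]), tar_files(members["data.tar.gz"])
    postinst = control.get("postinst", b"").decode(errors="replace")
    findings = ["postinst changes file permissions"] if re.search(r"^\s*chmod\b", postinst, re.M) else []
    findings += ["installs LaunchDaemon plist: " + p for p in payload
                 if p.startswith("Library/LaunchDaemons/") and p.endswith(".plist")]
    return findings
```

Running inspect_deb against a repository's packages before they reach a device gives a cheap triage signal; a clean package yields an empty list.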


    Figure 5: The startup script executed after the post-installation script

    Once th