Enhancing Mobile Malware: a Remote Access Tool Case Study – a post by Enrico Frumento

Cyber-attacks are quite common nowadays: data breaches, malware, botnets and phishing are some of the (buzz)words we hear almost constantly in the media. While these attacks were once carried out by “white hat” hackers, whose purpose was to bypass security systems as a hobby or an intellectual challenge, they are now performed mostly by criminals with the aim of making a profit.

The constantly growing interest in this sector enables the proliferation of attack toolkits, also sold in underground markets, potentially allowing more people to perform cyber-attacks. Moreover, the discovery of new vulnerabilities is often accompanied by blog posts or proofs of concept from researchers or security firms that demonstrate the technical details of their exploits. Despite their purpose of raising awareness, this information could also be used to perform attacks.

Remote Access Toolkits (RATs) for mobile devices are widespread, and they can be considered an enabler for attacks aimed at obtaining control of the device itself. Moreover, given the source code of a RAT, it is possible to extend its features, adapting or modifying its behaviour to the attacker’s needs: for example, “hiding” malicious features inside another application, or adding exploits in order to escalate privileges and thus obtain access to the device’s administrative features.

The most common attack scenarios share a first step that consists of installing a malicious application from an alternative (non-official) store, which allows the attacker to remotely control the device. Installing applications from such stores is common user behaviour, especially in the case of paid applications, which are offered there free of charge.

The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information (such as contacts, call and SMS logs, photos, files stored on the SD card, GPS geolocation) and potentially using the device for malicious purposes (creating alerts, opening links in the browser, making calls or sending SMS, taking pictures, using the microphone to intercept environmental audio, intercepting calls). Subsequently, the attacker can also obtain root privileges and gain complete access to the device. Besides giving access to many additional features (such as the internal memory, the ability to install other packages and to edit configurations), this enables a number of new attacks, such as the exfiltration of protected system files, the “transparent” installation of new applications, or the interception of all communications (e.g., performing a MITM attack by configuring a system proxy on the device). A real and recent example of such an infection mechanism is the WireLurker malware.

MUSES works explicitly to demonstrate that a product based on real-time risk evaluation of the terminals’ context and logical status is a working approach, even in these complex infection scenarios.

Researchers Dr. Roberto Puricelli and Dr. Marco Lancini will discuss these topics at the next BSides Conference in Vienna.