It has been a frightening year for anyone with a mobile device, with several high-profile vulnerabilities and attacks on both Android and iOS users. In July, the owners of 950 million Android devices learned that they were susceptible to Stagefright attacks that could be launched in several ways, including via a single text message. iOS has had its own scares with the Masque Attack and XcodeGhost resulting in riskware and malware being distributed via both legitimate and spoofed apps, in and outside the App Store.
Fortunately, we can learn some lessons from the security problems that have been made public and apply them to protect against other unknown and unnamed vulnerabilities.
Stagefright has become the common name for the numerous vulnerabilities that continue to be found in the default media playback framework on Android devices, making it the gift that keeps giving for vulnerability researchers. In October alone, the monthly Android patch cycle covered 15 more remote code executable vulnerabilities labeled as critical and related directly to Stagefright.
This particular bug will have a lasting impact as Android devices continue to be several months, if not years, away from getting critically needed patches for these types of vulnerabilities. Looking forward, we should address the core of the problem, which is the use of largely unaudited code libraries. Not carefully inspecting these libraries and continuing to use them in mobile devices and applications will result in these types of vulnerabilities living on.
2. iOS XcodeGhost
The XcodeGhost malware is noteworthy in that it did not stem from Apple’s iOS but from the tools used to build iOS apps. iOS developers were unwittingly using a malicious version of the Xcode development tool and baking potentially malicious code into their apps. The result was weaponized apps that collected sensitive information from user devices.
Since its discovery, Apple has been working to remove the infected apps from the App Store, but that doesn’t mean the trouble has ended. This type of exploit can happen again, as XCodeGhost has made malicious actors realize attacking at the developer level is an effective approach. For their part, developers must ensure their tools come from trusted sources -- or else place users’ data at risk.
Certifi-gate is a vulnerability affecting Android apps that has been used in the wild. It allows applications to gain illegitimate privileged access through mobile Remote Support Tool (mRST) apps’ security certificates. These tools -- TeamViewer, Rsupport, and CommuniTake Remote Care to name a few -- are often pre-installed and usually have privileged access to functionality on Android devices from popular manufacturers. An exploit that takes advantage of this flaw would gain control of the device by impersonating the apps, leaving users completely vulnerable.
This attack is a perfect example of why manufacturers should be more careful when granting privileged app functions to third parties, and why mobile developers need to become more security-savvy to catch these problems earlier in the development cycle.
4. Masque attack
Among the 400 GB of information leaked as a result of the Hacking Team breach, FireEye discovered a new iteration of the Masque Attack. It involved reverse engineering and repackaging legitimate apps like Facebook, Twitter and WhatsApp to steal users’ sensitive information and upload it to a remote server.
Eleven Masque Attack applications were found, any of which could replace legitimate apps on a victim’s device when they were downloaded. It’s important to note that this attack was made possible by spoofing legitimate apps, which could have been prevented if even the most basic anti-tampering controls were in place to prevent attackers from infiltrating and reverse engineering the apps’ source code.
In all of the above cases, as well as more recent Android and iOS malware discoveries we’re still learning about such as YiSpecter, KeyRaider and Ghost Push, there is a common underlying thread -- a lack of sufficient device and OS security. Even if patches are made available and publicized, there’s no guarantee that your particular device will receive one due to the convoluted methods device manufacturers and mobile carriers use to push patches out. For instance, the second bundle of Stagefright patches is only currently available for certain Android models like the Nexus brand from Google, despite the need for all Android devices to be protected.
Ultimately, due to the OS’s inherent vulnerabilities and the breakneck pace of new exploits, we -- consumers, enterprises and developers alike -- can no longer trust default device security measures and must turn our attention further into the mobile stack. Safeguards need to be applied closer to the data, at the app level, to improve mobile security to the extent that the OS provider, device manufacturers and carriers aren’t addressing. Doing so will go a long way toward ensuring we don’t see nearly as many mobile horror stories next year.