TrendLabs Malware Blog - Trend Micro
    Author Archive - Warren Tsai (Product Manager)

    One of the biggest announced features of the newly released iPhone 6 and 6 Plus is Apple Pay. This is Apple’s attempt to popularize mobile payments, which have been around in some form for years. For example, Google Wallet has been around since 2011. NFC (Near Field Communication) contactless payments have been around in some form for more than a decade:

    Figure 1. MasterCard contactless payment terminal

    However, Google’s efforts have not met with much acceptance from consumers. The end users do not believe that these ecosystems are secure and private, and neither are they always easy to use. A 2013 survey of smartphone users indicated that security was the biggest concern surrounding mobile payments.

    So, Apple has a big opportunity to make mobile payments mainstream if they get Apple Pay right.  Apple entering any new market is always significant, as their brand allows them to gain a foothold both in the market and in the minds of consumers.

    At the iPhone/Apple Watch launch event, the broad outlines of how Apple Pay would work were demonstrated. NFC in combination with Touch ID would be used to create a secure and easy-to-use mobile payment system.

    The critical information on the credit/debit card, such as the card number, the expiration date, and the security code, is stored in the iOS Passbook. This information is tokenized, encrypted, and stored in a dedicated chip called the Secure Element.

    Figure 2. Elements of Apple Pay

    During transactions, only the tokenized information and a dynamic transaction code are transferred between the Secure Element and the merchant’s payment terminal (via NFC). Apple made clear that they do not see the actual transactions, going as far as saying:

    Apple doesn’t know what you bought, where you bought it and how much you paid for it. The transaction is between you, the merchant and your bank.

    In theory, this should address concerns about privacy. In addition, this design reduces the risks of a lost device. If the iOS device is lost, there is no need for any associated credit cards to be cancelled: the user can just remotely disable mobile payments via Find My iPhone.
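    The tokenized flow described above, as a constructed Python model added here (it is not Apple’s protocol or code): the Secure Element is modeled as holding only a token and a per-token key, the merchant terminal sees only the token plus a dynamic transaction code, and the token service rejects replayed or altered messages and can disable a token for a lost device without cancelling the card. The HMAC-over-counter scheme, the class names and the sample card number are illustrative assumptions, not Apple’s actual cryptogram format.

```python
import hashlib
import hmac
import os

class SecureElement:
    """Constructed device-side store: a payment token and key, never the PAN."""
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0
    def pay(self, merchant, amount_cents):
        # Fresh counter per tap; the dynamic transaction code (an HMAC here, an
        # illustrative assumption) binds token, merchant, amount and counter.
        self.counter += 1
        body = f"{self.token}|{merchant}|{amount_cents}|{self.counter}"
        code = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"token": self.token, "merchant": merchant,
                "amount": amount_cents, "counter": self.counter, "code": code}

class TokenService:
    """Constructed issuer/network side: the only place a token maps to a PAN."""
    def __init__(self):
        self.vault = {}
    def enroll(self, pan):
        token, key = "tok_" + os.urandom(8).hex(), os.urandom(32)
        self.vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key
    def revoke(self, token):
        self.vault.pop(token, None)  # lost device: token dies, card stays valid
    def authorize(self, msg):
        entry = self.vault.get(msg["token"])
        if entry is None:
            return "declined: unknown token"
        body = f"{msg['token']}|{msg['merchant']}|{msg['amount']}|{msg['counter']}"
        expected = hmac.new(entry["key"], body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["code"]):
            return "declined: bad transaction code"
        if msg["counter"] <= entry["last_counter"]:
            return "declined: replay"
        entry["last_counter"] = msg["counter"]
        return "approved"

def demo():
    svc = TokenService()
    token, key = svc.enroll("4111111111111111")  # constructed sample PAN
    se = SecureElement(token, key)
    msg = se.pay("merchant-42", 1999)  # what crosses NFC to the terminal
    results = [svc.authorize(msg), svc.authorize(msg),  # approved, then replay
               svc.authorize(dict(msg, amount=9999))]  # tampered amount
    svc.revoke(token)  # remote disable after device loss
    results.append(svc.authorize(se.pay("merchant-42", 500)))
    return results, "4111111111111111" in str(msg)
```

    The last value returned by demo() shows that a message captured at the terminal never contains the card number, which is why a POS compromise yields far less than it would with a swiped card.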

    What about the broader ecosystem? Mobile payment systems by other vendors (like Google Wallet) have faced resistance from telecom providers, who have their own systems they’d like to promote.

    Instead, Apple bypassed them and worked directly with the credit card networks as well as the banks. Many high-profile US stores have already signed onto Apple Pay and will roll it out to their stores. Online stores and mobile apps will also include support for Apple Pay.

    Figure 3. Merchants that are part of Apple Pay rollout

    All this may make Apple Pay a significant player in mobile commerce. However, success would also attract cybercriminals. Yes, Apple Pay appears to be secure, and had it been in place, POS attacks like those that recently hit Home Depot would not have been as severe.

    However, until Apple Pay is fully rolled out we cannot say with certainty whether it is secure or not. Every aspect of the Apple Pay ecosystem – the device, the payment process, Passbook, and NFC – will be carefully scrutinized by attackers trying to breach it. In addition, the existence of Apple Pay itself will trigger attacks that use it as social engineering bait.

    Threats to Apple Pay aren’t the only ones that Apple users may encounter. Phishing attacks, data breaches, and even jailbreaking are some of the incidents that may put the security of Apple devices severely at risk. For information on these threats and suggested countermeasures, you may read our Monthly Mobile Report, “Poisoned Apples: A Look into Recent Threats That Affected iOS Users”.

    Posted in Mobile | Comments Off on Apple Pay: Introducing (Secure) Mobile Payments?


    The many announcements at Apple’s 2014 Worldwide Developers Conference (WWDC) this week were welcome news to the throngs of Apple developers and enthusiasts. They were also welcome news for another group of people with less than clean motives: cybercriminals.

    Last week we got a concrete example of how some cybercriminals are now actively targeting Apple ID accounts. A thread in the Apple support forums was filled with users complaining that their devices had been locked, with a message from a certain “Oleg Pliss” demanding $100 to unlock the device. (The real Oleg Pliss is a developer for Oracle; his name appears to have been appropriated by the attackers.) Australian users appear to be the ones most affected by this attack.

    How was this attack carried out? It appears that the Find my iPhone feature was abused. An attacker with the victim’s Apple ID credentials would be able to log into the Apple site providing this service, send the ransom message to the user, and lock the phone.

    It’s unclear where the Apple ID credentials came from, but there are multiple possibilities. For example, we know that since last year phishing sites have tried to harvest Apple ID credentials. Reused passwords or social engineering may also have been used in this attack.

    How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult.

    We will likely see more attacks trying to steal Apple IDs moving forward. For example, we can see routers with malicious DNS settings being used in man-in-the-middle attacks to try and steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as more and more information is placed in it by users. For example, the introduction of HealthKit and HomeKit in iOS 8 may mean that even more intimate and personal information may be tied, directly or not, to the Apple ID.

    It’s a good reminder that despite Apple’s willingness to use mobile malware and vulnerabilities as a club against competitors, not all mobile threats can be so easily addressed and dismissed.

    Figure 1. Apple criticizing Android fragmentation

    So, what can users do? Our advice is similar to those for any other credential that needs to be protected:

    • Don’t reuse your password.
    • Use a secure password/passphrase.
    • Enable security features like two-factor authentication, if possible.

    To be fair, some of these steps are harder to perform on a mobile device than a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like Apple ID – are a valuable target for cybercriminals.

    To get the latest news on targeted attacks, visit the Data Breaches page in the Threat Encyclopedia.

    Posted in Mac | Comments Off on Hacking Apple ID?

    Recently, there was a very public example of how not to do a tablet deployment. The Los Angeles Times reported that the Los Angeles Unified School District had been forced to suspend a program to provide iPads to students because several hundred students had figured out ways to remove security restrictions put in place by school administrators.

    As it turned out, the LAUSD did not use sophisticated tools to manage their iPads. They merely used ActiveSync accounts, which students were able to “hack” by simply deleting them from their tablets. This allowed the students to gain control of their iOS devices and use them to stream music and visit social media sites. (The school district has since taken back all of the issued iPads.)

    This incident highlights the many pitfalls of trying to deploy and manage mobile devices in any large, organized setting. A more sophisticated device management solution may have been needed, but it would have raised costs (both up-front and in the long term). So instead, they relied on a relatively simple and easy to maintain solution – which, unfortunately, was easily defeated. From a purely technical perspective, solutions for this problem were available, but were not chosen.

    However, what’s more interesting – and what we can learn from – is the why. The technical issues can probably be resolved without too much difficulty. Why did students feel the need to hack their devices? One student said it best: they took the devices home and “they can’t do anything with them.”

    Simply put, the students viewed these iPads as personal devices, with their data on them, and theirs to do with as they wished. That, in and of itself, is a valuable lesson for enterprises trying to secure and protect their employees’ devices.

    Despite the rise of consumerization, divisions should still exist between “personal” devices and “work” devices. Mobile device management attempts to bridge this divide, but it does add complexity and cost. Just as importantly, user mindsets about what’s “personal” and what’s “work” still exist. That means that corporate data can be placed at risk due to exposure on “personal” devices.

    What might be more important than technical solutions is to change and understand mindsets. Part of the strategy for dealing with consumerization is the understanding that “work” information on “personal” devices means that behavior has to change, too. You can’t, say, hand off a tablet with your work email to your child to play Candy Crush – that would just be silly. Employees have to understand that more than technical limits, behavioral limits apply, too.

    Conversely, enterprises have to understand that imposed limits on “personal” devices have to be reasonable. Here, the limits were so strict that students had plenty of motivation to go around them. Enterprises have to be careful that their own limits aren’t similarly evaded – either by “hacking” authorized devices or by just using unauthorized ones.

    In dealing with consumerization, we’ve always said it was important to have a strategy. Obviously, different organizations will have different strategies depending on their needs, capabilities, and potential threats. What this incident teaches us is that the strategy has to be sensible, reasonable, and perhaps most of all: enforceable.

    Posted in Mobile | 1 TrackBack »


    In the past couple of weeks, there has been some breathless reporting about how iOS users could now install pirated apps without having to jailbreak their phones. This was made possible by certain Chinese app store-like services.

    Some of the reporting has been wondering how this was possible, but anyone with knowledge of iOS enterprise deployments knew what was going on. The same features which allow enterprises to deploy their own custom apps have now been abused to deliver pirated apps to users.

    This “newly discovered” method is one of several ways to get malicious or fake apps onto iOS devices. However, because the iOS sandbox has not been compromised, what each app can and can’t do is rather limited. Such an app may still try to send personal information to an external server, which creates a privacy data leakage problem.


    Posted in Malware, Mobile | Comments Off on Pirated App Stores on iOS?


    Last week the news sites were full of headlines proclaiming that the “first iOS malware” had hit the iOS App Store. Just one problem with those headlines: they weren’t 100% accurate.

    The “Find and Call” app – the Android version of which we detect as ANDROIDOS_INFOLKFIDCAL.A, and the iOS version as IOS_INFOLKCONTACTS.A – has only one key feature. It sends the user’s address book to a remote server without the user’s explicit say-so. Simply put, that’s a clear violation of privacy and apps shouldn’t be doing it. Period. In this particular case, the people in the address book were spammed, but that was done by the remote server, not the “malware” itself.

    But there’s one problem. Legitimate apps have done exactly the same thing before. The social networking app Path was famously caught doing this earlier this year. Path came under tremendous fire for breaching users’ privacy so blatantly.

    This was enough of a concern for Apple that the iOS 6 beta explicitly requires user consent every time before an app can access/send a user’s contacts, calendars, reminders, or photos.

    The fact is that enough legitimate apps want access to users’ data that the practice of sending a user’s calendar information to a server isn’t instantly thought of as “bad” behavior anymore, because so many people let their apps do it. Unfortunately, the act of sending a user’s contact list has been “legitimized” by these apps, even if it remains, strictly speaking, odious behavior. In fact, “Find and Call” did explicitly ask for access to the user’s contact list.

    Users should ignore the exaggerated hype about this “first iOS malware” and think about what it really did – it gave an app (and, implicitly, the people behind that app) access to their contacts. Think about how many apps ask for similar permissions – usually in the guise of sharing with or finding your friends/contacts. This incident should serve as a wake-up call to users as to exactly who – and how often – they’re giving their information to.

    Apple deserves kudos for giving users the tools to help manage their personal information. Other mobile OS vendors should follow suit to provide all users with methods to protect their privacy.

    Posted in Mobile | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved.