• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Exploits   »   Exploiting Vulnerabilities: The Other Side of Mobile Threats

Exploiting Vulnerabilities: The Other Side of Mobile Threats

  • Posted on:August 8, 2013 at 8:49 am
  • Posted in:Exploits, Mobile, Vulnerabilities
  • Author:
    Gelo Abendan (Technical Communications)
0

Though the bulk of mobile threats are in the form of malicious or high-risk apps, mobile devices are also troubled with other threats. Take for example the bugs found in Samsung Galaxy devices and the OBAD malware that exploits vulnerabilities to gain elevated privileges. Unfortunately, these are not the only vulnerabilities that mobile users should be wary of.

Just recently in BlackHat USA,  three vulnerabilities were discussed :  “master key” vulnerability in Android, the SIM card, and the iPhone charger vulnerability.

The “master key” vulnerability was initially reported affecting 99% of Android mobile devices. This is related to how Android apps are signed and may allow an attacker to update an already installed app without the developer’s signing key. Taking advantage of this flaw, the attacker can then replace legitimate apps with malicious ones. We saw first-hand just how big its impact can be when our researchers got hand of an attack that used the vulnerability to update and trojanize a banking app.

The second mobile device vulnerability, on the other hand, stems from the use of old encryption system in most SIM cards today. To abuse the vulnerabilty, the attacker only needs to send an SMS message crafted to intentionally generate error. As a result, the SIM card responds with an error code containing a 56-bit security key. The key can then be used by the attacker to send a message to the device in order to trigger the downloading of malicious Java applets, which may be designed to perform several malicious routines such as sending text messages and spying on the phone’s location.

Unlike the “master key” vulnerability, the SIM card vulnerability can affect a far bigger set of users since it is not OS- dependent. Furthermore, because the said threat stems from the use of an old decryption method, updating SIM cards with a newer decryption feature can be seen as impractical and expensive by GSM operators and telecommunication firms.

There are other ways to prevent attacks targeting this vulnerability. Filtering SMS messages can be a good start, but may not be possible with very basic handsets. Some telecommunication providers also offer in-network SMS filtering, but is highly dependent on the mobile carrier.

The third vulnerability confirms that even the iPhone is not immune from vulnerabilities. Researchers from the Georgia Institute of Technology were able to create a a malicious charger (also called Mactan) that contain mini computers that can initiate USB commands. Presented during the recent BlackHat US, the researchers demonstrated how the malicious charger was able to infect the iPhone and execute commands. Apple has then announced that the vulnerability used to execute the attack will be addressed in their next software update.

A Bigger Concern in the Future

So far, vendors like Google, Apple and Samsung have responded swiftly to these security concerns. However, considering that the most known form of mobile threats for some time now has been the abundance of malicious applications, the emergence of vulnerabilities related to mobile computing shows a different and more alarming concern.

Vulnerabilities are very effective avenues for threats, as we’ve learned from dealing with PC threats. They are also very tricky to deal with, both from the users’ and the developers’ side. The way vulnerabilities are handled in terms of PCs is an issue that is still under much discussion, as well as with patch management.  The case might not be any different for mobile, should this trend continue. It might even be made more complicated with concerns such as consumerization and fragmentation.

The need for mobile users to keep their device secure from threats is now greater than ever, and is bound to even be more critical later on. Not only are new threats or infection points emerging; the known threats are also increasing, and improving at the same time. As reported in our recently released 2Q 2013 Security Roundup, the malicious and high-risk apps found affecting Android has reached 718,000 — showing an increase of 350,000 in just 6 months.

For now, the best course of action that users can take is to make sure that their device software is always updated. This step, along with installing a security software and downloading only from trusted sources should help minimize the risk of being affected by attacks.

To learn more about these vulnerabilities, and the other developments in the mobile threat landscape, read our 2Q 2013 Security Roundup, Mobile Threats Go Full Throttle: Device Flaws Lead to Risky Trail.

 

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: androidAppleblackhat 2013charger vulnerabilityiphonemaster keymobile threatssim card vulnerability

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.