Monster in your Pocket. Simple ways to secure your mobile devices.

Phillip Fox

The mobile device sector has become a target-rich environment, and attackers favor the path of least resistance. As corporate networks lock down, threat actors adapt and look for creative ways to find a successful vector. The numbers show that this is already the case: 

Malware aimed at Android smartphones alone has grown 76% over the last year (Source, source)

Every mobile device connected to a corporate network is an attack vector capable of evading detection. Sensitive information can be gathered while the device is connected to the corporate network, then exfiltrated when it is off the network, avoiding any detection that has been implemented. As analysts, when we see a threat beaconing from a mobile device over a corporate network we know the headache we have just uncovered for the team. These threats are hard to track down even on networks with excellent logging and identification processes, mainly because the host is literally moving, and unless you can put the phone to a face, most teams will let the threat walk. 

At Morphick we are always researching and expanding our knowledge base. As analysts, when something doesn’t look right, it’s in our blood to start pulling that thread. A recent investigation involved a mobile device and a POST request to this domain: 

XX.XX.XX    57154   54.223.198.203  80      1       POST    tdcv3.talkingdata.net   /g/d    -       (empty) 635     3       200     OK      -       -       -        (empty)     FlNjC32KNoymA0azpb      application/x-gzip      FuanmuDRDNcJ7p6M6       - 

Initially the investigation didn’t reveal much, except that this was a POST request carrying a gzip-compressed body to an IP/domain hosted in China. Files going to China can be a sign of trouble, but this organization has deep ties to Chinese business. Being curious, I started digging deeper and quickly came across an excellent write-up for this domain. The domain of interest, [ tdcv3[.]talkingdata[.]net/g/d ], has been found hardcoded into various types of Android spyware. 
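As an added example of the triage described above (not Morphick's own tooling), the following Python flags gzip-compressed POST uploads to a watchlisted host such as tdcv3.talkingdata.net in Bro/Zeek-style http.log rows. The column layout is assumed from the abbreviated log line above, the watchlist, the two-indicator threshold and the sample rows are constructed for the example.

```python
# Added example (not Morphick's tooling): flag compressed POST uploads to hosts
# known to be hardcoded into Android spyware, over Bro/Zeek-style http.log rows.
# Column order is assumed from the abbreviated line quoted in the post (timestamp
# and uid already trimmed); take it from your own http.log #fields header.
FIELDS = ("orig_h orig_p resp_h resp_p trans_depth method host uri referrer "
          "user_agent request_body_len response_body_len status_code status_msg "
          "info_code info_msg filename tags orig_fuids orig_mime_types "
          "resp_fuids resp_mime_types").split()
WATCHLIST = {"tdcv3.talkingdata.net"}          # from the write-up the post cites
OPAQUE_UPLOADS = {"application/x-gzip", "application/octet-stream"}

def parse_row(line):
    cols = line.rstrip("\n").split("\t")   # http.log rows are tab-separated
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}")
    return dict(zip(FIELDS, cols))

def check_row(row):
    """Indicators for one row; only POSTs with two or more indicators fire."""
    if row["method"] != "POST":
        return []
    hits = []
    if row["host"].lower() in WATCHLIST:
        hits.append("host on spyware watchlist")
    if set(row["orig_mime_types"].split(",")) & OPAQUE_UPLOADS:
        hits.append("compressed/opaque upload body")
    if row["user_agent"] in ("-", "(empty)"):   # real browsers send a UA
        hits.append("empty User-Agent")
    return hits if len(hits) >= 2 else []

def scan(lines):
    """Return (client, host+uri, upload bytes, indicators) for suspicious rows."""
    out = []
    for row in map(parse_row, lines):
        hits = check_row(row)
        if hits:
            out.append((row["orig_h"], row["host"] + row["uri"],
                        int(row["request_body_len"]), hits))
    return out

# Constructed sample: row 1 mirrors the post's line (client IP redacted as in
# the original); row 2 is ordinary browsing and must not fire.
SAMPLE_LOG = [
    "\t".join("XX.XX.XX 57154 54.223.198.203 80 1 POST tdcv3.talkingdata.net "
              "/g/d - (empty) 635 3 200 OK - - - (empty) FlNjC32KNoymA0azpb "
              "application/x-gzip FuanmuDRDNcJ7p6M6 -".split()),
    "\t".join("10.0.0.5 50222 93.184.216.34 80 1 GET example.com / - "
              "Mozilla/5.0 0 1256 200 OK - - - (empty) - - FaBcDeF12345678 "
              "text/html".split()),
]
```

Requiring two independent indicators keeps a single gzip upload to a legitimate analytics host from paging the team on its own.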

The subject of the write-up was an application called Flash Keyboard, one of the most downloaded apps in the Google Play store. And while TalkingData is a legitimate data analytics company based in China, this application used it to exfiltrate sensitive user data. Mobile malware can be written to hook into legitimate applications, leveraging the application’s granted permissions to collect the desired information. While this particular event may not pose an imminent threat, it may create an attack vector capable of network reconnaissance. Threat actors can use the gathered information to launch future attacks. 

Below is some of the information this application was collecting: 

  • Device manufacturer 
  • Device model number 
  • Device IMEI 
  • Owner’s email address 
  • Wi-Fi SSID 
  • Wi-Fi MAC 
  • Mobile Network (e.g. Vodafone) 
  • GPS coordinates accurate to 1-3 meters 
  • Information about nearby Bluetooth devices 
  • Details of any proxies used by the device 
  • Keylogging features since it has access to your keyboard

The application sends the information to a Chinese analytics server without the user’s knowledge. While our investigation concluded that no direct threat was present in the alert we observed, it does shed light on the real security risk of mobile devices: 

“Passing data without users knowledge” 

Most applications on the market today have access to far more data than they need. Many developers value functionality over security. As a result, users have become complacent about the permissions they hand over. 

The question that needs to be asked is, “Why does a keyboard application need to gather network information?” Short answer: it doesn’t, and this is a violation of Google Play store policy. Any time your personal information is collected and passed to a third party, you are only making your digital footprint larger. 

With any problem, the first step is being aware there is one. Since user awareness is much lower than anyone is willing to admit, educating employees on the risks of mobile devices can go a long way. The solution is simple: you wouldn’t download questionable applications on your work device, so why would you download them on a device holding the keys to your professional and personal life? 

Below are examples of simple safe practices anyone can use to secure their mobile device: 

  • Configure mobile devices to refuse connections to unsecured wireless networks
  • Pay close attention to the permissions an application requests
  • Disable unnecessary permissions for applications 
  • Bluetooth should be either off or hidden from discovery
  • Block the use of third-party software 
  • Enable password protection or biometric security on device 
  • Turn on encryption 
  • Implement remote wipe capabilities on device
  • Delete “stale/dead apps”, ones which are no longer being maintained by the developer
  • Update mobile devices frequently; the vast majority of updates are security patches 
  • Do not jailbreak phones 
  • Download a mobile security application
  • Be cautious about giving away your phone number
  • Do not put your phone number on Facebook
  • Dating applications like Tinder and Match are a phisherman’s dream, be cautious 

Some of these recommendations may seem advanced, but implementing just a few of them will go a long way toward securing your digital identity. We have found them incredibly effective for our clients, both individually and at a corporate infrastructure level. With attempts to compromise mobile devices rising, we wanted to share these guidelines to help keep our readers safe.