Security Issues vs User Awareness in Mobile Devices a Survey
Mobile devices help modern man stay connected. Mobile phones come handy to serve this purpose; they use a radio link available in a geographical area, to make and receive telephonic calls,without compromising on the mobility. In the most recent years, the mobile phones are not just meant for making calls; they are used for many more purposes. Their penetration rate has increased drastically with a wide range of applications coming into the market every day. The latest ones, the Smart phones, serve an increasing number of activities besides storing sensitive data. This has made the mobile phones a prime target for attacks. The users lose all the important data besides losing a handsome amount with the loss of mobile phones; even messaging has become highly insecure. Hence this paper intends to discuss the results of a survey made online on the possible attacks on mobile devices. The paper also throws light on the case studies of a variety of attacks that have beenregistered in the world of mobile phones.
Content
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME ENGINEERING AND TECHNOLOGY (IJARET)
ISSN 0976 - 6480 (Print) ISSN 0976 - 6499 (Online) Volume 4, Issue 3, April 2013, pp. 217-225 © IAEME: www.iaeme.com/ijaret.asp Journal Impact Factor (2013): 5.8376 (Calculated by GISI) www.jifactor.com
IJARET
©IAEME
SECURITY ISSUES VS USER AWARENESS IN MOBILE DEVICES: A SURVEY
Khaja Mizbahuddin Quadry, Research scholar, JNTUK, Kakinada, A.P, India Dr. Mohammed Misbahuddin, Senior Technical Officer, C-DAC, Electronic city, Bangalore Dr.A.Govardhan, Professor of CSE Dept and Director of Evaluation, JNTU, Hyderabad, A.P., India
ABSTRACT Mobile devices help modern man stay connected. Mobile phones come handy to serve this purpose; they use a radio link available in a geographical area, to make and receive telephonic calls, without compromising on the mobility. In the most recent years, the mobile phones are not just meant for making calls; they are used for many more purposes. Their penetration rate has increased drastically with a wide range of applications coming into the market every day. The latest ones, the Smart phones, serve an increasing number of activities besides storing sensitive data. This has made the mobile phones a prime target for attacks. The users lose all the important data besides losing a handsome amount with the loss of mobile phones; even messaging has become highly insecure. Hence this paper intends to discuss the results of a survey made online on the possible attacks on mobile devices. The paper also throws light on the case studies of a variety of attacks that have been registered in the world of mobile phones. Keywords: Security issues, Vulnerabilities, attacks, malware 1. INTRODUCTION Mobile phones, [1] otherwise called the cell phones, facilitate making and receiving telephonic calls through a radio link available in a geographical area, while being mobile. The cellular network provided by a mobile phone service provider in any area allows the cell phone access to the public telephone network. In addition to telephony, text messaging, mailing, internet access, short 217
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME range wireless communications (I.R, Bluetooth) business applications, gaming and photography are also possible by these modern mobile phones.. Hence, every common man in the modern times finds a trustworthy companion in the form of these mobile phones. They serve as a means to stay connected with family and friends, carry on business transactions, make emergency calls, etc. Records show that rural consumers, earning less than $1000 yearly, make the fastest growing cell phone subscribers world-wide. The expansion of Indian cell phone industry presents a sharp contrast when compared to the other industries. The present day Smart phones are supported with more general computing capabilities. The cell phone industry registered a boost in December 2008. More than 10million new subscribers were reported in comparison to the 8 million in 2007. The overall subscription in the cell phone industry grew by 48% in 2008 with 34 million customers. The past twenty years, from 1990 to 2010, recorded a growth in the worldwide mobile phone subscriptions, from 12.4 million to over 4.6 billion; it penetrated and reached the bottom level of the economic pyramid in the developing economies. An exponential increase in the numbers of users has been recorded ever since the mobile phones were first made available. The end of 2009 saw over 50 mobile operators with 10 million subscribers each and another over 150 mobile operators with at least one million subscribers. The year 2010, has recorded 4.6billion mobile phone subscribers on the whole, a number that is expected to grow more rapidly in the years to come... 2.1 VULNERABILITIES and Security of Mobile Devices With the wide spread use of Mobile phones for a wide range of applications, their security is a matter of serious concern. Mobile phones are nowadays considered to be the very handy authentication medium by many websites [3] and by most of the online businesses. They send an SMS based authentication code for ensuring authentication online; often in clear text involving no codes. As these mobile phones run the risk of being stolen, the fraudster can easily read the text or forward it to another number. This allows a cyber criminal authenticate fraudulently. Vulnerability, [2] though not so common a factor with the desktops, is very serious in case of mobile devices given to their small size and portability; thus being easily stolen or lost. The report presented at Georgia Tech Cyber Security Summit 2011, the Emerging Cyber Threats 2011 talks about the rise of vulnerabilities in case of mobile browsers. The security experts say that the device constraints and tension between usability and security make it difficult to debug issues. As the mobile browsers never get updated as traditional web browsers do, and the users continue using the same operating system and the mobile browser as it was on the date of manufacture, the attackers gain a big advantage. Attackers leverage a logic flaw in the mobile network standards and force mobile phones to send premium rate SMS messages preventing them from receiving messages for long periods of time. Major actions like checking credit or voice mail, calling emergency numbers or customer support and even performing mobile banking are performed by these malicious applications, while typically they figure themselves as menu or application bearing the operators’ name. A majority of cell phones don’t notify for the SIM Toolkit messages; some others wakeup from their sleep mode, but neither they indicate the receipt of any neither message nor do they show any message in the inbox. However, when automated error reports are sent, the users of some branded phones get notified for the message being sent but can’t really see any message. Only the Nokia devices ask for confirmation to send SIM toolkit response. But this option, asking for confirming the SIM service actions, is off by default on the phones configured by the operators. The most recent devices like iphones and the Windows mobile 6.x devices notify the message being sent but offer no way to stop it. However the sender can request for a reply via SMS either directly to the sender’s number or to the operator’s message center. The online banking applications through mobile browsers are also vulnerable to the phishing websites that invite the bank customers to enter their passwords or other credentials.
218
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3 CASE STUDIES We discuss some of the mobile phone attacks reported. 3.1 CASE STUDY: ZEUS TROJAN ATTACKS BANK' S 2-FACTOR AUTHENTICATION Zeus [4], a type of banking Trojan, has been reported to target the mobile phones when the users try to get their handsets upgraded to the two-factor authentication facility. The F-secure antivirus provider researchers informed that the Zeus MitMo attack appears to be similar to the reported in Spain. In both the cases the malware attempted to steal the mTANs (mobile transaction authentication numbers) used by a majority of European banks an enhanced authentication service to their online customers. In this case the financial institutions provide a one-time password through SMS, which in the secondary stage needs pass codes to login to online accounts. The Zeus Mitmo[5] creates a fraudulent field on the web page prompting the users to provide their cell phone numbers and the type of handset they use. As there is no change in the URL or any changes in the header or footer that hints about the untrusted security panel. The users provide the information thinking that they are enhancing their security, least knowing that the notification is fraudulent. Thus activated, the app then monitors your SMS messages and sends the mTANS to the Zeus operator, making it possible to gain access to your bank account as it has got your user name, password and mTAN; combination that would clear your account of cash. 3.2 Case study: Spy Eye banking Trojan: now with SMS hijacking capability Another banking Trojan, the Spy Eye[7] has the capability to reroute the SMSes carrying the onetime passwords sent to victims' cell phones. This feature enables the Trojan to bypass all the protections adopted by the financial institutions. In yet another case, the Spy Eye tried to redirect and trick the victims to reassigning the cell phone number that they have registered with the banks to receive one-time passwords. The fraudulent pages injected into the online banking sessions make a false claim that the users have been assigned a unique telephone number and that they would receive a special SIM card in the mail shortly. Thus injected, Spy Eye allows the fraudsters to receive all the SMS transaction verification codes for the hijacked account via their own telephone network. In this way they divert funds using the SMS confirmation system from the customer's account without acknowledgement or triggering any fraud detection alarms. How the attack works: The malware first gains the access to the login information logs into the account without being detected by the bank or the consumer. With the help of social engineering he obtains the confirmation code originally used to activate the consumer's mobile phone number with the bank. To do this the malware injects a page that is assumed by the consumer that it is from the bank. It says that as a requirement for the new security system unique telephone numbers are being issued to the customers and that they will receive a special SIM card in the mail. The customers are prompted to reregister with the bank using the original confirmation code into the relevant field; of course, the Black Hats are ready to capture it. On getting the code the fraudsters claim for a change in the old phone number with the new one which will be their own number. As soon as this is done, they divert the funds, without alerting the customer or the bank about the fraud. These unauthorized withdrawals or expenditures are noticed only when the customer logs in to his account. This is enough to demonstrate that all out-of-band authentication systems, including SMS-based solutions, are not fool-proof. As the banks have started verifying the transactions and subjecting them to various fraud detection systems, the fraudsters are using a combination of MITB (man in the browser injection) technology and social engineering to buy themselves more time. Once a computer has been identified to be infected with Spy Eye, such attacks can be checked with endpoint security that blocks MITB techniques. Only a layered approach to security can solve the issue otherwise even the most sophisticated OOBA schemes would fail. 219
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3.21 First Spy Eye Attack on Android Mobile Platform Spy Eye [8] is fast spreading in the mobile market, making the Android mobile platform their target. Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, Spy Eye introduced their own hybrid desktop-mobile attacks (dubbed SPITMO). On the Zeus’ tracks. Trojan: SymbOS/Spitmo
The SPITMO Trojan injects fraudulent fields for the user’s mobile phone number and the IMEI of the phone into the bank's webpage, thus directing the user to provide them. The Trojan needs to link up with the developer certificate in order to get installed on the user’s phone. But as the developer’s certificate is tied to the IMEI of the user’s mobile phone, the malware authors request the IMEI along with the phone number on the bank's website. On receiving the new IMEIs, they request an updated certificate with the IMEIs of all the victims in order to sign in and create a new installer. The delay in getting the new certificate from the developer explains why the Spy Eye injected message states it can take up to three days for the certificate to be delivered.
The cumbersome cycle which is used to circumvent Symbian's signing in requirement makes the Trojan take up to three days to complete an attack. • Ask the user for their device's IMEI • Generate an appropriate certificate • Release an updated installer Trojan:DriodOS/Spitmo The fraudsters find it unreasonable to wait for three days just to steal a couple of SMSs. The Android OS provides a much more intuitive and modern approach to succeed getting desired treasure. Figure3 has a pictorial overview of how MitMo evolved. The figure shows clearly that before 2011 Blackberry and symbian were affected by Zeus Trojan, but after April 2011 the Spy Eye Android, Blackberry and Symbian.
Figure.3 MITMO EVOLUTI (www.pcworld.com/.../spyeye_trojan_targets_online_banking_securit The Trustee reached the following analysis from a Spy Eye compromised machine on July 24th: Stage 1: MITB – web injects module (you know the drill...) When a compromised mobile is used for transacting with the targeted bank, a message prompts a "new" security measure, supposedly being enforced by the bank, which is mandatory in order to use its online banking service thereafter. It seems to be an Android application, fully safe and protecting the phone’s SMS messages from being intercepted (there’s irony for you…) and guards the user against any fraud.
220
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME The "set the application" button on clicking, provides further instructions for installing the application: Stage 2: Android (malicious) App installation The user is directed to click on the URL: hxxp://www.androidseguridad.com/simseg.apk. After the installation of the Android application on the compromised device, the application named "System" is not visible. It's not a service, and it’s not listed in any of the current running applications. In order locate the existence of this app, a bit of searching is required: In order to complete the installation, the user is made to dial the number "325000"; the Android malware hijacks this call presenting a malicious activation code that is to be submitted later in to the "bank’s site": Following is the de-complied code snippet found responsible for the "activation code" operation but there is no reference to it in the application package (as of July 24) Stage 3: Android secure application is a Trojan After the successful installation, the Trojan intercepts all incoming SMSs and transfers them to the attacker C&C; the de-compiled code snippet given below creates a string for later use, whenever an SMS is received: “? Sender= [SendeerAddress] &receiver=[ReciverAddress]&text=[MessageBody The above formed string structure will be later be appended, as a query string, with a GET HTTP request, to be sent to the attacker's end. There is a "Settings.xml" file (asset directory) with a configuration, within the app, for the Trojan; "Settings.xml" defines: • The transfer method i.e. SMS or HTTP • The attacker's drop zone URLs Here’s a snippet of the extracts from "Settings.xml": Stage 4: SMS Spy Command & Control Four domain names in the URLs in use were found not registered (yet!): 124ff42.com; 124ffdfsaf.com; and 124sfafsaffa.com.However, Spy Eye - the domain ‘124ffsaf.com’ has been found ‘hopping’ around in different IPs, in several locations, around the world.The snippet from SpyEye’s tracker history record for the domain 124ffsaf.com over a three day period shows as follows:Peeping around the attacker C&C reveals an unprotected (at the moment!) statistics page It’s worth mentioning that the Attacker C&C above was produced the above stated information when the Trojan was tested in action in the lab. The Sender 15555215556 and the Recipient 15555215554 refers to the two Android emulators used in the lab to simulate the attack (the corresponding HTTP traffic is presented above). As indicated in the page, the attack has yet to gain momentum, so consider this a warning. I'm pretty sure this is just the beginning so I’m tempted to say, “To be continued…” SPITMO for Android loses the battle against Trusteer It is hightime that the Organizations acted and installed a desktop browser security solution in the multi layered security profile they have been using. The banks that already offer Trusteer Rapport are automatically protected and are NOT vulnerable to this attack - even if the Trojan is downloaded. This is due to Rapport being supported by a feature to prevent Spy Eye from installing on the customer's PC, thus terminating the attack before it takes hold. Those who are not using Rapport, Trusteer Pinpoint will detect and report the real-time victims, as being infected with this variant of SpyEye, when they attempt to log in to the bank's website. The attack is nullified by restricting the services to these reportedly infected machines, like disabling it to complete transactions. Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block such attacks by preventing any malicious activity.
221
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3.22 SPY EYE BANK TROJAN HIDES ITS FRAUD FOOTPRINT Another nastier version of Spy Eye [9], has been detected with the ability to hide all fraudulent transactions from victims and was found allegedly targeting the major UK banks. This Spy Eye version is a tweak of the Zeus crimeware kit that grabs web-form data within browsers. This new Trojan, doesn’t intercept or divert email messages, rather hides the fraudulent transactions, masks the amount of the transaction, and puts forward a fake balance, ensuring that victims are unaware of anything being amiss on their account. Its work can be briefed as: 1. Spy Eye steals the debit card data by employing a man-in-the-browser attack on an online banking session. 2. The fraud is committed with the debit card data. 3. Thirdly, the Spy Eye initiates a post-transaction attack and hides the fraudulent transactions from the victim, when he logs in to his account the next time Here’s detailed description of how it goes down: Step 1 – Malware Post-Login Attack - Credentials Stolen: a. The victim’s machine is first infected with any Man in the Browser malware (e.g. Zeus, Spy Eye, Carberp), with a suitable configuration. b. The fraudulently configured malware asks the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, month and year of expiry, etc. Step 2 – Fraudster Commits Fraudulent Activity: c., The cybercriminals then create a card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet using the customer’s debit card details. d. The fraudulent transaction details are immediately fed in to the malware control panel by the fraudster. Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:
Figure 4 MitMo Attack Cycle ( nakedsecurity.sophos.com/.../spyeye-bank-trojan-hides-its-fraudfoot.)
222
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3.32 Case Study: Android Trojan records calls Cyber Criminals [11] have increased the functionality of Android Trojans. Earlier versions of mobile malware strains for Google's mobile platform were able to log the duration and numbers of incoming and outgoing calls. The new malware goes a step ahead by capturing the whole content of conversations before storing them on the SD-slot memory card of infected Android phones. The hackers then upload these conversations to a server, according to the tests carried on the malware by the security researchers at CA in a closed environment On installation, the malware drops a 'configuration' file containing the key information about the remote server and the parameters.’ This as-yet-unnamed malware cannot install by itself. It needs to be installed by the victims who consider it to be a prototype of some sort, a game or a tool that they can use against their spouses to keep track of their activities. The Victims, tricked into installing it, would need to agree to install the application, grant it permissions to record audio, read the state of a phone and prevent it from sleeping. 3.31 NEW Drive-By Android Trojan Attacks Mobile Users Android.Notcompatible [11], an Android Trojan horse program getting installed via a partial drive-by download has been identified as a threat by Symantec. Though Symantec gives Android.Notcompatible its lowest risk level, very Low, the main concern is that it might be copied by other hackers to use the technique in other attacks. Drive-by downloads—the malware that installs itself without the user's knowledge--typically occur when a website is visited. Android.Notcompatible pretends as a genuine system update under the name "com.Security.Update". The images below show the download and installation. Taking the program to be a genuine update by its pretence, the infected users approve installation. After being installed on a phone, Android.Notcompatible monitors all incoming and outgoing data including the personal one, sends its copies to the attacker through a proxy code. Android.Notcompatible spreads via URL redirects injected into the HTML of innocent bystander sites. The users who allow installation from unknown sources are most susceptible. Users who download apps from Google Play are safe from this or any other threat. The following sites have been identified as Android.Notcompatible hosts, by Symantec. (The "http" part of the addresses is bracketed to prevent accidental launches of infected sites.):
• • • •
[http://]androidbia.info [http://]androidjea.info [http://]gaoanalitics.info [http://]androidonlinefix.info
3.4 Case Study: Scumbags get sneaky with new self-robbery Trojan A particularly sneaky banking Trojan equipped with a self-robbery tricks that traps victims into transferring funds into the accounts controlled by cyber crooks or their partners has been developed by the malware-peddlers[12]. The users of the infected machines, on logging in to the bank site, get a fake message alerting them of a mistaken credit to their account, asking the user to revert the said amount to unfreeze their account. Trojan falsely inflates displayed account balances on infected machines, besides offering a pre-filled online transfer form in order to make the ploy more plausible. All these make the victim trust and transfer the said amount without getting it confirmed from the bank. While previous banking Trojans, like the URL Zone Trojan displayed fake balances on infected machines, this latest strain of malware is an evolution of this line of attack. As the period of time involved in banking fraud increases the risk of the fraud being tracked down, the fraudsters find it safer tricking victims into transferring funds themselves rather than employing money mules to force entry to the compromised accounts. Fraudsters can thus quickly loot accounts, before the compromised accounts are suspended or login credentials changed.
223
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 4 CONCLUSIONS This survey concludes that Mobile phones are not secure unless the user is well aware of the risks. They can be attacked and used for various fraudulent purposes, not normally identified by users. This paper explores some vulnerabilities, and explains how they may be exploited. Finally, the case studies expose consequences of attacks on mobile phones by malware. The lack of security awareness [15] among cell phone users and their carelessness are the two prominent risk factors that fall the users prey to the fraudsters. It is extremely important to understand that a smart phone is far more than just a phone and cannot be treated like one of ordinary standards. Unlike the previous generations of cell phones, that were least susceptible to Bluetooth hijacking, the modern smart phones are prone to the same risks as PCs, equipped with Bluetooth or internet features. New attack vectors will increasingly be exploited by fraudsters as online banking services use these devices as second authentication factors given the convergence between PCs and cell phones. Recommendations for a secure mobile banking:
• • Check rating, user reviews, and comments for each mobile application you download. Avoid low rated, new applications, and bad reviews. Carefully evaluate the permission requested by Android applications when you install them. Applications that ask for access to text messages and other sensitive information should raise a red flag and further researched before you download it Have your PC protected with online banking security software such as Trusteer Rapport that can be downloaded from your bank's website. This software rules out the possibility of MitMo attacks by restricting fraudsters from controlling the web channel. Regularly install updates on your mobile device Enable access protection measures such as a PIN or password (if possible). Configure the smart phone to automatically lock after a minute or so when being idle. Before installing or using new smartphone apps or services, check their reputation. Only install applications from trusted sources. Pay attention to the security permissions requested by every application and service you install. Keep your operating system and software applications up to date. Disable features not in use: Bluetooth, infrared or Wi-Fi. If you have Bluetooth enabled, set your device to be hidden and password-protect it. Make regular backup copies of your important files. Encrypt sensitive information whenever possible. Use call and SMS encryption software. Whenever possible, do not store sensitive information on the smartphone. Make sure it is not cached locally. Erase all information from the smartphone once you get rid of it. In the event your phone is lost or stolen, inform your service provider and give them your device‘s IMEI number to block it. You can also use remote or automatic deletion of data (after several failed login attempts). Monitor the smartphone for anomaly detection. Check your account activity frequently to detect fraud. Be aware of the risks associated with these devices and use them correctly
•
• • • • • • • • • • • • • • • • •
224
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME
REFERENCES
[1] http://www.en.wikipedia.org/wiki/Mobile_phone [2]en.wikipedia.org/wiki/Mobile_virus [3]http://www.theregister.co.uk/2011/02/22/zeus_2_factor_authentication_attack/ [4] www.eweek.com/.../Zeus-Trojan-Mobile-Variant-Intercepts-SMS-Pas. [5] www.thinkdigit.com/Mobiles.../ZeuS-Trojan-now-affecting-BlackBer [6] www.networkworld.com/.../zeus-trojan-back-and-targeti... - United States [7]www.theregister.co.uk/2011/10/06/banking_trojan_steals_sms/ [8] www.trusteer.com/.../first-spyeye-attack-android-mobile-platform-no. [9]nakedsecurity.sophos.com/.../spyeye-bank-trojan-hides-its-fraud-foot[ 10]http://www.theregister.co.uk/2011/08/02/android_malware_records_calls/ [11]www.informationweek.com/byte/news/232901415 [12] http://www.theregister.co.uk/2011/07/29/tricky_banking_trojan/] [13] http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/ [14]www.informationweek.com/news/security/vulnerabilities/229219049 [15] http://www.scribd.com/doc/57779895/CNCCS-Smart-Phone-Malware [16] K.Sangeetha and Dr.K.Ravikumar, “A Framework for Practical Vulnerabilities of the Tor (The Onion Routing) Anonymity Network”, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 3, 2012, pp. 112 - 120, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375 [16] A.Edwinrobert and Dr.M.Hemalatha, “Behavioral and Performance Analysis Model for Malware Detection Techniques”, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 141 - 151, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375
225
ISSN 0976 - 6480 (Print) ISSN 0976 - 6499 (Online) Volume 4, Issue 3, April 2013, pp. 217-225 © IAEME: www.iaeme.com/ijaret.asp Journal Impact Factor (2013): 5.8376 (Calculated by GISI) www.jifactor.com
IJARET
©IAEME
SECURITY ISSUES VS USER AWARENESS IN MOBILE DEVICES: A SURVEY
Khaja Mizbahuddin Quadry, Research scholar, JNTUK, Kakinada, A.P, India Dr. Mohammed Misbahuddin, Senior Technical Officer, C-DAC, Electronic city, Bangalore Dr.A.Govardhan, Professor of CSE Dept and Director of Evaluation, JNTU, Hyderabad, A.P., India
ABSTRACT Mobile devices help modern man stay connected. Mobile phones come handy to serve this purpose; they use a radio link available in a geographical area, to make and receive telephonic calls, without compromising on the mobility. In the most recent years, the mobile phones are not just meant for making calls; they are used for many more purposes. Their penetration rate has increased drastically with a wide range of applications coming into the market every day. The latest ones, the Smart phones, serve an increasing number of activities besides storing sensitive data. This has made the mobile phones a prime target for attacks. The users lose all the important data besides losing a handsome amount with the loss of mobile phones; even messaging has become highly insecure. Hence this paper intends to discuss the results of a survey made online on the possible attacks on mobile devices. The paper also throws light on the case studies of a variety of attacks that have been registered in the world of mobile phones. Keywords: Security issues, Vulnerabilities, attacks, malware 1. INTRODUCTION Mobile phones, [1] otherwise called the cell phones, facilitate making and receiving telephonic calls through a radio link available in a geographical area, while being mobile. The cellular network provided by a mobile phone service provider in any area allows the cell phone access to the public telephone network. In addition to telephony, text messaging, mailing, internet access, short 217
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME range wireless communications (I.R, Bluetooth) business applications, gaming and photography are also possible by these modern mobile phones.. Hence, every common man in the modern times finds a trustworthy companion in the form of these mobile phones. They serve as a means to stay connected with family and friends, carry on business transactions, make emergency calls, etc. Records show that rural consumers, earning less than $1000 yearly, make the fastest growing cell phone subscribers world-wide. The expansion of Indian cell phone industry presents a sharp contrast when compared to the other industries. The present day Smart phones are supported with more general computing capabilities. The cell phone industry registered a boost in December 2008. More than 10million new subscribers were reported in comparison to the 8 million in 2007. The overall subscription in the cell phone industry grew by 48% in 2008 with 34 million customers. The past twenty years, from 1990 to 2010, recorded a growth in the worldwide mobile phone subscriptions, from 12.4 million to over 4.6 billion; it penetrated and reached the bottom level of the economic pyramid in the developing economies. An exponential increase in the numbers of users has been recorded ever since the mobile phones were first made available. The end of 2009 saw over 50 mobile operators with 10 million subscribers each and another over 150 mobile operators with at least one million subscribers. The year 2010, has recorded 4.6billion mobile phone subscribers on the whole, a number that is expected to grow more rapidly in the years to come... 2.1 VULNERABILITIES and Security of Mobile Devices With the wide spread use of Mobile phones for a wide range of applications, their security is a matter of serious concern. Mobile phones are nowadays considered to be the very handy authentication medium by many websites [3] and by most of the online businesses. They send an SMS based authentication code for ensuring authentication online; often in clear text involving no codes. As these mobile phones run the risk of being stolen, the fraudster can easily read the text or forward it to another number. This allows a cyber criminal authenticate fraudulently. Vulnerability, [2] though not so common a factor with the desktops, is very serious in case of mobile devices given to their small size and portability; thus being easily stolen or lost. The report presented at Georgia Tech Cyber Security Summit 2011, the Emerging Cyber Threats 2011 talks about the rise of vulnerabilities in case of mobile browsers. The security experts say that the device constraints and tension between usability and security make it difficult to debug issues. As the mobile browsers never get updated as traditional web browsers do, and the users continue using the same operating system and the mobile browser as it was on the date of manufacture, the attackers gain a big advantage. Attackers leverage a logic flaw in the mobile network standards and force mobile phones to send premium rate SMS messages preventing them from receiving messages for long periods of time. Major actions like checking credit or voice mail, calling emergency numbers or customer support and even performing mobile banking are performed by these malicious applications, while typically they figure themselves as menu or application bearing the operators’ name. A majority of cell phones don’t notify for the SIM Toolkit messages; some others wakeup from their sleep mode, but neither they indicate the receipt of any neither message nor do they show any message in the inbox. However, when automated error reports are sent, the users of some branded phones get notified for the message being sent but can’t really see any message. Only the Nokia devices ask for confirmation to send SIM toolkit response. But this option, asking for confirming the SIM service actions, is off by default on the phones configured by the operators. The most recent devices like iphones and the Windows mobile 6.x devices notify the message being sent but offer no way to stop it. However the sender can request for a reply via SMS either directly to the sender’s number or to the operator’s message center. The online banking applications through mobile browsers are also vulnerable to the phishing websites that invite the bank customers to enter their passwords or other credentials.
218
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3 CASE STUDIES We discuss some of the mobile phone attacks reported. 3.1 CASE STUDY: ZEUS TROJAN ATTACKS BANK' S 2-FACTOR AUTHENTICATION Zeus [4], a type of banking Trojan, has been reported to target the mobile phones when the users try to get their handsets upgraded to the two-factor authentication facility. The F-secure antivirus provider researchers informed that the Zeus MitMo attack appears to be similar to the reported in Spain. In both the cases the malware attempted to steal the mTANs (mobile transaction authentication numbers) used by a majority of European banks an enhanced authentication service to their online customers. In this case the financial institutions provide a one-time password through SMS, which in the secondary stage needs pass codes to login to online accounts. The Zeus Mitmo[5] creates a fraudulent field on the web page prompting the users to provide their cell phone numbers and the type of handset they use. As there is no change in the URL or any changes in the header or footer that hints about the untrusted security panel. The users provide the information thinking that they are enhancing their security, least knowing that the notification is fraudulent. Thus activated, the app then monitors your SMS messages and sends the mTANS to the Zeus operator, making it possible to gain access to your bank account as it has got your user name, password and mTAN; combination that would clear your account of cash. 3.2 Case study: Spy Eye banking Trojan: now with SMS hijacking capability Another banking Trojan, the Spy Eye[7] has the capability to reroute the SMSes carrying the onetime passwords sent to victims' cell phones. This feature enables the Trojan to bypass all the protections adopted by the financial institutions. In yet another case, the Spy Eye tried to redirect and trick the victims to reassigning the cell phone number that they have registered with the banks to receive one-time passwords. The fraudulent pages injected into the online banking sessions make a false claim that the users have been assigned a unique telephone number and that they would receive a special SIM card in the mail shortly. Thus injected, Spy Eye allows the fraudsters to receive all the SMS transaction verification codes for the hijacked account via their own telephone network. In this way they divert funds using the SMS confirmation system from the customer's account without acknowledgement or triggering any fraud detection alarms. How the attack works: The malware first gains the access to the login information logs into the account without being detected by the bank or the consumer. With the help of social engineering he obtains the confirmation code originally used to activate the consumer's mobile phone number with the bank. To do this the malware injects a page that is assumed by the consumer that it is from the bank. It says that as a requirement for the new security system unique telephone numbers are being issued to the customers and that they will receive a special SIM card in the mail. The customers are prompted to reregister with the bank using the original confirmation code into the relevant field; of course, the Black Hats are ready to capture it. On getting the code the fraudsters claim for a change in the old phone number with the new one which will be their own number. As soon as this is done, they divert the funds, without alerting the customer or the bank about the fraud. These unauthorized withdrawals or expenditures are noticed only when the customer logs in to his account. This is enough to demonstrate that all out-of-band authentication systems, including SMS-based solutions, are not fool-proof. As the banks have started verifying the transactions and subjecting them to various fraud detection systems, the fraudsters are using a combination of MITB (man in the browser injection) technology and social engineering to buy themselves more time. Once a computer has been identified to be infected with Spy Eye, such attacks can be checked with endpoint security that blocks MITB techniques. Only a layered approach to security can solve the issue otherwise even the most sophisticated OOBA schemes would fail. 219
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3.21 First Spy Eye Attack on Android Mobile Platform Spy Eye [8] is fast spreading in the mobile market, making the Android mobile platform their target. Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, Spy Eye introduced their own hybrid desktop-mobile attacks (dubbed SPITMO). On the Zeus’ tracks. Trojan: SymbOS/Spitmo
The SPITMO Trojan injects fraudulent fields for the user’s mobile phone number and the IMEI of the phone into the bank's webpage, thus directing the user to provide them. The Trojan needs to link up with the developer certificate in order to get installed on the user’s phone. But as the developer’s certificate is tied to the IMEI of the user’s mobile phone, the malware authors request the IMEI along with the phone number on the bank's website. On receiving the new IMEIs, they request an updated certificate with the IMEIs of all the victims in order to sign in and create a new installer. The delay in getting the new certificate from the developer explains why the Spy Eye injected message states it can take up to three days for the certificate to be delivered.
The cumbersome cycle which is used to circumvent Symbian's signing in requirement makes the Trojan take up to three days to complete an attack. • Ask the user for their device's IMEI • Generate an appropriate certificate • Release an updated installer Trojan:DriodOS/Spitmo The fraudsters find it unreasonable to wait for three days just to steal a couple of SMSs. The Android OS provides a much more intuitive and modern approach to succeed getting desired treasure. Figure3 has a pictorial overview of how MitMo evolved. The figure shows clearly that before 2011 Blackberry and symbian were affected by Zeus Trojan, but after April 2011 the Spy Eye Android, Blackberry and Symbian.
Figure.3 MITMO EVOLUTI (www.pcworld.com/.../spyeye_trojan_targets_online_banking_securit The Trustee reached the following analysis from a Spy Eye compromised machine on July 24th: Stage 1: MITB – web injects module (you know the drill...) When a compromised mobile is used for transacting with the targeted bank, a message prompts a "new" security measure, supposedly being enforced by the bank, which is mandatory in order to use its online banking service thereafter. It seems to be an Android application, fully safe and protecting the phone’s SMS messages from being intercepted (there’s irony for you…) and guards the user against any fraud.
220
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME The "set the application" button on clicking, provides further instructions for installing the application: Stage 2: Android (malicious) App installation The user is directed to click on the URL: hxxp://www.androidseguridad.com/simseg.apk. After the installation of the Android application on the compromised device, the application named "System" is not visible. It's not a service, and it’s not listed in any of the current running applications. In order locate the existence of this app, a bit of searching is required: In order to complete the installation, the user is made to dial the number "325000"; the Android malware hijacks this call presenting a malicious activation code that is to be submitted later in to the "bank’s site": Following is the de-complied code snippet found responsible for the "activation code" operation but there is no reference to it in the application package (as of July 24) Stage 3: Android secure application is a Trojan After the successful installation, the Trojan intercepts all incoming SMSs and transfers them to the attacker C&C; the de-compiled code snippet given below creates a string for later use, whenever an SMS is received: “? Sender= [SendeerAddress] &receiver=[ReciverAddress]&text=[MessageBody The above formed string structure will be later be appended, as a query string, with a GET HTTP request, to be sent to the attacker's end. There is a "Settings.xml" file (asset directory) with a configuration, within the app, for the Trojan; "Settings.xml" defines: • The transfer method i.e. SMS or HTTP • The attacker's drop zone URLs Here’s a snippet of the extracts from "Settings.xml": Stage 4: SMS Spy Command & Control Four domain names in the URLs in use were found not registered (yet!): 124ff42.com; 124ffdfsaf.com; and 124sfafsaffa.com.However, Spy Eye - the domain ‘124ffsaf.com’ has been found ‘hopping’ around in different IPs, in several locations, around the world.The snippet from SpyEye’s tracker history record for the domain 124ffsaf.com over a three day period shows as follows:Peeping around the attacker C&C reveals an unprotected (at the moment!) statistics page It’s worth mentioning that the Attacker C&C above was produced the above stated information when the Trojan was tested in action in the lab. The Sender 15555215556 and the Recipient 15555215554 refers to the two Android emulators used in the lab to simulate the attack (the corresponding HTTP traffic is presented above). As indicated in the page, the attack has yet to gain momentum, so consider this a warning. I'm pretty sure this is just the beginning so I’m tempted to say, “To be continued…” SPITMO for Android loses the battle against Trusteer It is hightime that the Organizations acted and installed a desktop browser security solution in the multi layered security profile they have been using. The banks that already offer Trusteer Rapport are automatically protected and are NOT vulnerable to this attack - even if the Trojan is downloaded. This is due to Rapport being supported by a feature to prevent Spy Eye from installing on the customer's PC, thus terminating the attack before it takes hold. Those who are not using Rapport, Trusteer Pinpoint will detect and report the real-time victims, as being infected with this variant of SpyEye, when they attempt to log in to the bank's website. The attack is nullified by restricting the services to these reportedly infected machines, like disabling it to complete transactions. Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block such attacks by preventing any malicious activity.
221
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3.22 SPY EYE BANK TROJAN HIDES ITS FRAUD FOOTPRINT Another nastier version of Spy Eye [9], has been detected with the ability to hide all fraudulent transactions from victims and was found allegedly targeting the major UK banks. This Spy Eye version is a tweak of the Zeus crimeware kit that grabs web-form data within browsers. This new Trojan, doesn’t intercept or divert email messages, rather hides the fraudulent transactions, masks the amount of the transaction, and puts forward a fake balance, ensuring that victims are unaware of anything being amiss on their account. Its work can be briefed as: 1. Spy Eye steals the debit card data by employing a man-in-the-browser attack on an online banking session. 2. The fraud is committed with the debit card data. 3. Thirdly, the Spy Eye initiates a post-transaction attack and hides the fraudulent transactions from the victim, when he logs in to his account the next time Here’s detailed description of how it goes down: Step 1 – Malware Post-Login Attack - Credentials Stolen: a. The victim’s machine is first infected with any Man in the Browser malware (e.g. Zeus, Spy Eye, Carberp), with a suitable configuration. b. The fraudulently configured malware asks the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, month and year of expiry, etc. Step 2 – Fraudster Commits Fraudulent Activity: c., The cybercriminals then create a card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet using the customer’s debit card details. d. The fraudulent transaction details are immediately fed in to the malware control panel by the fraudster. Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:
Figure 4 MitMo Attack Cycle ( nakedsecurity.sophos.com/.../spyeye-bank-trojan-hides-its-fraudfoot.)
222
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 3.32 Case Study: Android Trojan records calls Cyber Criminals [11] have increased the functionality of Android Trojans. Earlier versions of mobile malware strains for Google's mobile platform were able to log the duration and numbers of incoming and outgoing calls. The new malware goes a step ahead by capturing the whole content of conversations before storing them on the SD-slot memory card of infected Android phones. The hackers then upload these conversations to a server, according to the tests carried on the malware by the security researchers at CA in a closed environment On installation, the malware drops a 'configuration' file containing the key information about the remote server and the parameters.’ This as-yet-unnamed malware cannot install by itself. It needs to be installed by the victims who consider it to be a prototype of some sort, a game or a tool that they can use against their spouses to keep track of their activities. The Victims, tricked into installing it, would need to agree to install the application, grant it permissions to record audio, read the state of a phone and prevent it from sleeping. 3.31 NEW Drive-By Android Trojan Attacks Mobile Users Android.Notcompatible [11], an Android Trojan horse program getting installed via a partial drive-by download has been identified as a threat by Symantec. Though Symantec gives Android.Notcompatible its lowest risk level, very Low, the main concern is that it might be copied by other hackers to use the technique in other attacks. Drive-by downloads—the malware that installs itself without the user's knowledge--typically occur when a website is visited. Android.Notcompatible pretends as a genuine system update under the name "com.Security.Update". The images below show the download and installation. Taking the program to be a genuine update by its pretence, the infected users approve installation. After being installed on a phone, Android.Notcompatible monitors all incoming and outgoing data including the personal one, sends its copies to the attacker through a proxy code. Android.Notcompatible spreads via URL redirects injected into the HTML of innocent bystander sites. The users who allow installation from unknown sources are most susceptible. Users who download apps from Google Play are safe from this or any other threat. The following sites have been identified as Android.Notcompatible hosts, by Symantec. (The "http" part of the addresses is bracketed to prevent accidental launches of infected sites.):
• • • •
[http://]androidbia.info [http://]androidjea.info [http://]gaoanalitics.info [http://]androidonlinefix.info
3.4 Case Study: Scumbags get sneaky with new self-robbery Trojan A particularly sneaky banking Trojan equipped with a self-robbery tricks that traps victims into transferring funds into the accounts controlled by cyber crooks or their partners has been developed by the malware-peddlers[12]. The users of the infected machines, on logging in to the bank site, get a fake message alerting them of a mistaken credit to their account, asking the user to revert the said amount to unfreeze their account. Trojan falsely inflates displayed account balances on infected machines, besides offering a pre-filled online transfer form in order to make the ploy more plausible. All these make the victim trust and transfer the said amount without getting it confirmed from the bank. While previous banking Trojans, like the URL Zone Trojan displayed fake balances on infected machines, this latest strain of malware is an evolution of this line of attack. As the period of time involved in banking fraud increases the risk of the fraud being tracked down, the fraudsters find it safer tricking victims into transferring funds themselves rather than employing money mules to force entry to the compromised accounts. Fraudsters can thus quickly loot accounts, before the compromised accounts are suspended or login credentials changed.
223
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME 4 CONCLUSIONS This survey concludes that Mobile phones are not secure unless the user is well aware of the risks. They can be attacked and used for various fraudulent purposes, not normally identified by users. This paper explores some vulnerabilities, and explains how they may be exploited. Finally, the case studies expose consequences of attacks on mobile phones by malware. The lack of security awareness [15] among cell phone users and their carelessness are the two prominent risk factors that fall the users prey to the fraudsters. It is extremely important to understand that a smart phone is far more than just a phone and cannot be treated like one of ordinary standards. Unlike the previous generations of cell phones, that were least susceptible to Bluetooth hijacking, the modern smart phones are prone to the same risks as PCs, equipped with Bluetooth or internet features. New attack vectors will increasingly be exploited by fraudsters as online banking services use these devices as second authentication factors given the convergence between PCs and cell phones. Recommendations for a secure mobile banking:
• • Check rating, user reviews, and comments for each mobile application you download. Avoid low rated, new applications, and bad reviews. Carefully evaluate the permission requested by Android applications when you install them. Applications that ask for access to text messages and other sensitive information should raise a red flag and further researched before you download it Have your PC protected with online banking security software such as Trusteer Rapport that can be downloaded from your bank's website. This software rules out the possibility of MitMo attacks by restricting fraudsters from controlling the web channel. Regularly install updates on your mobile device Enable access protection measures such as a PIN or password (if possible). Configure the smart phone to automatically lock after a minute or so when being idle. Before installing or using new smartphone apps or services, check their reputation. Only install applications from trusted sources. Pay attention to the security permissions requested by every application and service you install. Keep your operating system and software applications up to date. Disable features not in use: Bluetooth, infrared or Wi-Fi. If you have Bluetooth enabled, set your device to be hidden and password-protect it. Make regular backup copies of your important files. Encrypt sensitive information whenever possible. Use call and SMS encryption software. Whenever possible, do not store sensitive information on the smartphone. Make sure it is not cached locally. Erase all information from the smartphone once you get rid of it. In the event your phone is lost or stolen, inform your service provider and give them your device‘s IMEI number to block it. You can also use remote or automatic deletion of data (after several failed login attempts). Monitor the smartphone for anomaly detection. Check your account activity frequently to detect fraud. Be aware of the risks associated with these devices and use them correctly
•
• • • • • • • • • • • • • • • • •
224
International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME
REFERENCES
[1] http://www.en.wikipedia.org/wiki/Mobile_phone [2]en.wikipedia.org/wiki/Mobile_virus [3]http://www.theregister.co.uk/2011/02/22/zeus_2_factor_authentication_attack/ [4] www.eweek.com/.../Zeus-Trojan-Mobile-Variant-Intercepts-SMS-Pas. [5] www.thinkdigit.com/Mobiles.../ZeuS-Trojan-now-affecting-BlackBer [6] www.networkworld.com/.../zeus-trojan-back-and-targeti... - United States [7]www.theregister.co.uk/2011/10/06/banking_trojan_steals_sms/ [8] www.trusteer.com/.../first-spyeye-attack-android-mobile-platform-no. [9]nakedsecurity.sophos.com/.../spyeye-bank-trojan-hides-its-fraud-foot[ 10]http://www.theregister.co.uk/2011/08/02/android_malware_records_calls/ [11]www.informationweek.com/byte/news/232901415 [12] http://www.theregister.co.uk/2011/07/29/tricky_banking_trojan/] [13] http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/ [14]www.informationweek.com/news/security/vulnerabilities/229219049 [15] http://www.scribd.com/doc/57779895/CNCCS-Smart-Phone-Malware [16] K.Sangeetha and Dr.K.Ravikumar, “A Framework for Practical Vulnerabilities of the Tor (The Onion Routing) Anonymity Network”, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 3, 2012, pp. 112 - 120, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375 [16] A.Edwinrobert and Dr.M.Hemalatha, “Behavioral and Performance Analysis Model for Malware Detection Techniques”, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 141 - 151, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375
225
