The Keystone of Modern Authentication in a Zero Trust World part 2 — How Secure Is Your Smartphone? Unveiling the Depths of Security & Integrity

In our previous blog post, we delved into the pivotal role smartphones play in our daily lives, particularly highlighting their indispensability as the go-to mobile device. We explored how, in the realm of multi-factor authentication (MFA), these devices have become the cornerstone for securing access to our digital lives, thanks to their sophisticated array of sensors capable of supporting various biometric authentication techniques. The ubiquity of smartphones, coupled with their advanced technological capabilities, positions them as the ideal candidates for MFA processes, ensuring a seamless blend of convenience and security.

However, this very reliance on smartphones for authentication has also made them prime targets. The irony is stark: the devices we trust to safeguard our digital identities are the ones most coveted by those aiming to compromise them. This raises pressing questions about the security of modern mobile operating systems and about the measures available to defend against MFA bypass and device compromise.

In this second part of the blog post series titled “Smartphones: The Keystone of Modern Authentication in a Zero Trust World”, we aim to shed light on the current state of mobile operating system security, diving deep into the strengths and weaknesses that define them. We will explore the landscape of threats facing our mobile devices and provide insights into how it is possible to fortify defenses against such vulnerabilities. By understanding the intricacies of mobile OS security, we can better navigate the challenges of protecting our devices from the evolving tactics of attackers, ensuring that our reliance on smartphones does not become our Achilles’ heel. Join us as we embark on this critical journey towards securing our digital gateways in the face of persistent and evolving threats.

Can we trust our phones?

As reported by Proofpoint, 2023 saw a clear shift in attacker tactics, away from traditional desktop-based malware and phishing and towards mobile-centric campaigns. The pivot is largely driven by the perception that both the users and the operating systems of mobile devices are easier to attack than their desktop and laptop counterparts. Mobile phones have become repositories of highly sensitive personal information (as reported by Omdia in 2022 and represented in the image below) and so present a lucrative target. They are also equipped with an array of sensors and capabilities, from audio and video recording to text messaging and GPS positioning, any of which can be turned against the owner to gather information about them.

Figure: Security features most important to consumers (source: Omdia, 2022)

A particularly alarming aspect of this shift is the attackers' ability to abuse access to sensitive peripherals such as the microphone and camera, along with the other sensors on a mobile device. Such access lets them harvest material for impersonating the victim and, with deepfake tooling, produce convincing audio or video of the victim for use in social engineering campaigns. The use of biometric sensors for user authentication adds a further consideration, though one that needs stating precisely. On current devices the enrolled biometric templates are held in isolated hardware (Apple's Secure Enclave, or the TEE and secure element on Android) and are never exported to the main operating system, so even a fully compromised OS cannot simply read a fingerprint or face template out of storage. The realistic risks are different: malware with full control of the device can capture raw camera and microphone input, act as the user inside an already-unlocked session or an authenticated app, and abuse the trust that other services place in a biometric-protected device. Any of these lets an attacker operate under the guise of legitimate access across platforms and services.

This evolution in cyber threats underscores the urgent need for heightened vigilance and enhanced security measures for mobile devices. As attackers refine their methods to exploit the vulnerabilities inherent in mobile platforms, understanding the risks and implementing robust security protocols becomes increasingly critical. The reality that mobile phones now serve as vaults for sensitive data and a gateway to personal identity highlights the pressing challenge of protecting against the sophisticated phishing and malware attacks that are becoming more prevalent in the mobile domain.

In the remainder of this post we first explore the foundational security features and architectural designs of Android and iOS, the two predominant mobile operating systems. We then illustrate with real-world examples how advanced malware and cunning attack methodologies have managed to exploit weaknesses in these systems, before concluding with some reflections and recommendations for strengthening defenses against them.

Mobile OS security models

Before diving into real-world instances of mobile operating system vulnerabilities and the sophisticated malware that exploits them, it is worth laying the groundwork by understanding the distinct security models these systems implement. As shown in the picture above, the two major mobile operating systems take different approaches to safeguarding users and their data: Android is an open-source platform that prioritizes flexibility, while iOS is a tightly controlled ecosystem designed around Apple's own hardware.

Android is an open-source mobile operating system built on the Linux kernel, and its core isolation model reuses the kernel's user-based protections: each installed application is assigned a unique Linux user ID at install time and runs in its own process, so the kernel's discretionary access controls keep one app's files and processes out of reach of another. This Application Sandbox is reinforced by SELinux mandatory access control (enforcing on all devices since Android 5.0), which confines app processes to restricted domains regardless of their UID, and by the runtime permission system that gates access to sensitive resources such as the camera, microphone and location. Android also ships a verified boot chain, encryption of user data (mandatory on devices launching with Android 10 or later) and a hardware-backed keystore, so its baseline protections are closer to those of iOS than its reputation sometimes suggests.
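To make the per-app UID model concrete, here is an added example (not code from the original post) that decodes a process listing of the kind `adb shell ps -A -o UID,LABEL,NAME` returns. The listing itself is constructed for the example; the UID layout (uid = user_id * 100000 + app_id, with app UIDs in the 10000 to 19999 range and printed as u0_aNNN) and the `u:r:untrusted_app:s0:...` SELinux labels are real Android conventions. It reports which packages share a sandbox (only possible when both declare `android:sharedUserId` and are signed with the same key) and which app UIDs run outside the `untrusted_app` domains, both of which are worth a second look during triage.

```python
"""Decode Android per-app UIDs and SELinux domains from a process listing.

Added example, not code from the original post. Parses a constructed
`ps -A -o UID,LABEL,NAME` listing and summarises the Application Sandbox:
one Linux uid per installed app, one SELinux domain per process.
"""
PER_USER_RANGE = 100_000   # uid = user_id * 100000 + app_id (UserHandle.getUid)
AID_APP_START = 10_000     # first uid handed out to installed apps
AID_APP_END = 19_999       # last uid in the regular app range


def decode_uid(uid: int) -> tuple:
    """Split a Linux uid into (android_user_id, app_id)."""
    return divmod(uid, PER_USER_RANGE)


def uid_name(uid: int) -> str:
    """Render a uid the way `ps` prints it, e.g. 10123 -> 'u0_a123'."""
    user_id, app_id = decode_uid(uid)
    if AID_APP_START <= app_id <= AID_APP_END:
        return f"u{user_id}_a{app_id - AID_APP_START}"
    return str(uid)


def selinux_domain(label: str) -> str:
    """Extract the domain from 'u:r:untrusted_app:s0:c123,...' -> 'untrusted_app'."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else label


def parse_ps(listing: str) -> dict:
    """Group processes by uid: {uid: {'name', 'packages', 'domains'}}."""
    by_uid = {}
    for line in listing.strip().splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # skip the header line and anything malformed
        uid, label, proc = int(fields[0]), fields[1], fields[2].strip()
        # "com.example.bank:remote" is a secondary process of com.example.bank
        package = proc.split(":", 1)[0]
        entry = by_uid.setdefault(
            uid, {"name": uid_name(uid), "packages": set(), "domains": set()})
        entry["packages"].add(package)
        entry["domains"].add(selinux_domain(label))
    return by_uid


def sandbox_findings(by_uid: dict) -> list:
    """Flag shared app sandboxes and app uids outside the untrusted_app domains."""
    findings = []
    for uid, entry in sorted(by_uid.items()):
        _, app_id = decode_uid(uid)
        if not AID_APP_START <= app_id <= AID_APP_END:
            continue  # system daemons (uid < 10000) are not app sandboxes
        if len(entry["packages"]) > 1:
            findings.append(f"{entry['name']} shared by {sorted(entry['packages'])}")
        for dom in sorted(entry["domains"]):
            if not dom.startswith("untrusted_app"):
                findings.append(f"{entry['name']} runs in domain {dom}")
    return findings


# Constructed sample in the format of `adb shell ps -A -o UID,LABEL,NAME`
SAMPLE_PS = """\
UID   LABEL                                     NAME
1000  u:r:system_server:s0                      system_server
10123 u:r:untrusted_app:s0:c123,c256,c512,c768  com.example.bank
10123 u:r:untrusted_app:s0:c123,c256,c512,c768  com.example.bank:remote
10124 u:r:untrusted_app:s0:c124,c256,c512,c768  com.example.messenger
10200 u:r:untrusted_app:s0:c200,c256,c512,c768  com.example.sideloaded
10200 u:r:untrusted_app:s0:c200,c256,c512,c768  com.example.plugin
10300 u:r:priv_app:s0:c512,c768                 com.example.oem.helper
"""

if __name__ == "__main__":
    summary = parse_ps(SAMPLE_PS)
    for uid, entry in sorted(summary.items()):
        print(uid, entry["name"], sorted(entry["packages"]), sorted(entry["domains"]))
    for finding in sandbox_findings(summary):
        print("finding:", finding)
```

On a real device the listing comes from `adb shell ps -A -o UID,LABEL,NAME`; a `priv_app` domain is normal for a genuine preinstalled privileged app, so that finding is a prompt to confirm provenance rather than an alarm in itself.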

Conversely, iOS adopts a more restrictive security approach. Unlike Android, iOS is a closed ecosystem: while developers can create and distribute apps, the source code of the platform itself remains proprietary and undisclosed by Apple. At the device level, security is reinforced through passcode or PIN locks and the ability to remotely wipe the device via Mobile Device Management (MDM). System-level security is built on a chain of stringent measures including a secure boot chain, the Secure Enclave for processing sensitive data such as keys and biometric templates, biometric authentication through Touch ID and Face ID, and tightly controlled system software updates. At the data level, iOS employs a robust per-file encryption scheme (Data Protection) that combines hardware keys and software to safeguard user data. iOS devices are also notoriously difficult to jailbreak, reflecting Apple's tight integration and control over both hardware and software. This integration ensures that data encryption is always enabled and cannot be disabled by users, offering a consistent level of security across all devices.

In comparing the two, Android's open-source nature offers flexibility and customization but requires users and developers to be more proactive in managing security settings; in particular, Android permits sideloading of apps from outside Google Play, which is the installation path used by most of the smishing malware described below. iOS, with its closed system, provides a more controlled environment out of the box, trading some customization for a smaller attack surface at install time. This difference in approach highlights the diverse strategies each platform employs to protect users and their data. The table above presents an overview of the fundamental security features implemented in both Android and iOS.

Mobile Threats

Despite the advanced security architectures of modern mobile operating systems such as Android and iOS, the incidence of mobile threats continues to rise, as does the number of distinct malware families. As reported by Statista for the second quarter of 2023, adware was the leading type of mobile malware globally, making up 52.09% of all detected mobile malware, a significant increase from its share of nearly 23% in the preceding quarter. Risktool followed as the second most prevalent category, although its share dropped to just over 11% from approximately 30% in the previous quarter.

The table hereafter presents a classification of most common mobile threats, distinguishing them by their operational mechanisms and the distinct risks they pose. Viruses, for example, focus on self-replication and dissemination, undermining system integrity and user data. Spyware and trojans, by stealth and deception, compromise privacy and security. Rootkits and botnets reveal sophisticated control and stealth capabilities, emphasizing the advanced nature of threats that exploit deep system vulnerabilities or orchestrate wide-scale attacks. Ransomware, with its direct financial extortion through data encryption, contrasts with adware’s disruptive advertising and potential malware dissemination. Risk tools, while not outright malicious, underscore the subtleties of threats that might exploit user data or behavior without explicit harmful intent.

Over time, all of the above malware categories have grown considerably more sophisticated. Many current families can record both phone and app-based conversations, capture audio and video, and even wipe the phone. They intercept valuable information such as app credentials and credit card numbers, and can serve as a foothold for further attacks, potentially leaving the phone's owner as a suspect in the resulting investigation.

A significant portion of current mobile malware relies on social engineering. Families like FluBot, TeaBot and TangleBot spread through SMS phishing (smishing) campaigns, with carefully crafted messages that impersonate legitimate entities such as delivery companies, healthcare institutions or banks. The messages carry links that lead the victim to sideload a trojanized app (a fake delivery-tracking app, for example); the user, not an exploit, performs the installation. Once installed, these programs typically use keylogging, overlay screens and form grabbing to capture login credentials, banking information and other sensitive data entered by the unsuspecting user. The stolen information is then used for unauthorized financial transactions, identity theft or further malicious activity.

Another concerning trend involves malware striving to elevate its privileges on the infected device. Malware like TianySpy and KeepSpy exploit vulnerabilities within the operating system or installed applications to gain elevated permissions. On Android the more common route to near-total control is not a kernel exploit at all but coercing the user into granting the Accessibility Service or Device Administrator permissions, which let an app read and act on any screen. Either way, privilege escalation grants the malware broader access to system resources, potentially enabling it to:

  • Steal a wider range of data: By escalating privileges, the malware can access and exfiltrate additional sensitive information stored on the device, such as call logs, location data, and private messages.
  • Install additional malware: Elevated privileges can allow the malware to install other malicious programs onto the device, further expanding its reach and capabilities.
  • Disrupt device functionality: In some cases, malware with escalated privileges may disrupt essential device functionalities, rendering the device unusable or compromising its security posture.

A summary of the above malware techniques and features has been published by Proofpoint in a study from 2022 and is reported hereafter.

It is usually difficult to express how dangerous a given piece of malware is, both because of its complexity and multifaceted nature and because its details are sometimes not disclosed. Some key factors that help in assessing its danger are as follows:

  • Exploit complexity: The sophistication of the exploits used to gain access to a device, with zero-click exploits generally considered more complex than those requiring user interaction.
  • Range of capabilities: The breadth of functionalities the malware possesses, such as data exfiltration, system manipulation, or self-propagation.
  • Evasion techniques: The malware’s ability to bypass security measures and remain undetected.
  • Target specificity: Whether the malware is designed for a broad range of devices or specifically targets a particular platform or vulnerability.

Among the malware families listed in the above table, MoqHao and BATRA are the newest (2019 to present). Both are Android malware specializing in credential theft, employing keylogging and form grabbing to capture sensitive information entered on compromised devices, including login details for social media platforms, email accounts and banking applications. MoqHao, also known as Wroba and XLoader, is attributed to a financially motivated group named Roaming Mantis (aka Shaoye), believed to operate out of China. It relies on carefully crafted SMS phishing that baits users with package delivery notifications containing malicious links; the landing page behaves differently depending on the device's operating system, serving a malicious APK to Android visitors and a credential-phishing page to iOS visitors.

Recently (February 2024) MoqHao gained new notoriety when McAfee Labs identified a variant that executes automatically as soon as the app is installed, without the user ever launching it. The distribution strategy has also been refined: URL shorteners now mask the true destination of the links in the SMS, increasing the chance that the victim clicks, and the message text is pulled from the bio fields of fabricated Pinterest profiles created specifically to lend the smishing messages credibility.

The current version of MoqHao can covertly extract data, such as device information and user data, and manipulate device functions such as Wi-Fi and silent call placement. It also makes novel use of Unicode in its application name: some characters are drawn from the Mathematical Bold range, so they render with a bold typeface and the label reads as "Chrome" to the user. This undermines detection logic that compares the app label ("Chrome") byte for byte against the expected package name ("com.android.chrome"), since the bold characters are different code points from the ASCII letters they resemble.
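The following is an added example, not code from the original post or from McAfee, showing the naive label check the text describes beside a hardened version. The hardened check applies Unicode NFKC normalization before comparing, which folds Mathematical Bold letters (U+1D400 to U+1D7FF) and other compatibility characters onto plain ASCII, so a bold "Chrome" still maps to the package it is impersonating. The allow-list of label-to-package pairs and the sample app list are constructed assumptions for illustration.

```python
"""Flag app labels that impersonate a known app via look-alike Unicode.

Added example, not code from the original post or from McAfee. Shows a naive
byte-for-byte label check next to an NFKC-normalising one that survives the
MoqHao bold-character trick.
"""
import unicodedata

# Assumed allow-list of legitimate label -> package pairs (illustrative only).
KNOWN_APPS = {
    "chrome": "com.android.chrome",
    "google play store": "com.android.vending",
}


def naive_check(label: str, package: str) -> bool:
    """The byte-for-byte comparison the text says MoqHao evades. True = flagged."""
    return label == "Chrome" and package != "com.android.chrome"


def normalize_label(label: str) -> str:
    """NFKC-fold, case-fold and trim a label so look-alike glyphs compare equal."""
    return unicodedata.normalize("NFKC", label).casefold().strip()


def has_lookalike_chars(label: str) -> bool:
    """True when NFKC changes the label, i.e. it used compatibility glyphs."""
    return unicodedata.normalize("NFKC", label) != label


def classify(label: str, package: str) -> dict:
    """Compare what the user sees with the package that is actually installed."""
    norm = normalize_label(label)
    expected = KNOWN_APPS.get(norm)
    if expected is None:
        # Not a name we protect; still worth noting if it used look-alike glyphs
        verdict = "lookalike-unknown" if has_lookalike_chars(label) else "unknown"
    elif expected == package:
        verdict = "ok"
    else:
        verdict = "impersonation"
    return {
        "label": label,
        "normalized": norm,
        "package": package,
        "expected_package": expected,
        "lookalike_chars": has_lookalike_chars(label),
        "verdict": verdict,
    }


# Constructed sample of (label, package) pairs.
# U+1D402 is MATHEMATICAL BOLD CAPITAL C; U+1D421.. are bold small letters.
SAMPLE_APPS = [
    ("Chrome", "com.android.chrome"),               # the real browser
    ("Chrome", "com.example.dropper"),              # plain-ASCII impersonation
    ("\U0001D402hrome", "com.example.dropper"),     # MoqHao-style bold C
    ("\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E",
     "com.example.dropper"),                        # fully bold "Chrome"
    ("Settings", "com.android.settings"),           # not on the allow-list
]


def scan(apps=SAMPLE_APPS) -> list:
    """Classify every (label, package) pair in the list."""
    return [classify(label, pkg) for label, pkg in apps]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['verdict']:18} naive={naive_check(r['label'], r['package'])!s:5} "
              f"{r['package']:22} label={r['label']!r} -> {r['normalized']!r}")
```

NFKC handles the compatibility-character case the page describes; look-alikes drawn from other scripts (a Cyrillic "С" in place of a Latin "C", for instance) are not compatibility characters and would need a confusables table on top of this check.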

McAfee has reported these techniques to Google, which is preparing mitigations for a future Android release.

Conclusions

In conclusion, our journey through the intricacies of mobile OS security, spanning the architectural fortifications of Android and iOS, the dissection of prevalent mobile threats, and a look ahead at countermeasures, reveals a nuanced battlefield. While it is indisputable that smartphones have become central to our digital existence, they also present a tempting target for cyber threats that keep evolving in sophistication and impact.

However, the landscape is not devoid of solutions. The field of cybersecurity is replete with advanced attestation and monitoring mechanisms, engineered to scrutinize device behaviors and validate the integrity of their operations. These technologies serve as a critical line of defense, enabling the detection and mitigation of unauthorized activities or compromises on our personal devices.

In the forthcoming blog post, we will navigate the intricacies of such defensive techniques. We aim to elucidate how these mechanisms function to safeguard our devices, offering a granular view of their operational principles and the protective cocoon they weave around our digital interactions.

*** This is a Security Bloggers Network syndicated blog from Stories by Excalibur on Medium authored by Excalibur. Read the original post at: https://medium.com/@xclbr/the-keystone-of-modern-authentication-in-a-zero-trust-world-part-2-how-safe-is-your-smartphone-b5ae1798aed2?source=rss-c33ef172a8fe------2