WAP Warfare – Safeguarding Against Vulnerabilities in Connected Devices

Publication date: 26 November 2018
Article type: Blogs and Articles

WAP WarefareEvery corporate device needs to be protected against the various mobile malware threats, says David Emm

A virtual cyber war is taking place. With hackers constantly trying to outwit cybersecurity defences with ever-changing threats and tools, businesses are now forced to regularly review their security strategies – and if they do not do so, they risk becoming extremely vulnerable to cyber-threats. In this age, every connected device is vulnerable to cyberattacks, with the rise of bring your own device (BYOD) increasing the threat vector.

Mobile malware plays a significant and growing role in a cybercriminal’s attack arsenal. And with more organisations supplying company phones and tablets, hackers have new endpoints to target and opportunities to profit from.

Mobile malware can result in the loss of money and sensitive data and allows attackers access to corporate networks. Put simply, every corporate device needs to be protected against the various mobile malware threats, which include the following:

Targeted campaigns
Mobile crypto-currency mining is a growing threat. It doesn’t just provide huge financial opportunities for cybercriminals; Kaspersky Lab is also seeing it used as part of targeted, prolonged campaigns that can affect many victims. Some existing mobile malware apps are being modified to include this functionality.

The ransomware Trojan Rakhni is a case in point. This malware loader chooses which component to install depending on the device. The malware, which we have seen in Russia, Kazakhstan, Ukraine, Germany and India, is distributed through spam mailings with malicious attachments. One of the samples we analysed masquerades as a financial document. When loaded, this appears to be a document viewer. The malware displays an error message explaining why nothing has opened. It then disables Windows Defender and installs forged digital certificates. The malware checks to see if there are Bitcoin-related folders on the computer. If there are, it encrypts files and demands a ransom. If not, it installs a crypto-currency miner. Finally, the malware tries to spread to other computers within the network.

One of the most noteworthy discoveries this year was Skygofree, one of the most advanced mobile implants that Kaspersky Lab has ever seen. It has been active since 2014 and was designed for targeted cyber-surveillance. It is spread through web pages, mimicking leading mobile network operators. This is high-end mobile malware that is very difficult to identify and block, and the developers behind Skygofree clearly used this to their advantage - creating and evolving an implant that can spy extensively on targets without arousing suspicion.

WAP clickers and crypto-mining
Kaspersky Lab researchers have recorded an increase in the amount of mobile Trojan clickers that are stealing money from Android users through WAP-billing, a type of direct mobile payment with no additional registration. As soon as someone clicks on the pages with paid services, and once a subscription is activated, money from a victim's account flows directly into the hackers’ accounts.

Some of the discovered WAP-clickers also had modules for crypto-currency mining. The rise in price of crypto-currency makes mining a far more profitable business, even though the performance of mobile devices is not that good. Mining results in rapid battery consumption, and in some cases even device failure. Kaspersky Lab also discovered several new Trojans posing as useful applications that were mining crypto-currency on an infected device. As crypto-currency mining continues in 2018, there will likely be a rise in new miners and techniques.

Mobile ransomware programmes
The number of mobile ransomware programs is declining; the number of people attacked with mobile ransomware fell by 22.5% from 130,232 in 2016-2017 to 100,868 in 2017-2018.

However, despite this decline in the total number of people impacted, mobile ransomware Trojans remain a serious threat, because they have become much more technically advanced and more dangerous than ever before.

Mobile ransomware remains both simple and effective, with its capabilities and techniques almost unchanged – and still posing significant threats to both consumers and businesses.

Why rooting software is still a threat
The number of victims attacked by rooting malware in 2017 decreased compared to the previous year. However, this threat is still among the most popular types of malware - almost half of the Trojans in our top 20 rating belong to families that can get root privileges. The decrease in their popularity amongst cybercriminals was probably due a decline in the number of devices running older versions of Android – the malware’s main targets.

In recent times, rooting malware has been the biggest threat to Android users. These Trojans are difficult to detect, boast an array of capabilities, and have been very popular among cybercriminals. Once an attacker has root access, the door is open to do almost anything. Their main goal is to show victims as many ads as possible, and to silently install and launch the apps that are advertised.

Mobile advertising Trojans
Mobile advertising Trojans, the former top mobile malware threat from 2016, continue to aggressively infect devices, but hackers have been forced to change their techniques over the past 12 months. Some Trojan families have started to use monetisation schemes involving paid SMS and WAP-billing services to preserve and increase profits.

This shift was triggered by the overall decrease in the number of mobile devices running older versions of Android, which are the main targets of Trojans. This is primarily because the common vulnerabilities they exploit are usually patched in the newer versions of the system.

As a result, creators of advertising Trojans are increasingly confronted with devices on which they cannot gain a foothold. This provides the victim with the chance to get rid of this malware once it starts aggressively displaying ads or installing new applications.

To reduce the risk of infection from today’s evolving threat landscape, stay protected and avoid endpoint infiltration, Kaspersky Lab advises businesses to do the following:

  • Manage mobile devices, so that personal and business data is separated if the business has a BYOD policy.
  • Restrict what apps can be installed on corporate devices.
  • Provide a secure VPN for staff to connect remotely to the corporate network.
  • Always implement the latest updates to your operating system and apps.

Kaspersky Lab also has the following top tips for individual employees:

  • Exercise caution when receiving emails from people or organisations you don’t know, or with unexpected requests or attachments.
  • Always double-check the integrity and origin of websites before clicking on links. If in doubt, call the service provider to verify.
  • Secure all corporate devices (including mobile phones and tablets) with passcodes or biometric protection (i.e. thumbprint access on smartphones)

David EmmDavid Emm is Principal Security Researcher, Kaspersky Lab