Mobile and IoT attacks – SophosLabs 2019 Threat Report

As internet users migrate from desktop and laptop computers to mobile and Internet of Things (IoT) platforms, cybercriminals are making the journey with them.

The SophosLabs 2019 Threat Report has tracked this shift across a range of mobile threat types, most of which target Android.

The simplest tactic here is to try and sneak malicious apps past Google’s Play Store security checks on the assumption that some victims will download them before they are pulled.

Cryptominers
A good example from this year is the short but taxing boom in malicious cryptominers, which weren’t explicitly banned by Google until July.

Anyone unlucky enough to end up with a cryptominer on their phone – possibly hidden as a function inside another innocent-looking app – would have noticed their device’s processor straining under the load.

Phones that do this constantly would appear to have significantly reduced battery life when compared to identical models that do not have the miner code running on them.

Making detection harder, some of this activity could be called by the app from JavaScript-based cyptomining on an external website.

Mobile clickfraud

A parallel track for mobile cybercriminals is the lucrative industry of advertising clickfraud, again embedded inside apparently innocuous apps that simulate users clicking ads to generate revenue.

Long-established on desktop computers, clickfraud is a growing problem in the mobile space because the number of apps and devices makes it an inviting target.

As with cryptominers, spotting apps with this intention isn’t easy to do but the negative for mobiles is the same, battery and processor drain, while advertisers are charged for useless clicks, and the cost of online advertising is driven up.

Supply-chain compromise

In 2018, SophosLabs discovered a legitimate app supplied as part of the stock firmware image of a small phone maker that had been ‘Trojanised’ in the supply chain, before anyone purchased the device.

The app, Sound Recorder, had been modified to covertly intercept and send SMS text messages:

The malicious version of the app could have been inserted into the supply chain in a number of different places. It was never made available through any app store, only in a specific firmware image on a specific model of inexpensive Android phone.

Detecting let alone removing this type of malicious app is almost impossible until the equipment maker is aware of the compromise.

Internet of Things

One thing today’s IoT devices have in common is that they are typically left unattended. This means they are rarely, if ever, patched and often rely on default credentials – this might explain why SophosLabs saw a surge in attacks against IoT devices in 2018.

However, IoT malware is now evolving rapidly to target more capable devices such as home routers. Router compromise has been around for a while, of course, but common attacks during 2018, such as VPNFilter, offer clues as to its new ambitions.

VPNFilter could successfully attack dozens of routers from numerous vendors, and the botnet it built in the process looked every bit as potent as something that might affect PCs or servers.

The successors to the Mirai botnet of 2016 that borrow bits of its code – Aidra, Wifatch, and Gafgyt – are still alive and kicking. Wifatch is a particularly curious oddity, infecting vulnerable devices before warning their owners in vigilante-style to secure them against attack.

As for what’s next, SophosLabs reports that the IoT target list is expanding to include database servers, commercial-grade routers, and networked CCTV cameras and DVR systems.

Leave a Reply