Spear Phishing Goes Mobile

New Attack Targets Android; Other Devices at Risk

A recent spear-phishing attack involving a Trojan designed to target Android devices offers an important reminder of the emerging threat of mobile malware, says Kaspersky Lab researcher Kurt Baumgartner.

"This is the first Android Trojan that we've seen in the wild being used in this manner," says Baumgartner, a researcher who monitors malware.

The spear-phishing attack and Trojan, discovered by Kaspersky Lab, involved an APK - a program for Android that allows users to download Gmail attachments to their devices.

When Kaspersky Lab reviewed the Trojan, researchers found that it had the ability to report back information about the user.

"When we reversed the Trojan, we saw functionality to pull out contacts - contact lists both on the phone and the SIM card of the device," Baumgartner says in an interview with Information Security Media Group [transcript below].

"We saw it maintaining functionality to pull out call logs and SMS messages," he explains. "They wanted to also know the geo-location of the phone and then, finally, the phone data."

That information, Baumgartner says, is "golden" for attackers. "When lists of contacts and details are pulled off a device, those contacts are the next in line [for attack]," he says.

While mobile malware is in the beginning stages, Baumgartner says organizations need to be concerned. Mobile device users can begin to protect themselves by adding additional security packages to their devices to protect from malicious downloads.

During this interview, Baumgartner discusses:

  • Spear-phishing schemes that cross the mobile and online channels;
  • Mobile malware trends for 2013 and 2014;
  • Why personally identifiable information is becoming easier for fraudsters to compromise.

Baumgartner joined Kaspersky Lab in 2010 and is responsible for monitoring the malware landscape across the Americas and enhancing Kaspersky's technologies. Earlier, Baumgartner was vice president of behavioral threat research at Symantec - PC Tools, ThreatFire, chief threat officer at Novatix and a threat analyst at SonicWALL.

Android Trojan

TRACY KITTEN: Kaspersky Lab recently discovered an Android Trojan that's being used to target high-profile Tibetan activists. What can you tell us about this attack, as well as how and when it was identified?

KURT BAUMGARTNER: The incident involved an Android Trojan that was being sent out from a compromised e-mail account from a high-profile Tibetan activist. The novel thing about this attack is that the attachment itself was an Android Trojan that could be installed on an Android device and used to collect and perform surveillance activity on a target.

Spear-Phishing Trends

KITTEN: From what I know, these attacks started with spear-phishing, which is an increasing concern for organizations across the board. If we look at spear-phishing generally, what trends would you say have fueled spear-phishing's growth?

BAUMGARTNER: Spear-phishing itself is generally a pretty effective way of delivering malware in targeted attacks. Some of the trends that have pushed attackers to using spear-phishing techniques have been that some of the other technologies actually protecting against other known techniques, like watering-hole attacks or network infiltration, those venues of attack have been more effectively shut down in my opinion. It becomes increasingly effective to use spear-phishing as a form of getting in.

Use of Social Media

KITTEN: How would you say that social media or other online channels are being used to exploit or help to fine-tune some of these targeted e-mail attacks?

BAUMGARTNER: Spear-phishing is pretty reliant on having precise data about the target you're trying to hit. Social media and other forms of online services provide attackers with a goldmine of information that will help them craft e-mails or craft the attachments in such a way that it will help convince or persuade the victim to open the attachment or to run the attachment on their computer. Sometimes that does come in the form of LinkedIn profiles and the connections that that person maintains on LinkedIn. It could be simply a website talking about an organization and its membership list or the people who run that organization and how to get a hold of those people or the people around them. Sometimes it's as quirky as a church group and its parishioners or the people running the organizations. With NGOs, it can be back-office people and their daily routine or their daily schedule. All of these sources of information really help an attacker craft the spear-phish that they're sending to their targets.

Android Attack Details

KITTEN: I'd like to talk about this most recent attack that was identified by Kaspersky Lab. The spear-phishing attack included an APK attachment, a malicious program for Android. How did this attack actually infect the Android devices that it targeted?

BAUMGARTNER: The attack, as we saw it, we prevented it pretty early on. With this incident, what we found was an e-mail account that was being used to send the spear-phish out to other members. A partner of ours provided one of these attachments to us, and I believe that we haven't confirmed that the actual Trojan made it to an Android device before we got it and analyzed it. But in order for this Trojan to get on a device, the user would actually have to hook up their Android device to a PC, drag over the APK file, and run it from the phone or the mobile device itself.

KITTEN: I think you've answered my next question, and that was: did the attack only infect devices when the e-mails were opened on these Android devices themselves or when they were opened on the PCs? It sounds like these were probably e-mails that could have been opened either place.

BAUMGARTNER: I think the initial source or the e-mail account where these e-mails were coming from wasn't necessarily being accessed from an Android device itself, but it was being used to send out e-mails with these attachments.

Cross-Channel Attacks

KITTEN: What trends would you say Kaspersky Lab is seeing in cross-channel as well as cross-platform attacks, such as those that target and compromise PCs as well as mobile devices?

BAUMGARTNER: This is the first Android Trojan that we've seen in the wild being used in targeted attacks in this matter. We have seen OSX, and we've seen other operating systems being attacked in a more precise targeted-attack fashion with spear-phish and very convincing, persuasive, timely content in order to get these victims to open up and interact with the messages. We have been seeing a broader span. We've seen development not just against Windows, but now we're seeing Mac OSX being regularly targeted as a part of targeted attacks. And now, not only are we seeing malware that collects information from the devices themselves when they're attached to Mac OSX or to Windows devices, but now we're finally seeing the Trojans coming out of a prototype stage and into the wild and being actually run on the mobile devices themselves.

Unique Attack Characteristics

KITTEN: I know that you caught this attack early, this most recent attack that was aimed at Android. But can you talk at all about how unique this most recent attack was?

BAUMGARTNER: In a sense, these spear-phishing attacks and targeted attacks against NGOs and activist groups like this, that piece isn't totally new. When you look at malware that's going to be delivered to mobile devices, it's something that hasn't been seen before. At least it's not publicly documented, and it's certainly in the beginning stages. The APK file itself isn't being delivered with an exploit; it requires some level of interaction, but the attackers went ahead and made sure that the name of the APK file had to do with a conference that the victim was a part of. They're aware of what they're doing and [what] the technical complexity is, and the hurdles aren't being completely addressed with the delivery of the malware itself and the development of the malware. But it's new and unusual to see a Trojan like this being delivered in this manner that will run directly on the mobile device.

Items Targeted in Attack

KITTEN: In this particular attack, once installed, this malicious program secretly reports the infection to a command-and-control server, and then harvests information that's stored on the mobile device. What were some of the details that the program targeted from these mobile devices?

BAUMGARTNER: When we reversed the Trojan, we saw functionality to pull out contacts, so contact lists both on the phone and the SIM card of the device. We saw it maintaining functionality to pull out call logs and SMS messages. They wanted to also know the geo-location of the phone and then, finally, the phone data. They wanted to be able to uniquely identify the phone and pull out the phone number, the OS version, the phone model and the SBK of the phone itself.

KITTEN: Once data like this from the phone is compromised, such as details related to contacts, how is it used to spread the attack?

BAUMGARTNER: Contacts are golden nuggets of information for attackers. In this case, because we caught it so early on, it seems the chain was broken at that point. But commonly that's what we'll see. When lists of contacts and details are pulled off a device, those contacts are the next in line. They're definitely going to be examined and then targeted accordingly.

Call Logs, Geo-Location

KITTEN: You've also mentioned call logs and geo-location. How are those bits of information used to spread the attack, or why would taking that type of information be concerning?

BAUMGARTNER: That's a concern because, as attacks are interrupted later on, when you look back you can find that call logs can be abused because the attackers know who and when contacts are being communicated with. If the attackers are upping their game - and they have been - they know when they should be sending someone an e-mail message, text or something to further their attack to the victim's contacts. They also want to know who might be at this conference. As the initial victim's contacts are being hit, they want to know [if] those people [are] meeting up at a conference, when they leave, how they come and go, or how frequently they come and go. All of those are nuggets of information for attackers trying to penetrate an organization.

KITTEN: Do you see some of this as an emerging attack trend, fraudsters stealing multiple bits of data from mobile devices to wage future campaigns, and these campaigns could be targeted attacks that employ channels that go beyond mobile?

BAUMGARTNER: Definitely. They're exploring how they can improve it. [That's] what we're seeing here. A few months ago we saw a prototype on a few servers that had the nascent stages of development for Android Trojans, but it was never seen in the wild. Here we actually see it being deployed, and definitely in the past, where we've seen malware that simply runs on a PC and pulls information in from a mobile device and then they can further attack, that sort of information definitely gets reused.

Another thing that's interesting about this attack is that it crosses organizations. Multiple organizations that in the past hadn't necessarily worked together were all coming together at this specific event, and, identifying how closely those organizations that may not in the past have worked very closely together, identifying who's in whose contact list and how frequently they're communicating would be of interest to an attacker later on.

Risk to other Mobile Devices

KITTEN: This most recent attack is only affecting Android devices. Is there concern that this particular attack could spread to other mobile devices?

BAUMGARTNER: Right now, with the size of the malware and how quickly it stopped, I'm not completely concerned that the attackers are furthering this particular incident. But in the future, definitely that's a concern. It wouldn't be terribly difficult to port this to other platforms, and we've seen that sort of thing happening in the past where malware that specifically targets the collection of specific types of data from a Windows machine gets ported to OSX or Linux. That's happened in the past. So definitely we expect that to come down the pipe.

Protecting against Mobile Attacks

KITTEN: What recommendations do you have to offer about protection that Android users and others should be employing when it comes to these types of attacks?

BAUMGARTNER: Android users frequently use something called sideloading, taking an APK file that's not from the Google Play store or some of the other better-known markets and installing it on their device, pulling it from a local server or another location that may not be all that trustworthy. In order to do that, Android users have to flip a setting on and off on their phone and they have to allow software to be installed from untrusted sources. Number one, most Android users shouldn't be doing that. They should be a little more careful with identifying and recognizing the source of the Android software they're installing on their phones. There are some security packages out there for Android phones, and I think some are more effective than others, but there's definitely a layer of security that they can add to their phone. There's more functionality and more features being added to these security suites, including behavioral-level protection, that are really helpful when it comes to the unknown or the targeted attack vectors.

Malware Evolution

KITTEN: From a higher level, what would you say about malware's evolution generally? How focused should organizations be on mobile malware for the remainder of 2013 and even into 2014?

BAUMGARTNER: We're at the beginning stage of malware that's directly running on mobile devices. This is pretty new. But as far as its delivery and how it's being used in targeted attacks, organizations do need to be concerned. We're still early on with Android and with iPhone malware, but the offensive security research groups have been developing exploits that are hitting WebKit or the web browsers that are running on Android. That's certainly being developed. Investment has been done, and the fruits of the research are coming forward. We're in the early stages, but it's definitely something organizations will have to have addressed in 2014. But 2013, we're still in an early stage here, but it's going on. It's here. It's something that definitely needs to be addressed.

KITTEN: Obviously, this is a concern that organizations across the board should be focused on, but what would you say about the role banking institutions play here where employee and customer or member protections are concerned?

BAUMGARTNER: Banking organizations are in a special place because financial transactions and all of the data that go along with the activities of NGOs, of human rights groups and some of these other sensitive organizations, that's all maintained within these banking organizations, quite a bit different from the financially motivated cyber-attacks, the more traditional cybercrime. These attacks and the attacks that could be leveled against the banking organizations are much more persistent, and the organizations have to be aware that they're working against an attacker set that's much more determined and much more persistent than what we've seen in the past.

KITTEN: Before we close, are there any final thoughts that you'd like to share about malware generally or some of these attacks that are more focused on mobile devices?

BAUMGARTNER: We've uncovered a few schemes that have been focusing in an interesting way on gathering data and pulling data off of victims' mobile devices. Early in the year, we looked at Red October, and that was another scheme that installed a piece of malware to a user's workstation. From the workstation, any device that was plugged in would be detected and identified, even down to the manufacturer of the mobile device. That had been going on for maybe a year, two years, where they developed this technology and deployed it against their victims and carried out the operation based on data they were pulling from mobile devices. But that attack didn't run the malware right on the Android devices. This one is a step further into the mobile world, so it's a novel technique in the sense that it's being deployed right now as a part of a spear-phishing scheme. We expect to see more of that, and we do expect it to broaden to other technologies, unfortunately.

Around the Network