Mobile Security – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals

PixPirate: The Brazilian financial malware you can’t see
https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/
Wed, 13 Mar 2024 10:00:00 +0000

The post PixPirate: The Brazilian financial malware you can’t see appeared first on Security Intelligence.

Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme.

PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil.

A hidden threat

At IBM Trusteer, we have seen several different techniques used to hide malware from its victims. Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the SetComponentEnabledSetting application programming interface (API). However, since Android 10, that technique no longer works due to new restrictions imposed by Google.

To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background.

PixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the victim’s online banking credentials, credit card details and login information of all targeted accounts. If two-factor authentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.

PixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main malicious capabilities:

  • Manipulating and controlling other applications
  • Keylogging
  • Collecting a list of apps installed on the device
  • Installing and removing apps from the infected device
  • Locking and unlocking device screen
  • Accessing registered phone accounts
  • Accessing contact list and ongoing calls
  • Pinpointing device location
  • Anti-virtual machine (VM) and anti-debug capabilities
  • Persistence after reboot
  • Spreading through WhatsApp
  • Reading, editing and deleting SMS messages
  • Anti-removal and disabling Google Play Protect

Thanks to its RAT capabilities, PixPirate can perform on-device fraud (ODF) and execute the fraud from the victim’s device to avoid detection by the bank’s security and fraud detection systems.

PixPirate infection flow

Most financial malware comprises one main Android Package (APK) file. This is not the case for PixPirate, which is built of two components: a downloader APK and the droppee APK. The use of a downloader app as part of a financial attack is not new; however, unlike most financial malware today that uses a downloader as a service, both the droppee and the downloader for PixPirate were created by the same actor.

In addition, the PixPirate downloader’s role in the infection flow of the malware is different from that in other financial malware. Usually, the downloader is used only to download and install the droppee; from that point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant. In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee, as the two apps communicate with each other and send commands to execute.

Usually, victims get infected with PixPirate by downloading the PixPirate downloader from a malicious link sent to them through WhatsApp or an SMS phishing (smishing) message. This message convinces the victim to download the downloader, which impersonates a legitimate authentication app associated with the bank. Once the victim launches the downloader, it asks the victim to install an updated version of itself, which is, in fact, the actual PixPirate malware (the droppee). After the victim approves this update, the downloader either installs the droppee embedded in its APK or downloads it directly from the PixPirate command and control (C2) server. If the droppee is embedded in the downloader’s APK file, it is encrypted and encoded in the downloader “/assets/” folder, masquerading as a jpeg file to lower suspicion.

Next, the downloader sends a command to the PixPirate droppee to activate and execute it. On the first run, the droppee prompts the victim to allow its accessibility service to run. In the next stage, PixPirate abuses the accessibility service to grant itself all the necessary permissions it needs to run and successfully perform financial fraud.

After the malware gets all the necessary permissions it needs to run, it collects some information and data regarding the infected device to decide if this is a legitimate device and a good candidate for fraud (anti-VM/anti-emulator, which bank apps are installed on the device and so on) and then sends all this data to the PixPirate C2.

New hiding technique in the wild

Malware has always tried to hide and conceal itself from its intended victim. The most obvious and effective way is to hide the launcher icon of the malicious APK because most users do not look at the app settings screen to check which apps are installed, so they won’t notice the malicious app and will not try to remove it.

Traditionally, financial malware hides the launcher icon using the “SetComponentEnabledSetting” API. This technique does not require any permission to be granted by the victim. However, from Android 10, this technique became ineffective for malware and could not be used anymore. We will explain how the technique works using the FakeChat malware that also uses this technique.

The malware declares in the manifest the MainActivity that will be executed once the victim launches it by pressing its icon on the home screen of the mobile device.

In the following image, we can see the app tag in the FakeChat manifest, including the path of the app icon in the icon value. The manifest also contains the MainActivity, named “com.eg.android.AlipayGphone.MainActivity,” with the action “android.intent.action.MAIN” and the category “android.intent.category.LAUNCHER.” This activity is run and executed once the user presses the app’s icon and launches the app.

In the first run of the malware, it makes the launcher icon disappear by calling the Android API “SetComponentEnabledSetting” with the following parameters:

  • ComponentName: the component that represents the MainActivity related to the icon for launching the app.
  • NewState: the new state of the component. In this case, the malware specifies the state “COMPONENT_ENABLED_STATE_DISABLED” to disable and hide the APK icon.
  • Flags (optional): Value is either 0 or a combination of DONT_KILL_APP and SYNCHRONOUS.

In the following image, we can see how it is done programmatically:

From Android 10, all app icons are visible in the launcher unless it is a system app or it does not ask for any permission at all (look at the documentation and the guide). Those limitations made this technique irrelevant for malware from Android 10 and later. Therefore, malware could no longer hide its launcher icon and its existence.

PixPirate’s new innovative hiding technique

When examining PixPirate, IBM Trusteer detected a new technique that achieves the same goal and works on all Android versions to date. To hide the malware from the victim, the PixPirate droppee does not have a main activity; that is, it does not have an activity with the action “android.intent.action.MAIN” and the category “android.intent.category.LAUNCHER.” As a result, the app’s icon does not exist on the home screen of the victim’s device at all. However, this also presents a new problem: if the droppee’s icon does not exist on the victim’s home screen, how will the victim launch the app in the first place?

The new technique requires the malware to have two applications: in this case, the downloader and the droppee that operate together. The downloader is the app that runs. The downloader then runs the droppee, which would not be executed otherwise since its icon does not exist.

How the droppee runs

So, how does the droppee run? PixPirate built a mechanism that triggers the droppee to run when different events occur on the device.

In the following image, we can see the service used to launch the droppee replacing the activity (“MainActivity”) used in other apps and APKs. The service is exported and can be run by other processes running on the device. This service has a custom-made action triggered by binding to this specific service. The downloader uses this to create and bind to this service and run the droppee every time it is required.

The method works as follows:

  • The droppee has a service called “com.companian.date.sepherd” exported and holds an intent-filter with the custom action “com.ticket.stage.Service.”
  • When the downloader wants to run the droppee, it creates and binds to this droppee service using the API “BindService” with the flag “BIND_AUTO_CREATE” that creates and runs the droppee service.
  • After the creation and binding of the droppee service, the droppee APK is launched and starts to operate.

The BindService API has the following parameters:

  • The service intent “com.ticket.stage.Service”
  • The flag “BIND_AUTO_CREATE” (0x01) that creates and binds to the service (if the service does not exist)
  • ServiceConnection object that connects to the droppee service and consists of an interface to monitor the state of the application service

In this way, the downloader succeeds in triggering the droppee to run. The ServiceConnection object is used as an interface to maintain communications between the downloader and the droppee and allows them to send messages between themselves and communicate through this interface.

In the following image, we see the code from the downloader APK that creates and binds to the exported service of the droppee APK, which we saw in the previous image, to trigger the droppee to run and send it commands to execute.

This code must run at the first running and execution of the droppee, just after the downloader installs the droppee. Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered. The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.

This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device. PixPirate malware is the first financial malware observed by IBM Trusteer researchers that uses this technique to hide itself and its launcher icon so that victims won’t notice that malware is installed and running on the device.
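A defender-side triage check for the pattern described in this section, added here as an example rather than code from the IBM Trusteer report or from the malware: it parses a decoded AndroidManifest.xml and flags an app that declares no MAIN/LAUNCHER activity but exposes an exported service reachable through a custom intent-filter action. The package, component and action names in the two constructed sample manifests are assumptions, not PixPirate’s real identifiers.

```python
"""Static triage check for the launcher-hiding pattern described above.

Added example, not code from the IBM Trusteer write-up or from PixPirate.
Input is a decoded AndroidManifest.xml (for example, apktool output). All
package, component and action names in the sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_EXPORTED = "{%s}exported" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
ACTION_MAIN = "android.intent.action.MAIN"
CATEGORY_LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest shaped like the droppee: no MAIN/LAUNCHER activity, one
# exported service with a custom action and no permission guarding it.
SAMPLE_DROPPEE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppee">
  <application android:label="Update">
    <service android:name="com.example.hidden.Entry" android:exported="true">
      <intent-filter>
        <action android:name="com.example.custom.Service"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app: visible icon, no exported services.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


def _filter_values(component, tag):
    """android:name values of <tag> elements in all of a component's intent-filters."""
    return {el.get(A_NAME) for flt in component.findall("intent-filter")
            for el in flt.findall(tag)}


def has_launcher_activity(application):
    """True if some activity or activity-alias is MAIN + LAUNCHER, i.e. has an icon."""
    comps = list(application.iter("activity")) + list(application.iter("activity-alias"))
    return any(ACTION_MAIN in _filter_values(c, "action")
               and CATEGORY_LAUNCHER in _filter_values(c, "category") for c in comps)


def exported_custom_services(application):
    """Services other apps can bind to via an action outside the android.* namespace.

    A service that declares an intent-filter is exported unless
    android:exported="false" is set explicitly, so both spellings are handled.
    """
    findings = []
    for svc in application.iter("service"):
        exported_attr = svc.get(A_EXPORTED)
        has_filter = svc.find("intent-filter") is not None
        exported = exported_attr == "true" or (exported_attr is None and has_filter)
        if not exported:
            continue
        custom = sorted(a for a in _filter_values(svc, "action")
                        if a and not a.startswith("android."))
        if custom:
            findings.append({"service": svc.get(A_NAME), "actions": custom,
                             # None: any app on the device may bind to it.
                             "permission": svc.get(A_PERMISSION)})
    return findings


def triage(manifest_xml):
    """Summarise one manifest and say whether it matches the hidden-droppee pattern."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        raise ValueError("manifest has no <application> element")
    launcher = has_launcher_activity(application)
    services = exported_custom_services(application)
    return {
        "package": root.get("package"),
        "has_launcher_activity": launcher,
        "exported_custom_services": services,
        # No icon to launch it, but a second app can start it by binding.
        "matches_hidden_droppee_pattern": (not launcher) and bool(services),
    }


if __name__ == "__main__":
    for m in (SAMPLE_DROPPEE_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage(m))
```

A match is a triage signal, not proof of malice: legitimate apps without a launcher activity exist, so the finding should be reviewed together with the permissions the app requests and whether the exported service is guarded by an android:permission.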

Fraud modus operandi

PixPirate campaigns mostly target customers of banks in Brazil. It mainly attacks the Brazilian payment service called Pix, the standard instant payment platform in Brazil. Most of the banks in Brazil implement the Pix API to support Pix transactions from within the banking app itself.

What is Pix?

Pix is an instant payment platform that enables the quick execution of payments and transfers between bank accounts. Customers receive a Pix string or QR code that contains the amount to pay for services or goods to complete a transaction. Then, customers pay the Pix payment using their bank apps or through internet banking. They can pay or transfer money using Pix through their banking app.

The Pix payment service launched in November 2020 was heavily adopted by users and businesses in Brazil and broke records in the number of users, financial transactions, and volumes. In the following graph, we can see the number of Pix transactions (in thousands). In March 2023, it reached 3 billion transactions in a single month.

Financial transaction volume reached 1,250,000,000,000 Brazilian reals in March 2023, which is about $250 billion. By May 2023, the number of Pix users reached 140 million.

Pix fraud MO

PixPirate Pix fraud occurs by initiating a new Pix transaction from the victim to the fraudster’s Pix account or by changing the Pix details of the receiver of a legitimate Pix transaction initiated by the victim to the fraudster’s Pix details.

Technically, Pix fraud is performed thanks to PixPirate RAT capabilities gained by abusing the Android accessibility service. The malware monitors the victim’s activities on the device and waits for the user to launch a targeted banking application. On each accessibility event, it checks the type of event that occurred. If the event type is “TYPE_WINDOW_STATE_CHANGED,” it retrieves the name of the package of the app from the window. If the app is in the target list, the malware can start its malicious activities.

When the victim launches their bank app, the malware grabs and collects the user credentials and account info while the user enters their credentials to log in. The malware sends the stolen info and credentials to the attacker’s C2 server. The victim is not aware that the malware is stealing credentials as everything seems legitimate, as the malware hides itself and operates in the background.

When the malware decides to carry out the fraud, it pops up a new screen on top of the current screen of the device that hides the malware’s malicious activities from the victim. The malware launches the bank app (if it’s not running yet) and goes to the Pix page by pressing the app buttons programmatically. Once on the Pix transfer/payment page, the malware executes the Pix money transfer.

In the following image, we can see the different functions the malware calls to enter the relevant details and execute the money transfer (Pix details, amount, password and so on).

The main function responsible for the fraud is “strictPay_js.action.transfer,” which executes the fraud automatically. First, it calls SendPageNode(1), passing the argument “1”; this function navigates to the Pix page in the banking application. The next function is sendBalance(), which consists of three subfunctions:

  • inputPix(): Enters the Pix details for executing the Pix money transfer
  • continue2Password(): The malware enters the stolen victim’s credentials
  • waitUntilPassword(): Waits until the Pix money transfer is completed and validates that it was successfully executed

The same technique is used by PixPirate for the second Pix attack MO of intercepting the victim operations and changing the Pix details while the victim transfers the money without the victim knowing. PixPirate can manipulate both the target account and the Pix transaction amount.

If 2FA is needed as part of the banking flow, the malware can also intercept SMS messages that the user receives from the bank.

Automatic fraud capabilities

PixPirate fraud occurs automatically, as this malware contains code for all the different activities that are required to complete Pix fraud — log in, enter Pix details, enter credentials, confirm and more. PixPirate is not only an automated attack tool, but it also has the capability of becoming a manually operated remote control attack tool. This capability is probably implemented to manually execute fraud if the automatic fraud execution flows fail because the user interface of the banking app changes or if a new lucrative target presents itself.

The manual fraud is initiated by popping up an overlay screen on the victim’s device and disabling the user control on the infected device to hide the fraudster’s activities in the background. Next, the malware connects to the C2 and receives commands from the fraudster to be executed. This remote-control capability gives the fraudster control of the victim’s device, including accessing private information and manipulating applications on the victim’s device.

Stay up to date on PixPirate’s capabilities

With nuanced methods of staying hidden and the capacity for serious harm, PixPirate presents a troubling new threat on the malware playing field. We will discuss more on PixPirate’s functionality, capabilities and commands it can receive from the C2 server in part two of our PixPirate blog.

PixPirate IOCs:
Downloader: 019a5c8c724e490df29020c1854c5b015413c9f39af640f7b34190fd4c989e81
Droppee: 9360f2ee1db89f9bac13f8de427a7b89c24919361dcd004c40c95859c8ce6a79

It’s Not Too Soon to Start Talking About 6G
https://securityintelligence.com/articles/its-not-too-soon-start-talking-about-6g/
Fri, 17 Dec 2021 14:00:00 +0000

The post It’s Not Too Soon to Start Talking About 6G appeared first on Security Intelligence.

We may be only a short time into 5G deployments, but discussions of the impact 6G technology will have on our lives have already started. In late 2020, the Alliance for Telecommunications Industry Solutions created a new group called the Next G Alliance to “advance North American mobile technology leadership over the next decade through private sector-led efforts.” 

You have certainly heard of some of the founding members of this organization, such as AT&T, Ericsson, Mitre, Verizon and Booz Allen Hamilton. In other parts of the world, such as in Korea, Samsung Research founded the Advanced Communication Research Center in 2019. Its principal engineer leads the 6G Vision Group at the International Telecommunications Union – Radiocommunication. 

What Does 6G Do? 

When we talk about 6G, we’re talking about the use of the terahertz (THz) bands, a spectrum that has previously been used in high-resolution health imaging technologies. The technological possibilities are kind of wild: holographic communications, multi-sensory extended reality, 3D coverage, minimal latency and mobile hotspots in lieu of physical towers. The difference will truly be astounding. 5G operates at four to five times the speed of 4G, for a max speed of about 20Gbps, whereas 6G is intended to work at a speed of approximately 1Tbps. That’s 50 times faster than 5G!

The Samsung 6G Vision White Paper gives a sense of what the hyper-connected life could look like by 2030. If history holds true, 2030 is a good estimate for 6G deployment, based on an NTT DoCoMo White Paper that outlines the timing of 3G, 4G and 5G deployments.

Elsewhere, China has openly stated that they want to be the leader in 6G networks and patents, disclosing that Huawei started investing in the technology back in 2017. And countries such as the U.S. and Japan have created investment alliances to keep pace and offer open-source alternatives to country-specific led communication infrastructure. These are all good reasons to draw the conversation into the mainstream.

The Same 5G Challenges, Just a Whole Lot More of Them

With a better sense of what the hyper-connected future could look like, it’s worth looking at the challenges, which are surprisingly similar to the significant ones that come with 5G.

  • Manageability. The leap from 4G to 5G meant more data, more bandwidth, more nodes, more endpoints, more alerts and a greater need for orchestration. That’s a lot of “more”, and we can expect plenty more of it with 6G deployments. More of everything, moving faster than ever, presents a significant increase in management challenges. 
  • Supply chain. If the security operations center isn’t overwhelmed already, increasing supply chain issues (both on the software and hardware sides) will likely get them there. And 6G has every reason to be a supply chain nightmare. A mechanism to certify devices still does not exist, security-by-design development lacks widespread use and even policy and governance issues, such as who is responsible for what (e.g. private sector versus government), have not been finalized.
  • Usage. Who really is the consumer in a 6G world? Is it us mere humans, the traditional end-users, or all the devices and artificial intelligence trying to pump out that holographic image for us to gaze upon? Furthermore, are we looking at a possible end to the wired environment?  Depending on the number of connections, the attack surface can easily become “everywhere”, and the users can be “everyone and everything”.

Security Realities in a Connected World 

The ubiquity of technologies like 5G in our lives poses a question: once these hyper-connected networks go fully online, do they become too big to fail? Consider the following questions: 

6G Security and the Human Element 

6G presents an opportunity for deep integration of artificial intelligence and networking functions, meaning that the security and privacy functions will also become more closely integrated. Just as all aspects of operations will begin to roll into one, so will risk, security and privacy operations. This truly begs the question: where is the starting point? Do you build your network around zero trust and security principles, allowing the privacy issues to flow from there? Or do you start with the privacy program and then let that shape your security program?

Currently, our operations are set up to protect the enterprise. Your organization’s most valuable currency, data, is still, for the most part, behind the fortress. But in a hyper-connected world, that data becomes further distributed, right down to the individual user and device. Therefore, the future of cybersecurity in a 6G world may no longer be about protecting the business network, but rather protecting the privacy of the individual. Cybersecurity leaders would be wise to focus on protection methods to fortify the individual’s ability to minimize risk, even if machines do end up becoming the ultimate “users” after the 6G revolution.

Android Security: Over 150 Security and Privacy Issues Found on Stalkerware
https://securityintelligence.com/news/android-security-150-privacy-issues-stalkerware/
Mon, 19 Jul 2021 13:00:00 +0000

The post Android Security: Over 150 Security and Privacy Issues Found on Stalkerware appeared first on Security Intelligence.

Who stalks the stalkers? When it comes to Android security, stalkerware presents a double risk.

It’s common knowledge that mobile stalkerware undermines a target’s privacy. That’s kind of the point. A stalkerware incident often involves someone, such as a spouse, gaining physical access to someone’s smartphone and installing a monitoring app. They then use that software to remotely track what another person is doing on the device or spy on where they’re going.

What’s not so widely known is that stalkerware vendors don’t always code their apps correctly.

For instance, ESET found over 150 errors in 58 stalkerware Android apps. Those issues not only further compromised targets’ Android security and privacy, they also put the snoopers themselves at risk.

Read on to learn which weaknesses appeared most frequently in the apps surveyed.

Android Security Stalkerware Problems at a Glance

Out of the 158 issues ESET found, the most common type was insecure transmission of users’ personally identifiable information. This category accounted for 22 vulnerabilities, ranking higher than storing sensitive information on external media and exposing sensitive user information to unauthorized access, which account for 19 and 17 weaknesses, respectively.

The fourth most prevalent problem, at 17 weaknesses, was server leak of stalker information. ESET found that several stalkerware apps kept information about those using the app to track someone. It also stored a victim’s data on a server — even after the stalker requested that the service delete their information. That data might have included more information about the tracker in the event that they had an existing connection with the target.

Sometimes, victims’ information remained on a stalkerware service’s servers even after the snooper removed their account.

ESET reported the Android security and privacy issues to the stalkerware vendors as part of its 90-day responsible disclosure policy. As of reporting, only six responded by fixing the issues, while seven said that they were working on a fix. One vendor decided not to fix the reported issues; the rest didn’t respond.

The Growth of Stalkerware

ESET’s researchers also found that Android stalkerware detection increased by 48% between 2019 and 2020. This growth has continued into 2021. For example, Avast observed a 93% increase in the volume of spyware and stalkerware app detection over the first two months of the year. That’s compared to the same time period in 2020.

In response, some digital defense groups took action. For instance, the Coalition Against Stalkerware developed a standard definition of stalkerware, which encouraged research into the way it spreads. They also created TinyCheck for the purpose of detecting stalkerware apps, which can pose threats to Android security as well as to other brands of smart phones, in a more efficient manner.

How to Defend Against Stalkerware

The issues discussed above highlight the need for organizations to defend themselves against stalkerware. One of the ways they can do that is to educate their employees about what to look for. For example, smart phone users should delete unused apps and look for strange changes on their devices. In addition, never leave your devices unattended.

In the event organizations discover stalkerware installed on a connected device, they need to approach removal carefully. The best thing to do is to not notify the victim in a way that could be discovered on the compromised device. Instead, they should speak to the victim in person and proceed from there.

Are Your Employees’ Old Phone Numbers Creating Vulnerabilities?
https://securityintelligence.com/articles/cellphone-security-employees-old-phone-number-vulnerabilities/
Fri, 16 Jul 2021 02:00:00 +0000

The post Are Your Employees’ Old Phone Numbers Creating Vulnerabilities? appeared first on Security Intelligence.

In the last hour, I’ve used my phone to take pictures of my teenagers, spy on my dogs while I was out of the house, pay my electric bill and watch a funny video. Then, while buying some new dish towels (yet another use), I used my phone as an identity document without even realizing it — and I may have increased my cell phone security risk at the same time.

Why Cell Phone Security Matters at Work

Because I forgot my password to the online store, I had to reset it. When they sent a code to my cell phone for multifactor authentication, I clicked on the link without a second thought and went on my merry way to buy the new towels. While I’ve been a long-time fan of two-factor authentication because research shows it reduces attacks, especially credential and brute-force attacks, I recently learned that the process has some downsides. By clicking on the link, I used my phone to verify my identity. That allowed the company to tie my phone to the account, which creates a risk.

As long as I don’t change my phone number, it’s not much of an issue. But if I do change my number, it will eventually be assigned to someone else. That someone could take over my accounts. A recent study by Princeton University found that 100 of the 259 phone numbers they tested had linked login credentials on the internet, and that mobile carriers have weaknesses that make recycled numbers vulnerable. You may think that you’d eliminate the risk by wiping your old cell phone free of data. However, you also have to delete the phone number from all the websites that are connected to it. Those could number in the hundreds.

How Abandoned Numbers Increase Risk

Reading the recent study made me start thinking about cell phone security, and specifically the risk abandoned cell phone numbers cause businesses. Any time an employee accesses the network or a business-related account from their mobile phone, their phone becomes an identity document. If an employee accessed their email, a criminal now has access to their email server. They might even have access to all customer information, if the employee updated the company customer relationship management software from their phone. Or, imagine if the employee used their phone to access a corporate account on a retail site. Now, a cyber criminal can go shopping on the company dime. Or worse, steal any credit card information that’s saved.

Why Change Phone Numbers?

When I first read about this vulnerability, I brushed it off. Most people don’t change their phone numbers very often. I’ve had the same number for 13 years and plan to have it for the rest of my life. The prospect of changing it after all these years would be a major headache. But I realized that there are some very valid reasons that people change their phone numbers, including:

  • Divorce
  • Being stalked or harassed
  • Leaving a job where the phone number belonged to their employer.

The expected long-term increase in remote working changed everything. Employees are likely to use their personal mobile phones for business more often than they did before the pandemic. That increases many different types of cybersecurity risks for companies. Businesses need to address this cell phone security issue and create a plan for reducing their risk. It may be tempting to say employees must only use work phones to access sensitive data. But, all your employees are not likely to comply. The better route is to figure out a way that works for your employees and keeps your organization safer.

Reducing Cell Phone Security Risks From Discarded Numbers

The issue gets sticky since the employee is using their own mobile phone. You have a bit more control if you pay a portion or all of their cell phone bill or have a bring-your-own-device (BYOD) security policy. While you cannot totally eliminate the risk, here are some ways to reduce it. At the very least, they will give you a better picture of your exposure to abandoned phone numbers:

  1. Know who is using personal phones to access work accounts. You are at the highest risk when you don’t have a full picture of possible vulnerabilities. It’s almost certain that your risk has increased in this area since the pandemic began. You can’t know for sure until you gather the data. Require each employee to report what devices they use to access business-related servers and accounts. Make sure employees know they aren’t going to be in trouble for doing this. You just need to know how they are accessing what they need for work so the business can protect itself.
  2. Update your BYOD policy to include abandoning phone numbers. If you don’t yet have a BYOD policy, creating one should be your first priority. If you have a BYOD policy in place, update it with any changes that make sense based on your post-pandemic work arrangement. This is especially important if you allow a permanent fully remote or hybrid work environment. Be sure to include a requirement that employees notify the company if they are abandoning a phone number they used to access business accounts. Your cybersecurity team can meet with employees as appropriate. From there, they can evaluate the risks each employee’s phone may incur and decide the best plan to mitigate the risks.
  3. Make sure corporate-owned phone numbers are only recycled internally. If some employees are using phones your business owns, you have control over what happens with them. Because the risk forms when someone outside the company obtains those phone numbers, make sure you don’t abandon those numbers. Instead, reassign them to the next person who needs a corporate phone number.
  4. Park the phone number. You can also pay an outside service a few dollars a month to keep the number active. That way, the carrier cannot assign it to another person or business. While this works pretty easily for corporate phone numbers, you can also offer to pay for this service for employees who are changing their personal phone numbers.
  5. Provide corporate phones for high-risk employees. If you have employees who regularly access accounts that are high-risk, such as ordering from retail sites, consider purchasing corporate phones specifically for their use. This tactic should only be used in rare situations, since most employees’ phones can be kept secure using mobile device management and other protections.

Cybersecurity often involves balancing security with productivity, which is especially true when it comes to cellphone security. You want employees to be able to work from wherever they need to, but also keep your company’s data and infrastructure secure. By taking the time to understand and prevent risks from abandoned numbers, you can reduce your vulnerabilities and risk.

Loving the Algorithm: User Risk Management and Good Security Hygiene https://securityintelligence.com/posts/user-risk-management-tips/ Wed, 17 Mar 2021 11:00:00 +0000 https://securityintelligence.com/?p=421979

Cybersecurity awareness programs can be like painting the Golden Gate Bridge: by the time you think you are done with the current job you practically have to start over. There’s a constant stream of new threats and the double whammy is that they are penetrating deeper into organizations making every employee and device or “thing” a potential risk.

Yet most users probably consider themselves security-minded. They would argue that they are not actively sending sensitive data to malicious recipients, knowingly clicking strange links or downloading attachments from unknown senders. But it happens all of the time. In fact, according to a recent study from Wandera, “15% of organizations had at least one device using an app that leaked password data.”

Another unintentional risk is that those same employees may be putting companies at risk by accessing company data on a personal device running an outdated version of an operating system while connected to the public Wi-Fi. They may also have installed risky applications, repeatedly attempted to visit blocked sites on the corporate browser or attempted to log in from multiple unexpected locations.

With proper unified endpoint management (UEM) policy and compliance rules in place, many of these risks can be proactively avoided. Most organizations enjoy a level of trust between the employees and the UEM administrator. In many cases, there’s no need to take drastic action until it becomes apparent there is a pattern of bad user behavior.

Keeping Good Security Hygiene 

So, what makes for good security hygiene? Understanding and continuously evaluating behavior — and adjusting security measures accordingly — is the best way to keep your organization secure. This way also prevents interrupting the productivity of those security-minded users.

You don’t have to comb through dozens of reports of users engaging in risky behavior to identify the worst offenders. You need a way to quickly understand the most common risks to your company. It is most important to know whether a user is a repeat offender or an average employee making a mistake. Doing that manually in an organization with hundreds or thousands of devices simply is not feasible.

This is where user risk management can help.

What is User Risk Management?

At its most basic level, user risk management is a UEM capability that aggregates risky user behaviors. It logs malicious app installs, unsecured network connections, strange login locations, failed access attempts, unpatched or outdated operating systems and the like. From there, it assigns a user risk score based on defined parameters.

Not worried about login locations since your business thrives on remote work? Keep it out of the score. You only need to care about behaviors that have the most impact on your organization.

Once these scores are created, the system ranks users by which ones present the most imminent threat. That could be a malicious insider or an employee who clicks on every email link with reckless abandon.

After those threats are uncovered, actions can be taken, typically in the form of strong conditional access policies requiring tokens, biometrics or other factors to authenticate. In the case of the hypothetical malicious insider, though, access can be blocked outright while an investigation is conducted.

While user risk management lives within an organization’s UEM platform, its aim is to pull from data sources across the entire security stack. Security information and event management, identity-as-a-service and endpoint detection and response tools can have their logs consolidated within the user risk engine. This allows for a multi-dimensional picture of users as they go about their day interacting with corporate systems.

Is This Good for the User Experience?

Since user risk management is continuously evaluating the behavior of users on their devices, those users who are not presenting a risk to the business are not hindered by access obstacles like their riskier counterparts. Instead, employees who act responsibly can have as frictionless an experience as the UEM administrator chooses to provide.

The other side of the coin with continuous evaluation is that security becomes adaptive. The ‘clean-nosed’ employees can quickly fall into the trap of clicking on a phishing link or downloading a banned app on their personal device, moving them from green to red. At that point, they go from minimal friction to immediate quarantine.

Conversely, the employee who was previously in the red can shift back to green, gaining back permissions and privileges that had been suspended.

This is a great way to administer a Zero Trust security model. While user risk management isn’t the one-size-fits-all method typically used in Zero Trust’s ‘never trust, always verify’ philosophy, it can contribute to that approach. By continuously monitoring, an organization is never turning a blind eye and fully relying on trust. Rather, it is constantly verifying that the user can be trusted until the time comes when the trust is broken.
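
The scoring loop described above (aggregate risky behaviours, weight them, rank users, let the score rise and fall so a user can move from green to red and back) as an added illustration. It is not MaaS360 or IBM code; the event names, weights, half-life, thresholds and the sample log lines are assumptions constructed for the example.

```python
"""User risk scoring over constructed device and access events.

Added illustration (not MaaS360 or IBM code) of the capability described
above: aggregate risky behaviours per user, weight them, rank the users,
and let the score rise and fall over time. Event names, weights, half-life
and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Per-behaviour weights. A weight of 0 keeps a behaviour out of the score,
# e.g. a remote-first company that does not care about login locations.
DEFAULT_WEIGHTS = {
    "malicious_app_install": 40,
    "outdated_os": 20,
    "unsecured_network": 15,
    "unexpected_login_location": 10,
    "blocked_site_attempt": 8,
    "failed_access": 5,
}
HALF_LIFE = timedelta(days=7)       # an event's contribution halves every week
REPEAT_WINDOW = timedelta(days=30)  # earlier repeats inside this window escalate
THRESHOLDS = (("green", 0), ("amber", 30), ("red", 70))
ACTIONS = {
    "green": "allow with no extra friction",
    "amber": "require step-up authentication (token or biometric)",
    "red": "block access while the account is investigated",
}


def parse_event(line):
    """Parse one constructed log line of the form '<iso-time> <user> <event>'."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def score_user(events, now, weights=DEFAULT_WEIGHTS):
    """Time-decayed risk score; repeat offenders escalate, old mistakes fade."""
    by_type = defaultdict(list)
    for ts, event in events:
        by_type[event].append(ts)
    score = 0.0
    for event, stamps in by_type.items():
        weight = weights.get(event, 0)
        if weight == 0:
            continue
        stamps.sort()
        for i, ts in enumerate(stamps):
            age = now - ts
            if age < timedelta(0):
                continue  # clock skew: ignore events stamped in the future
            decay = 0.5 ** (age / HALF_LIFE)
            # each earlier occurrence of the same behaviour inside the window
            # adds 50% to this one: the repeat offender, not the one-off slip
            repeats = sum(1 for prev in stamps[:i] if ts - prev <= REPEAT_WINDOW)
            score += weight * decay * (1 + 0.5 * repeats)
    return round(min(score, 100.0), 1)


def tier(score):
    """Map a score to green/amber/red using THRESHOLDS (inclusive floors)."""
    level = "green"
    for name, floor in THRESHOLDS:
        if score >= floor:
            level = name
    return level


def rank_users(log_lines, now, weights=DEFAULT_WEIGHTS):
    """Return [(user, score, tier, action)] with the riskiest user first."""
    per_user = defaultdict(list)
    for line in log_lines:
        ts, user, event = parse_event(line)
        per_user[user].append((ts, event))
    ranked = []
    for user, events in per_user.items():
        s = score_user(events, now, weights)
        ranked.append((user, s, tier(s), ACTIONS[tier(s)]))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "2021-03-01T09:00:00 alice failed_access",
    "2021-03-10T12:30:00 alice unexpected_login_location",
    "2021-03-02T08:00:00 bob unsecured_network",
    "2021-03-09T08:00:00 bob unsecured_network",
    "2021-03-15T08:00:00 bob unsecured_network",
    "2021-03-16T10:00:00 bob malicious_app_install",
    "2021-02-01T10:00:00 carol blocked_site_attempt",
]


def sample_ranking(ignore=()):
    """Rank the sample as of 2021-03-17, optionally excluding behaviours."""
    weights = {k: (0 if k in ignore else v) for k, v in DEFAULT_WEIGHTS.items()}
    return rank_users(SAMPLE_LOG, datetime(2021, 3, 17), weights)


if __name__ == "__main__":
    for row in sample_ranking():
        print(row)  # bob lands in red, alice and carol in green
```

Because every contribution decays, bob drops back toward green on his own if the behaviour stops, while a fourth unsecured connection inside the window would escalate him further.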

IBM Launches User Risk Management

IBM Security MaaS360 with Watson is announcing the general availability of user risk management. MaaS360’s risk management philosophy aligns with everything outlined above. It supports zero trust initiatives and is designed to ensure a satisfying user experience.

In a nutshell, MaaS360 user risk management can be defined by three major pillars:

  • Identify insights: Through its Watson integration, MaaS360 uses artificial intelligence analytics to help quickly uncover risks and trends as they pertain to enrolled users and devices.
  • Monitor security health: By providing individual risk scores based on UEM data — as well as data from third-party security sources — a holistic picture of a user’s security health can be developed.
  • Enforce compliance: Ensuring that highly risky users are dealt with swiftly and, in many cases, through automated actions, organizations can cut down on time spent resolving issues. That in turn lets them move on more quickly to the investigation and retrospective stage of the threat response.

Interested in learning more? Register for the webinar, where you will hear directly from MaaS360 customers about their experience with the user risk management beta program, as well as from IBM Security product experts on feature details and the roadmap for the future.

Beyond Text Messages: How to Secure 2FA Against Phone Authentication Scams https://securityintelligence.com/articles/how-to-secure-2fa-against-phone-authentication-scams/ Fri, 12 Feb 2021 15:00:00 +0000 https://securityintelligence.com/?p=425320

If you or your employees access protected information with authentication codes sent to a cell phone, you might want to rethink your plan. Two-factor authentication (2FA) using text messages can fall prey to phone authentication scams.

That’s not to say 2FA itself is a problem. You should keep using it, and many groups have turned to it to prevent threat actors from using stolen account credentials. Malicious actors may still try to grab authorized users’ credentials for their own purposes. In fact, the unauthorized use of credentials accounted for 29% of all attacks in 2019, X-Force IRIS observed.

So why is short-message service (SMS) 2FA not as secure as it looks? What other kinds of mobile-based multifactor authentication (MFA) can you use instead?

SIM Jacking: The Problem With SMS-Based MFA

SMS-based MFA is particularly vulnerable to a SIM swap phone authentication scam, says Alex Weinert, group program manager for identity security and protection at Microsoft. This is one of several types of social engineering attacks. In this case, a threat actor contacts a mobile service provider and pretends to be one of its customers.

First, the attacker claims to have lost their device. They ask the cell phone carrier to transfer the targeted customer’s SIM card to a device under their control. Many mobile service providers require customers to set up PINs to protect their accounts against a SIM swap attempt. But that doesn’t prevent customer service workers from feeling the tug of compassion and agreeing to help them out anyway. If this works, the attacker can use their device along with the transferred SIM card to receive SMS-based MFA codes. This gives them all they need to compromise a protected web account.

Phone company employees can cut down on phone authentication scams on their end, too. They could check whether the caller really uses their service. Several free services online are able to look up the cell phone carrier of a mobile number.

Attackers used this tactic against a major social media company in 2018. They were able to access user emails, internal files, source code and other data. To do this, the attackers intercepted the SMS-based MFA codes for some of the company’s accounts with cloud and source code hosting providers. Further investigation showed the attackers had targeted some of the company’s employees with SIM hijacking attacks. In response, the social media company first notified a small number of users who might have been affected. Next, they worked with law enforcement to prevent a similar incident from happening in the future.

What Safe Phone Authentication Might Look Like

The threat of a SIM swap scam needs to be addressed. But it doesn’t mean users should turn away from their mobile devices for MFA. It also doesn’t mean they can’t use SMS text messages for phone authentication. Instead, they could set up a Voice over Internet Protocol (VoIP) phone using a service, such as Google Voice. This provides an alternative to using the phone number assigned by their mobile service provider. These services are free to set up, and give users the ability to use a phone number tied to a major email system like Gmail.

The advantage is that they can protect those accounts using strong passwords and their own forms of MFA that don’t depend on the fallibility of human customer support agents. That way, someone can’t just gain control over a person’s phone number with a fake sob story about having lost an account. An attacker would need to compromise their victim’s email account first.

One potential problem with this method is that not all web services accept VoIP for phone authentication purposes. In response, users can avoid SMS-based MFA altogether by turning to an authentication app, such as Google Authenticator or Microsoft Authenticator. These and other programs like them aren’t tied to a cell service provider. They’re bound to the device itself, meaning a SIM swap won’t have any effect. An attacker would essentially need to steal the user’s device to obtain an MFA code. With that fact in mind, users who choose this method should make sure they’ve removed that phone authentication app from their mobile device before they get rid of it.
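
Authenticator apps of this kind generate codes with the TOTP algorithm (RFC 6238): the code is computed from a secret stored on the device and the current time, so the phone number plays no part. The following is an added example, not code from the article or from any authenticator vendor; the demo secret and account names are constructed, and the server-side verifier (drift window, replay protection) is one reasonable design rather than any particular product's.

```python
"""TOTP (RFC 6238) as used by device-bound authenticator apps.

Added example, not code from the article or from Google or Microsoft. It
shows why an app-generated code survives a SIM swap: the code depends only
on a secret held on the device and on the current time, never on the
phone number. Test values are the published RFC 4226 / RFC 6238 vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

DIGITS = 6
TIME_STEP = 30  # seconds per code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


def totp_now(secret: bytes) -> str:
    """What the app on the device shows right now (no network, no SIM involved)."""
    return totp(secret, int(time.time()))


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI shown as a QR code at enrolment. The secret travels
    to the device once; nothing is ever sent to the phone number afterwards."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={TIME_STEP}")


class TotpVerifier:
    """Server side: accept the current window plus one step either way for
    clock drift, and never accept a window that has already been used."""

    def __init__(self, secret: bytes, digits: int = DIGITS, step: int = TIME_STEP):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.last_accepted_window = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for window in (current - 1, current, current + 1):
            if window <= self.last_accepted_window:
                continue  # replay of an already accepted (or older) code
            expected = hotp(self.secret, window, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_window = window
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; real secrets come from a CSPRNG at enrolment.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "Example Corp"))
    print("current code:", totp_now(demo_secret))
```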

Safe Phone Authentication Across the Connected Workforce

Employers can help their workers use safe MFA phone authentication methods by settling on an MFA plan and writing it into their security policies. Then, use security awareness training to educate users about these policies. At the same time, employers can use mobile device management (MDM) to standardize vulnerability management, MFA and other security functions across their entire connected workforce.

The Importance of Mobile Technology in State Electronic Visit Verification (EVV) Programs https://securityintelligence.com/posts/how-to-prepare-electronic-visit-verification-mandate/ Fri, 29 Jan 2021 20:30:00 +0000 https://securityintelligence.com/?p=424884

Under the federal Electronic Visit Verification mandate, care providers for people with disabilities or the elderly confined to their homes will need to check in and out with a device equipped with GPS. It isn’t a security risk mandate per se, but the use of connected devices for this could add some risk.

What is Electronic Visit Verification?

As a result of the 21st Century Cures Act, the federal Electronic Visit Verification (EVV) mandate requires electronic proof of every Medicaid-funded visit for personal care services (PCS) as of Jan. 1, 2021, and will require electronic proof for home health care services by Jan. 1, 2023. The Cures Act requires independent, electronic visit verification for certain types of Medicaid visits.

The use of smartphones for this check-in (whether through bring-your-own-device (BYOD) programs or end-of-life devices) is where the security risk comes in. As states prepare to comply with this mandate, several state requests for proposals have shown that a GPS-enabled smartphone is the preferred method of EVV deployment.

Why? Smartphones enable providers to deliver care in any approved location, while also capturing the required GPS location.

Key Ways to Prepare

While there are countless smartphones on the market, many consumer phones often do not meet the technical or security needs of a compliant EVV program. Those that do are often too costly for EVV purposes.

There are three basic options for health care providers to deploy a successful EVV program:

  • Leverage a BYOD setup.
  • Purchase new devices from your cellular provider.
  • Use low-cost specialty devices.

Adoption of EVV has stalled because all three of these approaches fail to meet providers’ needs for a cost-effective, secure and easy-to-use solution.

How Does Electronic Visit Verification Work?

A BYOD environment relies on each employee to own a device that meets baseline standards for this project — the right make and model, operating system (OS) version and not jailbroken or rooted. It also has to ensure employee privacy and keep protected health information (PHI) secure. A BYOD program must be built so that all privacy laws, covering both employees and patients, are respected. Other costs, from ongoing management and employee reimbursement to the complexity of rolling out a BYOD model well, have made this approach expensive.

Purchasing new devices and carrier services guarantees the devices are uniform and allows a provider to develop a detailed EVV program. However, the capital costs that often come with buying new hardware and the recurring data plan payments have made this method too costly at scale.

Devices that have been sourced as EVV-use-only devices in the past have been the lowest-cost option. Because cost drives the choice, these devices are often past end-of-life before they have even been purchased and deployed. In this state, they no longer receive any OS updates, patches or app updates. They must be configured by hand, and because these end-of-life devices do not support wireless updates, there is no way to update apps or the OS without removing every device from the field one by one.

The security and compliance risks here are obvious. Without being able to update these devices, there can be no security fixes, new functions, or app improvements made to these devices without manual work. This increases the potential for PHI and compliance violations.

What Can Providers Do?

Providers are now tasked with building their own mobile practice that does a lot of things at once. First, it needs to comply with the EVV federal mandate and state programs. Next, it also needs to make fiscal sense and allow for an effective long-term strategy. Three main pillars that should be the foundation for every provider’s mobile strategy are protection, compliance and cost.

1. State EVV Programs Require Excellent Device Security and Control

Protection for any health care app must be a primary focus. In this case, secure and accurate client and location data must be processed through the EVV app. That data must remain separate from any other personal accounts or apps on the device. The most effective way of doing this is to leverage an OS enterprise management solution like Android Enterprise. With it, both OS and app updates can be performed without the end user having to do anything. Use of the device is limited — users cannot use the device as a hotspot, access the internet or factory reset the device.

2. Software Must Be Compliant With the Electronic Visit Verification Federal Mandate

As state programs decide how to comply with federal rules, providers need a way to electronically check in on visits starting this year. They need to be able to make changes quickly and for a sensible cost. Providers need to build a mobile practice that can deploy right away but is flexible enough to adjust over time without needing major costs and changes.

3. Consider All Costs That Come With Using an EVV Solution

Providers should make sure to account for potential hidden costs. When choosing a BYOD program, they should ensure data reimbursement for end-users and deployment and maintenance costs are included. Providers should look for options that allow them to build a solution for low recurring costs, which includes data, device upkeep and hardware costs, while avoiding larger up-front costs. This will allow long-term cost planning and pivoting as needs change over time.

Solutions for Today

In order to continue to serve patients at the highest level and remain compliant with federal guidelines, providers will need to continue to invest in this area. Groups that develop cost-effective, flexible and long-term EVV plans will be the most successful now and into the future.

One cost-effective and compliant solution is a device built just for Electronic Visit Verification, like the LINK smartphone. These devices address the three main needs for providers — security, compliance and cost — by including cellular data plans and mobile protection along with hardware leases.

QR Code Security: What You Need to Know Today https://securityintelligence.com/articles/scan-go-what-to-know-about-qr-code-security-today/ Tue, 19 Jan 2021 14:00:00 +0000 https://securityintelligence.com/?p=424633

QR codes are very common today, enough so that attackers are discovering ways of using them for profit. How can QR codes be used this way, and what can you do to boost QR code security and protect against these scams?

What Are QR Codes Used For? 

QR codes — short for “quick response codes” — were born in 1994 as a way for Japanese auto parts maker Denso Wave to track parts in car factories. These two-dimensional barcodes enable a smartphone camera to read up to 4,000 characters of information instantaneously. 

After growing in use and breadth of application for decades, QR codes are having a moment. In 2020, consumers and businesses embraced touchless solutions. App-centric payment companies, charities, nonprofits and point-of-sale systems used online QR code generators as a way to make customer portals that avoided button pushing and credit card exchanges. 

The largest tech companies are embracing QR codes in a big way. Silicon Valley companies (and others) are finding QR codes useful for self-service information in retail stores, transactions and other uses. Most interestingly, they’ll also become useful for augmented reality. QR code stickers on an object or wall or table can serve as both an anchor in 3D space for virtual reality objects and the source of the data. 

Smart displays can now support QR codes for scanning grocery items to add to a shopping list. Social networks have embraced QR codes for linking to personal profiles. There’s no question QR codes are now totally mainstream. 

A survey by MobileIron found that 84% of respondents had scanned a QR code before, with a third having done so in the prior week, which raises the question: are QR codes safe?

QR Code Security Issues

They can be. QR codes are convenient — and uniquely powerful for criminals. 

Essentially, they can serve as URLs, carrying the same kind of risk as opening a malicious website on a phone. But unlike a URL, a malicious QR code is less likely to be recognized as such. Beyond URLs, attackers also benefit from the fact that most people don’t know a QR code can compose an email or text message or place a phone call. More than one-third of respondents in the MobileIron survey say they are not concerned about the security risk of using QR codes.

Threat actors can deliver malicious QR codes via instant messages, social media, email, SMS — you name it. And QR codes can initiate action on smartphones, such as launching a payment app and making a payment, adding a contact or following a malicious account on social media. They can also divulge the victim’s location or add a malicious Wi-Fi network.

Dynamic QR codes are a special risk. The data stored on them can be changed after they’re generated, or they can present different data to different types of devices. 

The rise of QR codes also coincides with the rise of cryptocurrency, to unhappy effect. Bitcoin addresses are often conveyed via QR codes, which is far more convenient than typing out a long Bitcoin address. QR codes inject data, and Bitcoin is data, so the abuse of QR codes to steal Bitcoin was an inevitability. 

Tips for Avoiding QR Code Scams

Users have several ways to minimize the risk of QR code scams and QR code security issues. 

  • If anyone appears to send a QR code, contact the supposed sender and ask if they sent it. 
  • Look out for shortened URLs appearing after scanning a QR code; they can hide malicious destinations. 
  • Organizations: Deploy a mobile defense solution that blocks phishing attempts, exploits, phone take-overs and unauthorized downloads. 
  • Embrace multifactor authentication in place of password access to applications and cloud resources. 

These days, it’s important to cover all your bases when it comes to mobile data protection. Defending against pervasive and growing malicious QR codes should be on the top of that list. 
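
The payload types listed above (URLs, calls, texts, email, Wi-Fi joins, contacts, payments, app links) and the shortened-URL tip can be checked before a scanner acts on a code. The following triage routine is an added example, not code from the article or any scanner product; the shortener list, URI-format handling and sample payloads are constructed assumptions for the illustration.

```python
"""Triage of decoded QR code content before the scanner acts on it.

Added example, not code from the article. It classifies the text a scanner
decodes from a QR code, flags the payload types discussed above (calls,
texts, email, Wi-Fi joins, contacts, cryptocurrency payments, app links)
and shortened URLs, and reports what opening the code would do so the user
can be prompted first. The shortener list is a constructed sample.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample; a deployment would use a maintained list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Schemes that trigger an action on the phone rather than just showing a page.
ACTION_SCHEMES = {
    "tel": "place a phone call",
    "sms": "compose a text message",
    "smsto": "compose a text message",
    "mailto": "compose an email",
    "matmsg": "compose an email",
    "wifi": "join a Wi-Fi network",
    "mecard": "add a contact",
    "geo": "open a map location",
    "bitcoin": "open a cryptocurrency payment",
}


def classify(payload: str) -> dict:
    """Return kind, the action the phone would take, a risk level and notes."""
    result = {"kind": "text", "action": None, "risk": "low", "notes": []}
    text = payload.strip()
    if text.upper().startswith("BEGIN:VCARD"):
        result.update(kind="vcard", action="add a contact", risk="medium")
        result["notes"].append("contact card: check embedded phone numbers and URLs")
        return result

    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower() if sep else ""

    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        result.update(kind="url", action=f"open {host} in the browser", risk="medium")
        if scheme == "http":
            result["notes"].append("plaintext http URL")
        if host in SHORTENERS:
            result["risk"] = "high"
            result["notes"].append(f"shortened URL via {host}: destination hidden")
        if parts.username or parts.password:
            result["risk"] = "high"
            result["notes"].append("credentials embedded in URL, a lookalike-host trick")
        return result

    if scheme in ACTION_SCHEMES:
        result.update(kind=scheme, action=ACTION_SCHEMES[scheme], risk="high")
        if scheme == "wifi":
            # WIFI:T:<auth>;S:<ssid>;P:<password>;;  (escaped ';' not handled here)
            fields = dict(f.split(":", 1) for f in rest.split(";") if ":" in f)
            result["notes"].append(
                f"joins network '{fields.get('S', '?')}' with auth {fields.get('T', 'nopass')}")
        elif scheme == "bitcoin":
            addr, _, query = rest.partition("?")
            amount = parse_qs(query).get("amount", ["?"])[0]
            result["notes"].append(f"pays {amount} BTC to {addr}")
        elif scheme in ("sms", "smsto", "tel"):
            number = rest.split("?", 1)[0].split(":", 1)[0]
            result["notes"].append(f"targets number {number}")
        return result

    if sep and scheme.isalnum() and rest.startswith("//"):
        # custom app link such as payapp://send?...; the handling app decides what happens
        result.update(kind="app-link", action=f"open the app registered for {scheme}://", risk="high")
        return result

    return result  # plain text (a table number, a serial, ...)


def needs_confirmation(result: dict) -> bool:
    """Policy: anything that acts on the phone or hides its destination is confirmed first."""
    return result["risk"] != "low"


if __name__ == "__main__":
    # Constructed sample payloads as a scanner would decode them.
    for sample in ["Table 12", "https://bit.ly/menu", "tel:+15555550100",
                   "WIFI:T:WPA;S:Free Cafe;P:hunter2;;", "bitcoin:1ExampleAddr?amount=0.01"]:
        r = classify(sample)
        print(sample, "->", r["action"], r["risk"], r["notes"])
```

A dynamic QR code resolves through a redirect service, so its decoded payload is just a URL to that service; the shortener check above is the same idea and should cover whichever redirect hosts the organization sees.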

Joker Malware Hits Google Play with 17 Variants https://securityintelligence.com/news/joker-malware-hits-google-play-with-17-variants/ Wed, 13 Jan 2021 12:00:00 +0000 https://securityintelligence.com/?p=424517

Digital attackers uploaded 17 versions of the Joker malware family to Google’s Play Store in September 2020 as part of an ongoing effort to target Android users.

How the Attackers Bypassed Google’s Vetting Process

The Zscaler ThreatLabZ research team found on Sept. 24, 2020, that digital attackers had concealed the Joker malware versions in applications ranging from PDF scanners to Android keyboards and photo collage programs to translators.

In its study of the malicious apps, the firm found that digital attackers used one of three techniques on each occasion to evade detection by Google’s vetting systems.

The first scenario involved the download of the Joker malware payload from a URL sent over by the attackers’ command-and-control (C&C) server. The apps did this by using string obfuscation to conceal the C&C address in their code.

As for the second scenario, the malicious app dispensed with a C&C address and opted for a stager payload URL encoded in its code. The malware downloaded the stager payload in the form of an Android Package or a Dalvik executable file. This stager then retrieved the final payload URL, downloaded the payload and ran it.

For the third and final scenario, the infected app contacted its C&C server to retrieve a stage one payload URL and download the payload. This payload then obtained a stage two payload that functioned exactly as the first. That payload included a hardcoded URL for downloading the final payload.

At that point, the Joker malware got to work. It stole SMS messages and contact lists and signed the victim up for premium Wireless Application Protocol (WAP) services.

Those apps had garnered about 120,000 downloads at the time Zscaler discovered them.

Zscaler’s researchers notified the Google Android Security team about the malicious apps. Because of this, Google’s personnel removed the apps from the Play Store.

Other Recent Attacks Involving Joker Malware

The malware attack described above wasn’t the first time in 2020 that Joker made headlines. Back in February, Check Point Research found that a few new samples of the spyware and premium dialer family had infiltrated Google’s Play Store. Those samples garnered more than 130,000 downloads at the time they were found. They all appeared on Check Point’s radar at the same time as a new click malware family called Haken.

Just a few months after, Check Point once again detected Joker samples hiding in the Play Store. This time, however, they spotted the malware using an old trick from the PC threat world — concealing a dynamically loaded hex file — to evade Google’s detection. A couple of months later, Pradeo found six more apps infected with the malware. Then, at the end of September, Zimperium reported on the discovery of 64 Joker variants within the span of less than a month.

How to Defend Against Mobile Malware

Organizations can help defend against types of malware like Joker by abiding by mobile security best practices. For instance, they can use their comprehensive vulnerability management programs to keep all mobile devices up to date and to limit app installations to trusted developers on official marketplaces. Security teams can enshrine these practices into their organization’s security policies to augment those measures. They also can use ongoing security awareness training to educate the workforce about the importance of following those guidelines.

Simultaneously, organizations can consider using advanced security solutions that use AI to spot threats that prey upon mobile devices and/or other connected assets in an attempt to infiltrate the corporate network.

The post Joker Malware Hits Google Play with 17 Variants appeared first on Security Intelligence.

Minecraft-Themed Fleeceware Apps Hide Steep Fees
https://securityintelligence.com/news/minecraft-themed-fleeceware-fees/ Thu, 07 Jan 2021 18:00:00 +0000

Digital attackers used Minecraft-themed fleeceware apps in the Google Play Store to prey on millions of Android users.

Surfing the Fleeceware Wave

Avast reported seven fleeceware apps to Google Play in mid-November. Most of those apps claimed to offer Minecraft-related skins, maps and/or mods for the popular game. Others offered skins for other games or advertised themes and wallpapers for Android devices.

Using those disguises, all of the apps managed to attract more than 100,000 people before Avast discovered them. Five of them boasted more than one million downloads. All of the apps Avast discovered were still up on Google’s Play Store at the time of writing.

What Is Fleeceware?

A fleeceware app isn’t traditional Android malware in the sense that it doesn’t contain malicious code. Instead, the threat comes from excessive subscription fees that it might not clearly advertise to mobile users. Fleeceware entices a victim into downloading an app that interests them. Then, the developer counts on the user forgetting about the program and/or failing to notice the actual subscription fee.

These developers target younger users who might not pay attention to the subscription’s details. The developer fleeces the victim by tricking them into paying money for something they might not want, they might not know they have or they might have gotten elsewhere free of charge.

Fleeceware on Google Play

This wasn’t the first time fleeceware found its way into Google’s Play Store. In January 2020, SophosLabs revealed it had detected more than 20 fleeceware apps hiding out in the Android marketplace. Those apps gained a collective total of over 600 million installations. One of those apps charged users $3,639.48 annually, or $69.99 per week, for displaying daily horoscopes.

A few months later, Google updated its policies to ensure that users understood the full price of an app subscription, when free trials and introductory offers end and how to manage their app subscriptions.

That didn’t stop some people from attempting to get around Google’s policies. In August 2020, Google removed some fleeceware apps for failing to include a dismiss button and for displaying subscription information in small, light fonts.

Mobile Security Best Practices

Organizations can help defend their users against fleeceware apps, such as the ones described above, by using Mobile Device Management (MDM) to limit the functionality of apps installed on corporately owned mobile devices. They can also use ongoing security awareness training to reinforce compliance with their security policies. Those policies should include a list of allowed mobile apps and app marketplaces that employees can use on their mobile devices.

The post Minecraft-Themed Fleeceware Apps Hide Steep Fees appeared first on Security Intelligence.
