Check Point today disclosed details about a set of four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets. The Check Point mobile threat research team, which calls the set of vulnerabilities QuadRooter, presented its findings in a session at DEF CON 24 in Las Vegas.
What is QuadRooter?
QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.
Learn more: Download our QuadRooter report today.
Some of the latest and most popular Android devices found on the market today use these chipsets, including:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
How are Android devices exposed to this vulnerability?
An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.
Learn the technical details of QuadRooter: Download our report today.
What Android devices are at risk?
QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. Any Android device built using these chipsets is at risk. The drivers, which control communication between chipset components, become incorporated into Android builds manufacturers develop for their devices.
Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.
This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.
How can I protect employees’ devices from attacks using these vulnerabilities?
Without an advanced mobile threat detection and mitigation solution on the Android device, there is little chance a user would suspect any malicious behavior has taken place.
What are the risks if an attacker exploits the vulnerability on a device?
If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.
How can my employees protect their personal devices from QuadRooter?
Check Point continues to recommend that organizations encourage employees to follow these best practices to help keep Android devices safe from attacks:
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device – either intentionally or as a result of an attack.
- Examine carefully any app installation request before accepting it to make sure it’s legitimate.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks, or, while traveling, use only those that you can verify are provided by a trustworthy source.
- End users and enterprises should consider using mobile security solutions designed to detect suspicious behavior on a device, including malware that could be obfuscated within installed apps.
For users who use their personal Android devices for work purposes, Check Point also recommends the following considerations:
- Enterprises should deploy a mobile security solution that detects and stops advanced mobile threats.
- Contact your mobility, IT, or security team for more information about how it secures managed devices.
- Use a personal mobile security solution that monitors your device for any malicious behavior.
Where can I learn more about QuadRooter?
The Check Point mobile threat research team has compiled a report that includes a detailed analysis of each vulnerability and how attackers can exploit these on Android devices. Also available is a free QuadRooter scanner app on Google Play, which can tell you if these vulnerabilities exist on your device.
DIY Attribution, Classification, and In-depth Analysis of Mobile Malware
The security research community has been dealing with malware attribution and classification for decades. The benefits of this process for PC-based malware are myriad and well known. Check Point has followed the same process for multiple malware campaigns during the last year, including Volatile Cedar, Rocket-Kitten, and the Nuclear Exploit Kit.
In fact, the PC malware research field is so mature that many security-savvy enterprises now have their own internal teams of cyberanalysts. These teams conduct in-depth malware research as part of their incident response and threat intelligence duties with a focus on their organization’s specific needs, domains, and adversaries.
However, the tools, skills and knowledge used in the world of PC malware haven’t fully evolved to serve these analysts when it comes to mobile malware. This puts them and the organizations they serve at a disadvantage. Classifying, attributing, and performing in-depth analysis of mobile malware is more critical than for PC malware because:
- The mobile ecosystem is far more dynamic, so cybercriminals are constantly evolving the tools they use to keep up. They’re also looking for sustainable, scalable business models that generate revenue through fraud while defeating security enhancements introduced by Apple and Google on a regular basis.
- Attribution and malware family categorization reveal trends in the broader cybercriminal community. This helps enterprises deploy appropriate defenses before a trend turns into an epidemic. ElevenPaths details an excellent example of how it was able to categorize and attribute two malware campaigns discovered by Check Point – BrainTest and HummingBad. It explains how rooting and placing a backdoor on Android devices is a technique now used by multiple distinct malware families authored by at least two distinct groups of Chinese cybercriminals.
- Proper malware risk categorization is of particular importance for mobile threat defense in Bring Your Own Device (BYOD) deployments. If an employee installs aggressive adware on a device, would that be enough to block access to corporate email on its own? What if the adware roots and places a backdoor on a device? What if the adware doesn’t root the device but provides access to a group that generates rootkits? These are difficult questions to answer without the proper context and categorization.
While Check Point’s Mobile Threat Prevention Advanced Response Team (ART) addresses concerns like these on a daily basis as part of the service it provides, many customers would like to have these capabilities in-house to run their own investigations in parallel or off-line.
Enter the world of Tacyt
Tacyt is an intelligence-led tool for the monitoring and analysis of mobile threats. Developed by ElevenPaths, a Telefónica company, Tacyt provides professionals and security experts with big data technology for easy mobile app environment investigation. It is the first off-the-shelf, enterprise-grade service that cyber analysts can use to conduct full investigations, including mobile malware research, attribution, categorization, and monitoring.
This innovative tool allows analysts to search, match, and investigate different parameters (metadata) of iOS and Android apps, which Tacyt obtains through its cross-market and cross-platform search engine. The solution enables the analyst to identify potential “singularities,” meaning any data, technical or circumstantial, that makes an app or its developer, as a person, distinguishable from others within a reasonable margin of error. Additionally, it collects indicators of compromise (IoCs), properties, and identifiers from each app, building up a unique app big data set with a historical record of over 6 million current and past versions.
Tacyt is easy to use, provides a sleek interface, and has an extensive set of APIs for automation. Also, reports can trigger alerts on specific app properties, extending the use-cases to brand protection and campaign monitoring.
Check Point Mobile Threat Prevention and Tacyt
Check Point Mobile Threat Prevention and Tacyt complement each other. Mobile Threat Prevention provides the highest level of security for iOS and Android smartphones and tablets. It scores mobile threat risks and feeds this information into mobile device management (MDM) compliance engines in real-time. Using this information, an MDM can automatically trigger appropriate reactive security measures like blocking a device’s access to corporate email or other sensitive systems.
When combined with Tacyt, the joint solution allows customers to conduct in-depth research into any incidents Mobile Threat Prevention detects. This provides full context and a better understanding of the exposure to cyberthreats on mobile devices supported by the enterprise. Telefónica, which chose Check Point Mobile Threat Prevention as its mobile security offering for its enterprise customers, offers this joint solution today.
For more information, check out ElevenPaths and schedule a demo of Check Point Mobile Threat Prevention today.
Hack In The Box: Mobile Attackers Are Listening In
While most mobile attacks require some level of interaction with the user, Man-in-The-Middle (MiTM) attacks can achieve their goal without the user ever knowing they occurred. This type of attack allows attackers to eavesdrop on, intercept and alter traffic between your device and any other counterpart.
There are several ways by which hackers can execute such attacks, the most prominent of which is using a spoofed hotspot. Many attackers establish fake hotspots with names similar to legitimate hotspot names, for example, “Starbucks Coffee” instead of “Starbucks.” Unaware, the user connects to the malicious hotspot. Once the user tries to connect to the server, the hacker uses his control over the hotspot to attack the user.
Having access to the Internet is critical for on-the-go professionals, so the convenience of open Wi-Fi hotspots often outweighs the risk that these connections may not be safe. For hackers, spoofing or taking control of a hotspot is easy, and does not raise any alert for users.
The familiar alert and warning signs on PCs and laptops are far more subtle and easily overlooked on mobile devices. Small screen sizes can hide web addresses, making it harder to validate the address the browser is pointing to. Moreover, some MiTM attacks can be conducted without even triggering these subtle signs.
Once an attacker controls the hotspot a device is using, spoofed or legitimate, he can initiate several malicious activities, including intercepting or altering the communication, and even installing malware on the device. All of this is possible even if the communication is encrypted: the hacker can either present fake certificates or downgrade the communication link so that he can access the actual information passing through.
Some users disregard the threat MiTM attacks pose, stating they are not likely to actually happen. However, we fend off MiTM attacks on a regular basis, as we have done earlier this year when hackers tried to attack a senior executive at a large financial company.
So, how is it possible to protect users against MiTM attacks? The answer is behavioral analysis that can detect rogue hotspots and malicious network behavior and conditions, and automatically disable suspicious networks to keep devices and your data safe. You can defend your device even further by using a solution capable of validating the integrity of secure connections to detect compromises.
Two additional proactive features implemented by advanced threat prevention solutions are honeypots and VPNs. A cloud-based honeypot is a system set up to attract and identify attackers who try to penetrate your network. A VPN (Virtual Private Network) can be dynamically triggered on the device to protect the privacy and integrity of communications and minimize the impact of an attack.
A comprehensive solution capable of protecting you against MiTM attacks should include the following features:
- Use behavioral analysis to detect rogue hotspots and malicious network behavior.
- Automatically disable suspicious networks to keep devices and your data safe.
- Validate the integrity of secure connections to detect compromises.
- Use a cloud-based honeypot to attract and identify attackers.
- Use on-device remediation to dynamically trigger a secure VPN that protects the privacy and integrity of your communications.
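As an added example, not part of the original post and not Check Point's product code: a simplified version of the rogue-hotspot heuristics listed above (lookalike names such as “Starbucks Coffee” for “Starbucks”, evil twins, and security downgrades), run over a constructed Wi-Fi scan. It assumes the device keeps a record of trusted networks (name, known access-point MACs, security type); every MAC address below is a placeholder.

```python
"""Rogue-hotspot heuristics for the MiTM scenario above: lookalike SSIDs,
evil twins (trusted name, unknown access point) and security downgrades.
Added example, not Check Point's code; the scan data is constructed and
every BSSID is an invented placeholder."""
from dataclasses import dataclass
import re

_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}  # weaker -> stronger
_FILLER = {"wifi", "free", "guest", "coffee", "net", "hotspot", "public"}

@dataclass(frozen=True)
class TrustedNetwork:  # a network the device joined before
    ssid: str
    bssids: frozenset  # access-point MACs seen for this name
    security: str
@dataclass(frozen=True)
class ScanResult:  # one access point seen in a Wi-Fi scan
    ssid: str
    bssid: str
    security: str

def normalize_ssid(ssid: str) -> str:
    """Fold case, drop punctuation and filler words: 'Starbucks Coffee',
    'STARBUCKS_Free WiFi' and 'starbucks' all collapse to 'starbucks'."""
    words = re.sub(r"[^a-z0-9 ]", " ", ssid.lower()).split()
    return "".join(w for w in words if w not in _FILLER)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one dynamic-programming row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_hotspot(ap: ScanResult, trusted: list) -> list:
    """Return findings for one scanned AP; an empty list means nothing odd."""
    findings = []
    for known in trusted:
        if ap.ssid == known.ssid:
            # Trusted name: the AP and its security level must match memory.
            if ap.bssid not in known.bssids:
                findings.append(f"evil twin: '{ap.ssid}' served by unknown BSSID {ap.bssid}")
            if _RANK.get(ap.security, 0) < _RANK.get(known.security, 0):
                findings.append(f"downgrade: '{ap.ssid}' is {ap.security}, expected {known.security}")
        else:
            # Other name: flag it if it collapses to the trusted name or sits
            # within a small edit distance of it (about one typo per 4 chars).
            a, b = normalize_ssid(ap.ssid), normalize_ssid(known.ssid)
            if a and b and (a == b or edit_distance(a, b) <= max(1, len(b) // 4)):
                findings.append(f"lookalike: '{ap.ssid}' resembles trusted '{known.ssid}'")
    return findings

def scan_for_rogues(scan: list, trusted: list) -> dict:
    """Map BSSID -> findings for every scanned AP that raised at least one;
    a device agent would refuse to auto-join anything listed here."""
    report = {ap.bssid: assess_hotspot(ap, trusted) for ap in scan}
    return {bssid: f for bssid, f in report.items() if f}

# Constructed sample data with placeholder MAC addresses.
TRUSTED = [
    TrustedNetwork("Starbucks", frozenset({"00:11:22:33:44:55"}), "wpa2"),
    TrustedNetwork("CorpNet", frozenset({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}), "wpa2"),
]
SCAN = [
    ScanResult("Starbucks", "00:11:22:33:44:55", "wpa2"),         # genuine
    ScanResult("Starbucks Coffee", "de:ad:be:ef:00:01", "open"),  # the post's lookalike
    ScanResult("Starbucks", "de:ad:be:ef:00:02", "open"),         # evil twin, downgraded
    ScanResult("CorpNet", "aa:bb:cc:dd:ee:02", "wpa2"),           # genuine
    ScanResult("C0rpNet", "de:ad:be:ef:00:03", "wpa2"),           # typo-squat
    ScanResult("AirportFree", "de:ad:be:ef:00:04", "open"),       # unrelated open network
]
```

Calling `scan_for_rogues(SCAN, TRUSTED)` flags only the three placeholder `de:ad:be:ef:00:01`, `:02` and `:03` access points; the genuine networks and the unrelated open one produce no findings.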
To learn more about the major threats facing mobile devices in the enterprise, read our CISO’s Guide to Mobile Security.
CallJam Android Malware Found on Google Play
Keeping Android smartphones and tablets safe from malicious apps is a constant battle for enterprises, end users, and for Google. Despite Google’s efforts to prevent cybercriminals from infiltrating Google Play, the Check Point mobile research team has discovered new Android malware there it calls CallJam.
CallJam malware includes a premium dialer that generates fraudulent phone calls as well as a rogue ad network capable of forcibly displaying ads to its victims. The malware is hidden inside the game “Gems Chest for Clash Royale,” which was uploaded to Google Play in May. Since then, the game has been downloaded between 100,000 and 500,000 times.
Check Point notified Google today about the malware which remains on Google Play as of this morning.
On Their Best Behavior: Securing iOS and Android in the Enterprise
In today’s business environment, using mobile devices isn’t just a business requirement, it’s an employee expectation. But for some organizations, these devices present security challenges that prevent or limit their ability to support a fully mobile enterprise. It’s not enough that they just deploy or manage iOS and Android devices, they also need to defend them against advanced attacks with confidence.
Understand your level of risk
A recent survey of security professionals showed 75% of companies allow personal devices to connect to corporate networks. Workers use these same devices to download personal apps and email – exposing business networks to phishing scams and malware infections. Just one compromised device can let cybercriminals steal sensitive information, or even spy on closed-door meetings using device microphones or cameras.
Is your business ready for the next mobile breach? Find out!
Download: Gartner Market Guide: Mobile Threat Defense solutions
Discovering a breach takes an average of six months, according to a 2015 Ponemon Institute report, and responding to and fixing one takes another three months. This means that once breaches are found, the damage is already done. Remediation can be costly, as is the damage to brand reputation. Even if the damage is under control, a company may not know which vital trade secrets were compromised until its competitive advantage is lost.
Find your mobile exposure points
Embedded malware or infections by multiple types of malware, such as credential stealers, keyloggers, mRATs, and unauthorized rootkits, put sensitive data at significant risk. Unknown or “zero-day” malware can be particularly difficult to find – until it’s too late. Quarantining infected devices from the company network and assets is key. Only after users are informed and the threats removed can those devices touch the network and assets again.
Keeping devices and data safe from these kinds of cyberattacks requires advanced behavioral analysis that senses and stops attacks before they can start. But these solutions also have to be easy to use, simple to manage, and they can’t have any impact on device performance or battery life.
Cover your assets
One of the ways to do this is by deploying a lightweight app to monitor device behavior. Then, to keep devices performing optimally, a powerful cloud engine should work with the information the app collects to evaluate risks in apps, networks, and on devices – including the operating system and kernel code vulnerabilities.
Your bottom line is always important, so keeping an eye on implementation and ongoing maintenance costs is critical. Solutions should be delivered with standard, best-practice configurations that an organization can modify to fit its individual security needs. Better still, vendors should offer professional services that help offload these tasks if in-house resources aren’t readily available or lack the needed expertise.
Maintain a well-oiled machine
Keeping the solution operating its best, especially at scale, means it needs to be kept up-to-date at all times. So app updates on devices should be carried out automatically through the Apple App Store and Google Play. Updates and new features of the solution’s management console and analysis engines should also be performed automatically in the cloud.
With a comprehensive solution like this, organizations can arm themselves against tomorrow’s threats – ones that Mobile Device Management and Enterprise Mobility Management (MDM and EMM) solutions on their own can’t address. Add integration with SIEM solutions, and IT and security professionals can have a complete view of the threat landscape across their entire network.
Think your EMM or MDM is all the protection you need? Think again.
Download: Gartner: When and How to Go Beyond EMM to Ensure Secure Enterprise Mobility
Naturally, investing in mobile threat defense has practical advantages like enhancing or extending the life and the value of existing MDM and EMM solutions. Integration enables dynamic policy adjustments based on behavioral risk analysis of individual devices. The result is a level of security that ensures devices organizations provide, and the personal devices employees use for work purposes, are secure. Perhaps more importantly, this level of protection is the best way to safeguard valuable company data from exposure.
Jeff Zacuto is a San Franciscan, gadget geek, and senior mobile security marketer at Check Point Software Technologies. His 15 years of experience with mobile technology, security and compliance gives him a unique perspective on the needs and expectations of IT and security professionals, end users and corporate executives.
Learn more about Check Point Mobile Threat Prevention
Check Point Mobile Threat Prevention analyses mobile threat risks at the app, network, and device level using a lightweight app and powerful cloud engine. This design allows for more comprehensive protection from known and unknown threats, and shifts resource-intensive analysis to the cloud to minimize any impact on user experience and device performance.
It’s easy to install and manage, reducing the time and cost associated with implementing, deploying, and maintaining new solutions. It also leverages the power of the Check Point ThreatCloud and the expertise of the Check Point research team, which has nearly three decades of industry-leading, world-class cybersecurity knowledge and support.
- Learn more: Check Point Mobile Threat Prevention
- See it in action: Schedule a demo of Mobile Threat Prevention
Gartner Recognizes the Importance of Mobile Threat Defense
HummingBad. Stagefright. QuadRooter.
Mobile malware and vulnerabilities have been making headlines throughout the past year, and attacks are becoming a more common way for cybercriminals to steal sensitive data. We believe this trend – one that our research team encounters daily – is illustrated in the Gartner Market Guide for Mobile Threat Defense Solutions.*
This rise in the sophistication and volume of mobile malware and continued exposure to unknown vulnerabilities demonstrates how Android and iOS devices simply aren’t secure on their own.
The Mobile Threat Defense Market is Growing Rapidly
Mobile malware and vulnerabilities aren’t all that different than their cousins in the PC world. We’ve seen how today’s mobile malware imitates techniques introduced by PC malware. As mobile threats develop, more companies should adopt mobile security solutions designed to keep pace with this evolution.
According to Gartner, “by 2018 fewer than 15% of organizations will have mobile threat defense (MTD) in place, which is an increase from fewer than 5% today.” We believe if the number of organizations implementing MTD solutions triples by 2018, it becomes that much harder for cybercriminals to infiltrate and exploit mobile devices, and gives them even less motivation to do so.
- Learn More: CISO’s Guide to Mobile Threat Prevention
- Watch: How Check Point Mobile Threat Prevention Works
The time to act is now. If organizations don’t do something soon to stop mobile malware in its tracks, we’ll soon face a problem on a much wider scale, like the one we encounter already for PCs today.
Organizations Need Across-the-Board Protection
Cybercriminals focus on three main vectors to conduct attacks on mobile devices:
- Networks: Network attacks allow cybercriminals to handpick their targets, minimizing the potential risk of discovery and focusing their efforts only on the specific objective. Cybercriminals can easily set up a fake hotspot, or hijack an existing one.
- Apps: App-based attacks provide cybercriminals with the greatest capabilities, enabling them to compromise virtually any target. Malicious apps can be found in a number of app stores: both the Apple App Store and Google Play have been contaminated with malware. The situation is even worse in third-party app stores, which have even less control over the apps they host.
- Device: Both iOS and Android are riddled with vulnerabilities that developers constantly struggle to patch. These vulnerabilities exist everywhere, from the kernel through the chipsets to the OS. From the moment a vulnerability is discovered to the moment it is patched, cybercriminals can use it to attack defenseless users.
Accordingly, Gartner says “MTD solutions provide security at one or more of these four levels:
- Device behavioral anomalies — MTD tools provide behavioral anomaly detection by tracking expected and acceptable use patterns.
- Vulnerability assessments — MTD tools inspect devices for configuration weaknesses that will lead to malware execution.
- Network security — MTD tools monitor network traffic and disable suspicious connections to and from mobile devices.
- App scans — MTD tools identify “leaky” apps (meaning apps that can put enterprise data at risk) and malicious apps, through reputation scanning and code analysis.”
Check Point Mobile Threat Prevention combats threats at all four of these levels to help keep mobile devices and data safe. It uses static and dynamic threat analysis to detect malicious and leaky apps. It detects and blocks jailbreak or root attempts, which can undermine a device’s built-in protections, and it blocks network attacks and malicious network connections.
MDM and EMM Solutions Are Enhanced by Mobile Threat Defense Solutions
Mobile devices on your network can vary widely between makes, models, and operating systems. That makes MDM and EMM valuable IT assets that help to control your mobile environment.
However, the security these solutions provide can be enhanced by integrating a mobile threat defense solution with the existing EMM or MDM, providing additional value without interfering with what is already deployed.
We believe Check Point Mobile Threat Prevention meets these requirements and integrates easily with major EMM and MDM solutions, providing a more secure mobile environment. It protects mobile users and an organization’s data from network-, app-, and device-borne attacks and works with existing security infrastructure to extend value and effectiveness.
To get one step ahead of mobile malware, organizations should consider implementing advanced mobile security solutions that can thwart malware and vulnerabilities before these can infiltrate their networks.
*Gartner Market Guide for Mobile Threat Defense Solutions, John Girard, Dionisio Zumerle, Published: 28 July 2016
