
Messaging Anti-Abuse Working Group

Threat of Mobile Malware and Abuse

Alex Bobotek,
Co-Vice Chairman, MAAWG
Co-Chairman, MAAWG Wireless Special Interest Group

MobiCASE Mobile Security Workshop, October 28 2010


Attendees Reminder:
Press is present
• What you say may be reported

MAAWG | maawg.org | Washington D.C 2010


2
20 Years of Mobile Abuse

• 1996-1999: The birth of consumer mobile data


– Mobile abuse nearly non-existent

– Widespread paranoia

• 2000-2008: Steady growth


– Grew up with scattered spam, pranks and fraud

• 2009-2013: The mobile explosion


– The rise of mobile abuse

• 2014-2015: Fixed/Mobile convergence

Page 3
PART I: HISTORY
Pre-2000 Issues

Threat | AT&T Wireless Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | L

Page 5
2004 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | Brightmail content filters | M

Page 6
2006 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, limiters, anti-harvest; Brightmail content filters | H
Targeted Web→SMS and Email→SMS spam | RBLs, limiters, anti-harvest; Cloudmark content filters; honeypots; active monitoring | H

Page 7
Web→SMS Spam: 7/2006 AT&T “Passport Holiday” Attack

• First sophisticated, high-volume, targeted SMS attack, using custom-developed malware
• AT&T attacked: Replay of 2005 email attack on Verizon
• Directed against WebSend (www.cingularme.com)
• Used a network of open/hijacked PCs/proxies to hide IP
• Sample spam SMS (one of several morphing types):
FRM: Angela
SUB: absolutly
MSG: Congratulations, You just won a cruise to the Bahamas
PLUS $1000.00 Travel Cash! Call Now 8OO941O98O

• Delivered at a rate of about 5/s: ~300k total messages reached subscribers’ phones
• Defense: cat-and-mouse game of writing filter rules
• With 62M+ subscribers available, attackers will go to great lengths to deliver spam
2007 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, limiters, anti-harvest; Brightmail content filters | H
Targeted Email→SMS spam | RBLs, limiters, anti-harvest; Cloudmark (content filters, honeypots, active monitoring) | H
Mobile→Mobile spam (future) | Limiters, anti-harvest; spam feedback (honeypots, subscriber spam reporting); Cloudmark or competitor (content filters, active monitoring) | M

Page 9
“Messaging Unlimited” Issue/Risk
• April 2007: New AT&T “Messaging Unlimited” rate plan replaces 3000/month “Messaging Extreme” as the high-end messaging plan
• Prior to this, AT&T had had limited problems with MO spammers
• Spam techniques observed
– Banks of phones tethered to computers,
– Device-resident programs, and/or
– Aircard(s)
• The new plan’s spam economics (Messaging Unlimited plan) amount to a 99% discount for spammers
– Old rate (116 millicents per unfiltered message) is in the very high range of commercial spammers.
– New rate of 0.652 millicents per unfiltered message is well within the range of commercial spammers.

            Previous Offer:      New Offer:
            Messaging Extreme    Messaging Unlimited
Msg/month   3000                 3067200
$/month     34.99                25.00
$/msg       0.011663333          0.00000652
2009 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, limiters, anti-harvest; content filters | H
Targeted Email→SMS spam | RBLs, limiters, anti-harvest; content filters; honeypots; active monitoring; subscriber spam reporting | H
SMS/MMS security hole exploits | Protocol filters; limiters, anti-harvest; content filters; honeypots; active monitoring | M/H
Mobile→Mobile spam/virus | Limiters, anti-harvest; spam sensing (honeypots, active monitoring, subscriber spam reporting); content filters | M

Page 11
#1 Issue of 2009: Email→SMS Smishing

FRM:STERLING
MSG:Sterling Alert.
Unusual activity – Call
now at 1-(877)-345-4671
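The two spam samples in this deck, the 2006 “Passport Holiday” message with its letter-for-digit phone number and the 2009 smishing alert above, exercise the same two defenses the issues tables list against Email→SMS cannons and spam: a per-sender rate limiter and regex content rules. The sketch below is an illustration written for this page, not MAAWG or AT&T code. It first undoes the letter-for-digit obfuscation so the phone-number regex sees real digits, then applies a call-to-action rule; the 10-messages-per-60-seconds cannon threshold, the homoglyph table, the sender addresses and the non-spam messages are all assumptions constructed for the example.

```python
"""Gateway-side screen for email/web-to-SMS traffic (added illustration).

Two defenses from the issues tables: a per-sender rate limiter against
accidental "cannons", and regex content rules that first undo the
letter-for-digit obfuscation seen in the 2006 sample ("8OO941O98O").
Thresholds, sender addresses and the non-spam messages are constructed.
"""
import re
from collections import defaultdict, deque

# Letters commonly substituted for digits; this mapping is an assumption for the example.
HOMOGLYPHS = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1", "S": "5", "B": "8"})
DIGITLIKE = set("0123456789OoIlSB-().+")

# Hypothetical cannon threshold: more than 10 messages from one sender within 60 s.
CANNON_LIMIT = 10
CANNON_WINDOW_S = 60

# North American number with optional leading 1, separators and parentheses,
# e.g. 8009410980 or 1-(877)-345-4671.
PHONE_RE = re.compile(r"(?<!\d)1?[\s.\-]*\(?\d{3}\)?[\s.\-]*\d{3}[\s.\-]*\d{4}(?!\d)")
# Call-to-action phrases taken from the two samples quoted on this page.
CALL_TO_ACTION_RE = re.compile(
    r"\b(call\s+now|unusual\s+activity|you\s+just\s+won|congratulations)\b", re.I)


def normalize(text):
    """Translate letter-for-digit substitutions inside digit-bearing tokens only,
    so ordinary words keep their letters and the phone regex sees real digits."""
    out = []
    for tok in text.split(" "):
        if any(c.isdigit() for c in tok) and all(c in DIGITLIKE for c in tok):
            tok = tok.translate(HOMOGLYPHS)
        out.append(tok)
    return " ".join(out)


class SenderRateLimiter:
    """Sliding-window counter per sender; a burst above the limit is treated as a cannon."""

    def __init__(self, limit=CANNON_LIMIT, window_s=CANNON_WINDOW_S):
        self.limit = limit
        self.window_s = window_s
        self.history = defaultdict(deque)

    def allow(self, sender, ts):
        q = self.history[sender]
        while q and ts - q[0] >= self.window_s:
            q.popleft()                      # drop timestamps that left the window
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def screen(messages):
    """Return one verdict per (timestamp, sender, body), in input order:
    'rate-limited', 'content-blocked' or 'deliver'."""
    limiter = SenderRateLimiter()
    verdicts = []
    for ts, sender, body in messages:
        if not limiter.allow(sender, ts):
            verdicts.append("rate-limited")
            continue
        norm = normalize(body)
        if PHONE_RE.search(norm) and CALL_TO_ACTION_RE.search(norm):
            verdicts.append("content-blocked")
        else:
            verdicts.append("deliver")
    return verdicts


# Constructed traffic: the two samples quoted on this page, one legitimate
# message, and a runaway cron job standing in for an accidental cannon.
SAMPLE_TRAFFIC = [
    (0.0, "angela@example.net",
     "Congratulations, You just won a cruise to the Bahamas PLUS $1000.00 Travel Cash! Call Now 8OO941O98O"),
    (1.0, "alerts@example.net", "Sterling Alert. Unusual activity – Call now at 1-(877)-345-4671"),
    (2.0, "friend@example.org", "Running late, call me when you land"),
] + [(3.0 + 0.2 * i, "cron@example.org", f"disk check {i} ok") for i in range(12)]

if __name__ == "__main__":
    for (ts, sender, body), verdict in zip(SAMPLE_TRAFFIC, screen(SAMPLE_TRAFFIC)):
        print(f"{ts:5.1f} {sender:22} {verdict:15} {body[:50]}")
```

Normalising only tokens that already contain a digit is what keeps the rule cheap: words never get their letters rewritten, while “8OO941O98O” becomes a plain ten-digit number and is caught by the same regex that matches the punctuated 2009 number. The cron burst shows the other half of the table: the first ten messages pass and the rest are held, which is the behaviour an Email→SMS gateway wants from an accidental sysadmin script.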

Page 12
2010 Issues

Threat | Defense | Severity
Email→SMS cannons (e.g., accidental sysadmin script) | Rate limiters, regex and address filters | M
Email→SMS spam (mostly non-targeted) | RBLs, limiters, anti-harvest, content filters | H
Targeted Email→SMS spam | RBLs, limiters, anti-harvest; content filters; honeypots; active monitoring | H
SMS/MMS security hole exploits | Protocol filters (planned); limiters, anti-harvest; content filters | M/H
Mobile→Mobile spam/virus | Limiters, anti-harvest; spam sensing; content filters | M
SIM boxes | ??? | ?
Roaming fraud | IMEI analysis? |
Spam | Location analysis? |
International and long distance fraud | Pro-active investigation of discount providers? |

Mobile botnets are extremely rare (or non-existent)

Page 13
Mobile-Originated SMS Abuse
• Spammers connect phones/aircards to PCs
• Mostly prepaid (anonymous) SIMs with unlimited messaging
• Assessment: > 50% of spam generated by < 5 spammers
• ~0.1% of US SMS is MO spam
• >500% annual growth rate
• Defense: SIM shutdown and inter-carrier blocking
• Spammer countermeasure: Buy many SIMs & swap to limit daily per-SIM volume

[Graph redacted]
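To make the slide’s defense and countermeasure concrete, here is an added Python sketch (not MAAWG or carrier code) that runs the per-SIM daily volume check over a constructed day of mobile-originated SMS records and then re-aggregates the same records by handset identifier (IMEI), so an aircard that rotates several prepaid SIMs to stay under the per-SIM shutdown threshold still stands out. The record layout, both thresholds, the rotation heuristic and the sample traffic are assumptions made for this example; the deck itself lists “IMEI analysis?” in the 2010 issues table only as an open question.

```python
"""Detection pass over one day of mobile-originated (MO) SMS records (added illustration).

Per-SIM volume is the deck's stated defense (SIM shutdown); aggregating the same
records by IMEI is one way to see through the SIM-swapping countermeasure the
slide describes. Record format, thresholds and sample data are constructed.
"""
from collections import defaultdict

# Hypothetical thresholds for a 24-hour window.
PER_SIM_DAILY_LIMIT = 500      # above this a prepaid SIM is a shutdown candidate
PER_DEVICE_DAILY_LIMIT = 500   # a single handset sending this much, across any SIMs, is suspect
MIN_SIMS_FOR_ROTATION = 3      # distinct SIMs seen in one handset within the window


def parse_records(lines):
    """Parse constructed 'day,imsi,imei,destination' rows; '#' lines are comments."""
    recs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, imsi, imei, dest = line.split(",")
        recs.append({"day": day, "imsi": imsi, "imei": imei, "dest": dest})
    return recs


def analyze(records):
    """Return (sim_flags, device_flags).

    sim_flags:    {imsi: message_count} for SIMs over PER_SIM_DAILY_LIMIT
    device_flags: {imei: {"sims", "messages", "unique_destinations"}} for handsets over
                  PER_DEVICE_DAILY_LIMIT that spread traffic across MIN_SIMS_FOR_ROTATION+ SIMs
    """
    per_sim = defaultdict(int)
    per_device = defaultdict(lambda: {"sims": set(), "messages": 0, "dests": set()})
    for r in records:
        per_sim[r["imsi"]] += 1
        d = per_device[r["imei"]]
        d["sims"].add(r["imsi"])
        d["messages"] += 1
        d["dests"].add(r["dest"])

    sim_flags = {imsi: n for imsi, n in per_sim.items() if n > PER_SIM_DAILY_LIMIT}
    device_flags = {}
    for imei, d in per_device.items():
        if d["messages"] > PER_DEVICE_DAILY_LIMIT and len(d["sims"]) >= MIN_SIMS_FOR_ROTATION:
            device_flags[imei] = {"sims": len(d["sims"]),
                                  "messages": d["messages"],
                                  "unique_destinations": len(d["dests"])}
    return sim_flags, device_flags


def constructed_day():
    """One constructed day: a heavy but legitimate texter, one SIM blasting past the
    per-SIM limit, and one aircard rotating four SIMs that each stay just under it."""
    lines = ["# day,imsi,imei,destination  (constructed sample, identifiers are made up)"]
    # Legitimate user: 120 messages to 6 friends from one SIM in one phone.
    lines += [f"2010-10-01,310410000000001,35000000000001,+1555000{i % 6:04d}" for i in range(120)]
    # Naive spammer: one SIM, 800 messages to 800 numbers; per-SIM shutdown catches this alone.
    lines += [f"2010-10-01,310410000000002,35000000000002,+1555100{i:04d}" for i in range(800)]
    # Rotating spammer: 4 SIMs in one device, 450 messages each, every SIM under the limit.
    for s in range(4):
        lines += [f"2010-10-01,31041000000010{s},35000000000003,+1555200{s * 450 + i:04d}"
                  for i in range(450)]
    return lines


if __name__ == "__main__":
    sims, devices = analyze(parse_records(constructed_day()))
    print("SIM shutdown candidates:", sims)
    print("SIM-rotation candidates:", devices)
```

The point of the second aggregation is the gap the slide describes: with four SIMs at 450 messages each, no single IMSI crosses the 500-message line, yet the handset has sent 1,800 messages to 1,800 distinct numbers. Counting distinct destinations alongside volume also separates that pattern from the legitimate heavy texter, whose 120 messages go to six numbers.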

Page 14
Mobile malware

Mobile is on the rise

[Chart: cumulative number of mobile malware signatures by half-year, H2 2004 through H1 2010, y-axis 0 to 1600. Source: Kaspersky Lab, October 2010 (slide from a Kaspersky Lab deck dated 14 October 2010)]


How to Have Fun and Make Money With SIM Boxes

Entry Level: Cheap/Anonymous Mobile Access


• Architecture
– SIMs with unlimited MTM voice and/or SMS
– “SIM Box” computers (hold 250+ SIMs)
– Internet VOIP or tunnels
• Products
– Cheap long distance calls between mobile networks
– Cheap MT Messaging
– Voice spam

Growth Option: Virtual Access for Roaming Subscribers


• Architecture
– Offer cut-rate roaming to subscribers
• “Remote IP SIM Access” mobile device application installed
• VOIP client mobile device application installed

– “Virtual SIM Box” computers


• Products
– Worldwide “take your phone and roam over IP”
– Worldwide “virtual cell phone” (leave your phone at home)
– Voice
– MO & MT Messaging
– Fraudulent use of roamers’ accounts (e.g., spam)

Page 16
PART II: THE FUTURE
What does the future hold?

• Argument #1: The mobile abuse threat is overblown


“there is no monoculture for mobile operating systems. There are at
least four major mobile operating systems (iPhone, BlackBerry, Android
and Symbian) and one minor one (Windows Mobile, which is falling
fast). If you are writing malware, which one do you write for? Answer:
none of them”

Andrew Jaquith, senior analyst, Forrester Research

• Argument #2: Hell is rising


“There are nearly 600 million of them worldwide, naked and
unprotected. We need to prepare for the inevitable onslaught. Of
course, smartphones are going to be the targets of criminals. Any other
conclusion is naive, reeks of hubris and merely amplifies the industry's
past errors that have cost us all dearly.”

Rob Smith, CTO & CEO, Mobile Application Development Partners


Botnet Non-Mobile Email Spam Example:
Canadian Pharmacy
• Criminal Organization (glavmed.com, aka “Canadian Pharmacy”)
– Shipping effective but counterfeit drugs
– Revenue > $150 million per year
• Advertising by spam
– Pays 40% commission to “partners”
– “Partners” send 2.5B email spam messages/day
• Sales through dodgy web sites
– 100 new domains per day
– 15 uniquely branded websites
– Modifying content and URL domain every 15 minutes
– Use of ‘zombie proxies’ in HTTP path – hide the real web sites
• Relies on “Botnet” network of infected PCs
– For spamming
– For hiding real websites behind infected proxy websites
• Spammers get 40% commission for directing web traffic to Canadian Pharmacy
– $.00008/msg

Source: Cisco/IronPort

19
Mobile Spam Risk: following the email pattern
• Mobile abuse today resembles email spam in 2000
– Direct spamming: spammer-owned nets/devices
– At most 100s of direct spammers
• Mobile Botnet (mobot) risk is growing
• Easily developed -- the necessary businesses, markets and funding exist
• Spammer’s business case is good
• Mobile infection is becoming easier
– More users download mobile apps to “open” phones
– Growth in PCs with cell data/messaging capabilities
• Email-like evolution of mobile spam won’t take 8 years
• Mobile data businesses and users are at risk of attack by well-funded spammers investing $50k to make millions by developing mobot networks
What Causes Abuse?
• People and businesses looking for ways to get money irrespective of ethics and laws
“Where should I hack today?”

• Pranksters
– Individuals and/or groups motivated by ego

• Political players
– Individuals motivated by ego
– State actors
– Non-state actors

• Accidents/errors
Hypothesis:
Economic Models Predict Abuse
• Abusers are primarily businessmen looking for
ways to get money irrespective of ethics and laws

• Ability to monetize
– Value of an infected device
• Vulnerability
– Cost to infect a device

• Both are leveraged by advanced markets for goods and services
– Criminal infrastructure
– Criminal networks
– Toolkits/Specialists
– Large numbers of less-skilled players
Hypothesis Validation:
Does it explain history?
• PCs are widely abused, Macs aren’t
– Explanation: market share

• 9 of top 10 mobile virus threats affect Symbian OS


– Explanation: 2010 smart phone market share (Canalys)
• Symbian – 40%
• Blackberry – 18%
• Android – 16%
• Apple – 15%
• Windows Mobile – 7%
– Value of an infected device

• Mobiles not widely infected


– Higher cost to infect a device
– Lower value of infected device
So What Are the Trends?
• An Amazon Payments executive at the 2010 Mobile Shopping Summit said
– that mobile commerce is expected to grow from $2.4 billion this year to $23.4 billion by 2015, an 875 percent increase.
• Those figures are based on projections from Coda Research Consultancy.

• AdMob (May 2010) reports:
– Users across all [mobile] platforms are highly engaged with apps; iPod touch users even more
– Android and iPhone users spend 79-80 min/day using apps, 100 min iPod Touch, 89 min webOS
– Android and iPhone users download ~9 new apps/month, ~12 iPod touch, ~6 webOS
Criminal networks and services are being leveraged

[intelligence – not for public dissemination or publication]

25
Prediction

• Value of infected device will rise with increased use of mobile devices, especially in money transfer applications
– When mobile use nears or surpasses PC levels, look out

• Cost of infection will decrease with increased mobile use, especially in SW downloads
– Explanation: easier to infect/deceive

• Positive business cases exist
– Mobile Zeus Trojan (TAN stealing)
