Smelling an mRAT: Defeating targeted attacks on enterprise mobiles

Commercial mobile surveillance kits are a growing security threat. Michael Shaulov looks at the scale of mRAT infestations, and how to avoid them.

Michael Shaulov

You're never more than a few metres away from a rat, as the adage puts it. And when it comes to mobile security, it seems that mRAT infestations are starting to become a problem. mRATs, or mobile remote access Trojans, are commercial mobile surveillance kits that are usually marketed for monitoring children's mobile usage and for helping to ensure online safety. However, they can also be used for espionage and other malicious purposes in the enterprise.

An mRAT can be downloaded invisibly via a user-requested program, such as a game, or sent as a link in an email or text message. They can also be added to devices manually when the person installing it has physical access to the mobile device. As they give administrative control of the device, they can enable keylogging, turn on video cameras and recording functions on mobiles, and much more.

It's this powerful set of capabilities which makes mRATs attractive to an attacker. They can bypass security controls in mobile device management (MDM) systems, giving them the potential to eavesdrop on calls and meetings, to extract information from corporate emails and text messages, and to track the location of executives. They can also intercept communications in third-party applications. In fact, in late 2014, a surveillance mRAT that infected iOS as well as Android devices targeted supporters of Hong Kong's Occupy Central movement. That mRAT was spread and shared unwittingly through links sent and received in WhatsApp.

mRAT population grows

How significant a threat are mRATs to enterprise security? In an effort to better understand and quantify the risk they present, Check Point and Lacoon recently conducted a study of the communications of over 900,000 mobile devices through Wi-Fi access points at large enterprises. Over several months, researchers looked for the data traffic patterns and signatures of several different known mRATs as they communicated with their 'command and control' servers. The analysis found that on average, over one in 1000 devices globally were infected – but in some countries, such as the US, infection rates were as high as one in 500 devices. Infections were also evenly distributed between Android and iOS mobiles – unlike a majority of mobile malware.

While this may not seem like a high proportion of infections, it's worth noting that in many cases the mRATs were sending traffic from mobile devices across enterprise Wi-Fi networks for periods of weeks or months. What types of sensitive data could have been stealthily siphoned from just a single executive's infected device during that time?
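The two paragraphs above describe the detection approach (matching device traffic against the command-and-control signatures of known mRATs) and the tell-tale persistence of that traffic over weeks or months. The script below is an added illustration, not code from the study or from Check Point or Lacoon: it runs over a constructed Wi-Fi egress log, flags devices that beacon to a constructed, placeholder C2 host list at regular intervals across several days, and computes the per-device infection rate. The log format, hostnames and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator set: placeholder hostnames, not real mRAT C2 servers.
MRAT_C2_HOSTS = {"c2.mrat-a.invalid", "sync.mrat-b.invalid"}

# Constructed Wi-Fi egress log: "<ISO timestamp> <device> <platform> <host>".
SAMPLE_LOG = """\
2015-03-02T08:00:00 dev-001 ios c2.mrat-a.invalid
2015-03-02T20:00:03 dev-001 ios c2.mrat-a.invalid
2015-03-03T08:00:01 dev-001 ios c2.mrat-a.invalid
2015-03-03T20:00:02 dev-001 ios c2.mrat-a.invalid
2015-03-02T09:16:00 dev-002 android sync.mrat-b.invalid
2015-03-02T11:40:00 dev-003 android mail.corp.example
2015-03-03T10:05:00 dev-003 android mail.corp.example
"""

def parse_log(text):
    """Yield (timestamp, device, platform, host); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, device, platform, host = parts
        yield datetime.fromisoformat(ts), device, platform, host

def find_infected(log_text, min_days=2, max_jitter=0.2):
    """Return ({device: platform}, total_devices). A device is flagged only
    when it contacts a C2 host on at least `min_days` distinct days at
    near-regular intervals (jitter = stdev/mean of the gaps), which is the
    sustained beaconing pattern that separates an implant from a one-off hit."""
    contacts, platforms = defaultdict(list), {}
    for ts, device, platform, host in parse_log(log_text):
        platforms[device] = platform
        if host in MRAT_C2_HOSTS:
            contacts[device].append(ts)
    flagged = {}
    for device, times in contacts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter
        if len({t.date() for t in times}) >= min_days and regular:
            flagged[device] = platforms[device]
    return flagged, len(platforms)

def infection_rate(log_text):
    """Share of observed devices flagged (1 of 3 for the constructed sample)."""
    flagged, total = find_infected(log_text)
    return len(flagged) / total if total else 0.0
```

Note that dev-002 touches a C2 host once but is not flagged: a single hit is an alert to investigate, while the repeated, evenly spaced contacts from dev-001 are the signature the study describes.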

In effect, mRATs are the mobile equivalent of the spear-phishing attacks against conventional networks that have claimed high-profile victims such as Target, Neiman Marcus, Anthem and Sony Pictures. They serve as stepping stones into enterprise networks, enabling attackers to target specific organisations and even individuals within those organisations in order to gain stealthy access to sensitive corporate data.

What's more, the potential for these attacks is only going to get bigger. In 2014, Check Point's third annual mobile security survey of 700 enterprises showed that the number of personal devices connecting to networks had more than doubled in 72 percent of organisations over the past two years. 44 percent said they do not even attempt to manage corporate information on employee-owned mobiles – giving hackers a wide and ever-growing choice of exploitable devices.

Trapping mRATs

So how should businesses approach identifying existing mRAT infections, stopping further infections and preventing the risk of breaches via this vector? What's needed first is an integrated approach to mobile security that can extend protection to any device, wherever it's being used. Second, on-device remediation is needed to actively block any activity or traffic generated by existing mRATs.

To protect devices outside the corporate perimeter against new mRAT infections, security can be delivered to the device as a cloud-based service, using an encrypted VPN tunnel. This prevents suspicious file downloads and blocks access to malicious websites. As well as enabling corporate security policies to be extended to all devices for easier management, it can also cut off communications from any existing mRATs already on devices by blocking access to the mRAT command and control server.

In terms of on-device security, organisations should deploy solutions that can identify any suspicious behaviour from an app, on a device or in the network to find and mitigate the impact of mRATs. In many cases, an mRAT may not be detected by conventional mobile anti-malware; however, specialist solutions can perform risk assessments on devices and provide active protection capabilities to block and mitigate threats.

In conclusion, mRATs are powerful tools that can enable hackers to infiltrate and harvest data from employees' mobile devices – many of which remain largely unmanaged and unprotected. For this reason, enterprises should look at measures for controlling the population of mRATs and cutting off their communications, before they start a data-stealing plague.

Contributed by Michael Shaulov, Head of Mobility Product Management at Check Point.