Mobile device management software is only as secure as the device it is on, and both are easily intercepted.
Speaking to SC Magazine, Lacoon Mobile Security CEO Michael Shaulov demonstrated a technique for delivering a mobile remote access Trojan (mRAT) to both Android and iPhone devices that allows total interception of the device, the mobile device management software and its apparently secure content.
In a demonstration, Shaulov showed that a targeted attack delivering the mRAT gives access to the microphone, geolocation and contact details. Shaulov said: “The software for this can cost £29 and there is a huge amount of software available.
“We found that in Israel in October 2012, one in every 1,000 infected users was with an mRAT and for a targeted threat it is quite scary.”
In the attack, a link sent by SMS claims to lead to a game, which is packaged with the malware. Once downloaded, the malware exploits a vulnerability in the phone to gain root access to the device. This allows a third party to see all communication and, if they want, to listen to all conversations, which are downloaded to an email account of the attacker's choosing.
Shaulov also warned that if an infected device were to be connected to a network-connected device, this could cause others to be infected too.
In terms of bypassing the mobile device management software, Shaulov said that if the victim is running such an application then it can be intercepted. “All encrypted emails and documents are placed here and it doesn't matter which vendor technology you use, they all work in the same way,” he said.
“All data is encrypted, all communication is encrypted and if the device is jailbroken or rooted then the mobile device management software will not work and alert the administrator.”
He explained that mobile device management software will not be able to detect this, and the console can be bypassed as the malware has a higher privilege than the software. “It will work on every container wrapper,” he said.
“The mobile operating system has a sandbox and the attacker can do whatever they want. The secure container is as secure as the operating system itself. The mobile device management software has static policies and can be bypassed and it doesn't provide visibility or assess risk in real-time.”
To mitigate the problem, Shaulov recommended building layered protection, being able to assess risk in real time and carry out behavioural analysis, and understanding the vulnerabilities in every platform. In this test, a leading mobile device management software was used, along with a Samsung Galaxy S3 and an Apple iPhone 4.