Mobile device hackers step up from simple attack methods to stealthy chain attacks

by Doug Olenick @ SC Media

Cyber-criminals have moved to a new level when attacking mobile devices replacing their simplistic attack methods with sophisticated and stealthier models that now use chain attacks instead of one of the older one-trick pony hacks that simply tried to elevate privileges, according to Checkpoint.

Oren Koriat, a member of Checkpoint’s mobile threat research team, wrote in a blog that the reason cyber-criminals have switched to using chain attacks is they are much more dangerous and harder to detect. A typical chain attack can contain up to five separate elements, each of which is responsible for a portion of the overall attack. Some familiar elements are:

  • A dropper, which initiates the attack by downloading or unpacking the next link in the chain.
  • The exploit pack, which enables code execution with higher privileges, typically root privileges and allows the malware to access the device’s sensitive resources.
  • The malicious payload, which can be any number of ransomware variants, malware that steals information, or banking Trojans.
  • Chain attacks sometimes include persistency watchdogs that stop the malicious app from being removed.
  • Finally a backdoor is installed that will open the device to remote code execution.

Koriat noted the many benefits malicious actors gain by structuring their attacks in this manner.

“This means that individual chain attacks are more likely to be successful, but also that cyber-criminals can easily tweak or upgrade an attack that has only been partially identified and understood.  Chain attack link structures lend themselves to being built with a more modular code, which makes it simpler for the malware to later evolve and accustom itself to new systems, targets and geographic regions.  It is a very adaptable attack form,” Koriat said.

However, the very fact that chain attacks depend upon all the links firing correctly means each link is also the malware’s greatest weakness. Koriat wrote, in order to break the chain the potential victim needs a solution in place that can detect and defeat each link independently. One suggestion is to have security in place that not only detects, but then separates potential malware out for further inspection.

“One potential answer to this is to implement a security solution that automatically quarantines all attempted downloads – whether apps or attachments emailed to the device – and inspects them in the cloud for possible malicious behaviors,” he said.