SANS ISC: Mobile Malware: Request for Field Reports - SANS Internet Storm Center SANS ISC InfoSec Forums


Mobile Malware: Request for Field Reports

At my last two speaking engagements, I asked a simple question: "Have you, or anyone you know, been infected with malware on your smartphone?"  So far, no one has raised their hand.

I'd like to ask the same question here, since there's a much wider audience of people who have the skills/instinct to notice such an infection.

If you, or someone you know (no friend of a friend reports, please) have witnessed a mobile malware infection in the wild please leave a comment below or send in a report via our contact page.

Kevin Liston

292 Posts
ISC Handler
I do not think I have been infected, but how would I know? How about a few pointers as to what to check for?
Kenneth

11 Posts
Good point, Kenneth. I worry when I hear customers who are extremely confident none of their users were infected "because no one complained". How can we detect malware on smartphones and BlackBerrys? Are there any tools or techniques out there?
Kenneth
6 Posts
The most obvious clue would be (assuming one is allowing phones to connect via WiFi) IPs assigned to phones triggering alerts in various network intrusion detection sensors (Snort, FireEye, etc.). Of course that presupposes that the malware is using WiFi and not restricting itself to using the cell service.
Brent

115 Posts
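Brent's suggestion above is a correlation job: join IDS alerts against the DHCP lease table so that alerts whose source address belongs to a phone stand out. The following script is an added example, not code from the thread or from SANS ISC. It parses Snort "fast"-format alert lines (the rule SIDs 9000001-9000003 and every address, MAC and hostname are constructed placeholders) and a constructed lease table, recognises mobile devices by the Android DHCP vendor class identifier (`android-dhcp-<version>`) or a telltale hostname, and returns the alerts from those devices at or above a priority threshold. The lease table is a hypothetical in-memory dict standing in for whatever your DHCP server exports.

```python
import re
from collections import defaultdict

# Constructed Snort fast-format alert lines. SIDs 9000001-9000003 are placeholders,
# not real Snort/ET rule IDs; addresses are documentation/test ranges.
ALERTS = """\
03/14-10:22:01.123456  [**] [1:9000001:1] CONSTRUCTED TROJAN Mobile checkin to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.41:49152 -> 203.0.113.7:80
03/14-10:22:05.500000  [**] [1:9000002:1] CONSTRUCTED POLICY Cleartext password over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.20.30.12:51000 -> 198.51.100.9:80
03/14-10:23:40.000000  [**] [1:9000001:1] CONSTRUCTED TROJAN Mobile checkin to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.41:49153 -> 203.0.113.7:80
03/14-10:25:00.000000  [**] [1:9000003:1] CONSTRUCTED SCAN Port sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.20.30.77:40000 -> 10.20.30.1:22
"""

# Constructed DHCP lease table: ip -> MAC, hostname, DHCP vendor class identifier (option 60).
# Android devices send "android-dhcp-<version>"; Windows hosts send "MSFT 5.0"; iOS sends none.
LEASES = {
    "10.20.30.41": {"mac": "02:00:00:aa:bb:01", "hostname": "android-3f2a9c1d", "vendor": "android-dhcp-10"},
    "10.20.30.12": {"mac": "02:00:00:aa:bb:02", "hostname": "ws-finance-07", "vendor": "MSFT 5.0"},
    "10.20.30.77": {"mac": "02:00:00:aa:bb:03", "hostname": "Shawns-iPhone", "vendor": ""},
}

# One Snort fast-format line: timestamp, [gid:sid:rev], message, classification, priority,
# protocol, then "src:port -> dst:port".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])
            alerts.append(rec)
    return alerts


def is_mobile(lease):
    """Heuristic device classification from DHCP metadata (vendor class first, hostname second)."""
    host = lease.get("hostname", "").lower()
    vendor = lease.get("vendor", "").lower()
    return (vendor.startswith("android-dhcp")
            or host.startswith("android-")
            or "iphone" in host or "ipad" in host)


def mobile_alerts(alert_text, leases, max_priority=2):
    """Return {source_ip: [alerts]} for alerts raised by leased mobile devices.

    Snort priority 1 is the most severe, so max_priority=2 keeps priority 1 and 2 only.
    """
    hits = defaultdict(list)
    for alert in parse_alerts(alert_text):
        lease = leases.get(alert["src"])
        if lease and is_mobile(lease) and alert["prio"] <= max_priority:
            hits[alert["src"]].append(alert)
    return dict(hits)


if __name__ == "__main__":
    for ip, alerts in mobile_alerts(ALERTS, LEASES).items():
        lease = LEASES[ip]
        print(f"{ip} ({lease['hostname']}, {lease['mac']}): {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a['ts']} sid={a['sid']} prio={a['prio']} {a['msg']} -> {a['dst']}:{a['dport']}")
```

The vendor class check is the more reliable of the two signals, since hostnames are user-editable; in production the lease table would come from the DHCP server's export and the mobile-device classifier could be extended with MAC OUI lookups. Note that, as Brent says, this only sees traffic that crosses your WiFi, not the cellular path.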
I haven't personally been infected, however I can see infected Android devices that get on our wireless guestnet trying to communicate back to a C2 server.
Brent
3 Posts
I think mobile malware is another scam by the antivirus companies for making money. Almost every report of some new malware only affected Russian or Chinese phone services.

So with that note...if you live in other countries, and suddenly you see Text/Phone calls going to foreign countries, then your phone may be infected.

Just my 2-cents
HackDefendr

65 Posts
I have seen one Android device on my network that triggered the IDS system. The "interesting" part for me was that this was a personal device connected to the network on a rogue AP! We shut down the AP ASAP, and informed the employee that their phone may be compromised (and slapped them on the wrist for the AP!!)
Shawn

29 Posts
Every month or so we see an iPhone with the rickroll worm.

And we had a case where it was suspected that the rooted Android did leak sensitive mails or passwords ...
Jens

42 Posts
I got hit with a drive-by download on my Nexus 7 (didn't install - default settings prohibited install due to its untrusted origin). Turns out it is basically a wrapper for a browser instance that makes a call via an IFRAME to hxxp://lemon-brain.info/sfr/and_deai_sefrex.html . The package is set up to allow usage of pretty much everything that can be accessed by an Android app - GPS, camera, contacts, etc. It also includes a JS API library (Apache Cordova) that can access these functions via the Webview. All in all it's a neat little setup that could potentially allow a bad to tailor functionality on the fly as long as the Android device has Internet connectivity (and the app is running).
Anonymous
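The sample described above combines two things a static triage pass can pick up before anyone runs the app: a broad set of dangerous permissions in `AndroidManifest.xml`, and a Cordova `config.xml` that loads its content from a remote URL while whitelisting every origin. The following script is an added example, not code from the thread or from the Apache Cordova project. Both XML documents are constructed stand-ins (package name `com.example.wrapper` and the URL `http://remote-host.invalid/landing.html` are placeholders, deliberately not the host named in the post); the permission names and the `<content src>` / `<access origin>` elements are the real Android and Cordova identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"   # android: attribute namespace
WIDGET_NS = "http://www.w3.org/ns/widgets"                   # default namespace of Cordova config.xml

# Constructed AndroidManifest.xml for a hypothetical wrapper app (package name is a placeholder).
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wrapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Viewer"><activity android:name=".MainActivity"/></application>
</manifest>
"""

# Constructed Cordova config.xml; the content URL is a placeholder, not the one from the post.
CONFIG = """\
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.wrapper" version="1.0.0">
  <name>Viewer</name>
  <content src="http://remote-host.invalid/landing.html"/>
  <access origin="*"/>
</widget>
"""

# Android runtime ("dangerous") permissions that reach sensors or user data.
DANGEROUS = {
    "android.permission." + p for p in (
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA", "RECORD_AUDIO",
        "READ_CONTACTS", "WRITE_CONTACTS", "READ_SMS", "RECEIVE_SMS", "SEND_SMS",
        "READ_PHONE_STATE", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
    )
}


def declared_permissions(manifest_xml):
    """Return the sorted android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return sorted(el.get(name_attr) for el in root.iter("uses-permission"))


def cordova_findings(config_xml):
    """Flag a remote start page and a wildcard network whitelist in a Cordova config.xml."""
    root = ET.fromstring(config_xml)
    ns = {"w": WIDGET_NS}
    findings = []
    content = root.find("w:content", ns)
    if content is not None and content.get("src", "").lower().startswith(("http://", "https://")):
        findings.append("remote_content_src")        # app body is fetched at run time, not shipped
    if any(acc.get("origin") == "*" for acc in root.findall("w:access", ns)):
        findings.append("wildcard_access_origin")    # WebView may load from any host
    return findings


def triage(manifest_xml, config_xml, dangerous_threshold=3):
    """Combine both checks; 'suspicious' means remote-loaded code plus broad device access."""
    perms = declared_permissions(manifest_xml)
    dangerous = [p for p in perms if p in DANGEROUS]
    findings = cordova_findings(config_xml)
    if len(dangerous) >= dangerous_threshold:
        findings.append("broad_dangerous_permissions")
    return {
        "permissions": perms,
        "dangerous": dangerous,
        "findings": sorted(findings),
        "suspicious": "remote_content_src" in findings and len(dangerous) >= dangerous_threshold,
    }


if __name__ == "__main__":
    report = triage(MANIFEST, CONFIG)
    print("dangerous permissions:", ", ".join(report["dangerous"]))
    print("findings:", ", ".join(report["findings"]))
    print("suspicious:", report["suspicious"])
```

On a real APK the two files come from `apktool` or `aapt` output; the combination that matters is the one the post describes, a remotely loaded page driving a WebView that has been granted the device's sensors and contacts, which is why `suspicious` requires both signals rather than either alone.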
