M+E Connections

The technology marketplace is flooded with new companies each week with new offerings, and it’s become hard to know what is pure marketing and solid solutions vs. bad actors up to no good, according to Sean Kalinich, senior security architect at Richey May.

When you’re trying to secure content and “you’re looking to ensure that it’s not transferring in and out of areas, there’s an often overlooked area in just about every organization – and that tends to be mobile device security, he said April 23 at the Anti-Piracy and Content Protection Summit in Las Vegas, during the session “What’s in a Name?: How Richey May Defines a Scan, Pen Test, & Assessment.”

During the session, he focused on how to help studio partners sort through what is being offered and how to best use those solutions to secure Hollywood.

As we look at the way “attackers view networks, we often think about the end point, the laptops, the servers, all of those things. And one of the areas that’s left untouched is that mobile device,” he noted.

However, “in the last year, we’ve seen an increase in mobile banking malware, and what is happening [is] it isn’t that the applications that are being delivered to your phone are actively malicious; it’s that they’re asking for different permissions,” he noted.

“One of the big permissions is going to be … can they access the accessibility services? Can they access things such as screen reading? Can they access replay of keyboard functions or, in the case of an Android phone, do you actually have something that’s so embedded into the device it can replay stored images for facial recognition and it can replay stored biometric information such as a fingerprint,” he warned.

In essence, what has happened is that the mobile device – be it a smartphone or tablet – has become “kind of that de facto computing component that transfers between the corporate world or the professional world and your personal world, [so] that’s becoming an area that we’re seeing threat actors begin to target,” he explained.

“If you look at what your average organization is doing to protect those, most of what you see is mobile device management” (MDM), he noted. However, he warned: “That’s intended just to demand the device. It’s not intended to secure the device. It doesn’t provide active anti-malware and it doesn’t give you any kind of additional security other than, if the device is lost or stolen, you can track it down or you can actually wipe it.

Because of that, “we’re seeing a number of pivots that are starting to take precedence and even take the forefront in the threat actor community, specifically for the mobile device,” he said.

In only the first few months of 2022, there have been more than 60 applications following that “particular pattern,” that have been identified and removed from the Google Play Store, he said.

“We’re not even all the way through April and we’ve seen this,” he said, noting “there have been over 500,000 plus downloads of these particular applications, the majority of which are currently banking malware, although we’re starting to see communication between some of the banking malware groups for mobile devices and your initial access broker groups.”

That is what he called a “dangerous bit of communication because it means that now they’re looking to complete that cycle,” he said. “They’re looking to complete that access chain and in fact, Google actually identified one information gathering application that had over 94 million installations active since 2018, he noted.

The good news? Google did “finally remove the application from the Play Store,” he said.

But mobile devices are the “bridge between the personal world and the professional world [and] everybody has a smartphone,” he pointed out. “Everybody has a data plan that can handle their needs, their consumption needs. And of course, we’re also getting our corporate email corporate communications, he said, adding people are on Microsoft Teams, Slack and Zoom also. “So it becomes a perfect opportunity for a threat actor, not only to capture credentials, which exist on your phone, but also take control of the device that is often responsible for your multi-factor authentication,” he said, pointing out it’s “what gets the SMS message [and] it’s what has that request for that biometric replay in order to log into office 365, Microsoft 365 and the Google Cloud platform, Amazon Web Services [and] all of that,” he said.

By capturing the mobile device, a bad actor can “gather a lot more information, a lot more detail than perhaps a protected laptop or something else where you may have a more advanced or what we call next-gen anti-malware solution,” he explained.

“Your typical phone might have something that’s free” when it comes to security, something provided by the cell service provider, such as AT&T, he noted. But they are “only doing a basic scan,” he said, explaining: “They’re looking to compare this application to a list of known bad applications based on the hash. They’re not looking for pivots and memory. They’re not looking to see if this particular application is going to request additional access, such as on Android, you have the accessibility services. And so they’re basically blind to these.”

Right now, he noted, “there are only a couple of fully fledged anti-malware solutions” for mobile: One is Sentinel One and the other is Microsoft’s advanced threat protection for mobile device that “can look for these pivots and look to see if the app is performing in the manner that it’s not supposed to.”

That is a “very narrow window,” he said, noting it’s “often it’s likened to a PC back in the 90s – that’s how exposed some of these devices are.”

He’s seen “pieces of software that are pieces of malware that they put on the phones designed to capture information in transit,” he said. “This is very good for banking malware but it also can be used to gain access to other areas and in other attack profiles, not just banking,” he pointed out.

“So, while right now the good news is it’s focused on the financial world predominantly, it will spill over and we’re already seeing the beginnings of that to where it will roll over into other areas,” he warned, predicting: “Your standard breach and your standard penetration isn’t just going to end up with a phish to capture somebody’s credential. You may see an SMS phishing event that tries to capture not only their credentials there, but also seeks to suggest that they should download this application.”

Something he found “extremely interesting when … looking over some of the malware samples that are out there is that there are a number – I believe it’s 13 right now – that were disguised as anti-malware apps, including some that were not free, that you would pay $10, $15 for. And it would say, ‘Hey, I’m going to go ahead and take care of all of this.’” And so it’s able to often get through the Google Play Store and Apple’s app store, he pointed out.

Although extra permissions in order to protect the device from a malicious pivot will be requested, he added: “That’s a brilliant way of getting a malicious piece of software that doesn’t have necessarily malicious code on the day you install it, but then allowing it to make communications back to command and control servers. So then it can pivot and download those things out” later.

To view the presentation, click here.

The 2022 Anti-Piracy and Content Protection Summit was presented by Richey May Technology Solutions, with sponsorship by Convergent Risks, NAGRA, Verimatix, BuyDRM, EZDRM and Vision Media. Produced by MESA, in association with the Content Delivery and Security Association (CDSA), the media partner for the show was Piracy Monitor.

To learn more about CDSA visit: https://CDSAonline.org

To find out more about upcoming MESA events or to get involved as a sponsor please contact Evie Silvers at [email protected].