As our last post on evaluating mobile technologies mentioned, we are releasing a blog series to bring the community up to a collective understanding of the mobile threat landscape, explain our current thinking on evaluating mobile security products, and solicit feedback on both mobile threats, as well as evaluation methodologies for the domain.
This post explores the first of four mobile threat scenarios, specifically malicious application threats against mobile devices. In addition to describing the threat, we outline potential approaches for evaluating mobile security product capabilities, challenges that exist, and areas where we could use community input.
We invite feedback from the community on all aspects of this research, whether better insights into the threats that need to be defended against, types of products to evaluate, or how to evaluate technologies against these threats. Please reach out to the ATT&CK Evaluations team (firstname.lastname@example.org) with any comments or questions you might have to help shape our future work in this space.
Malicious applications, of which examples can be found in ATT&CK’s software entries, are a common vector used by adversaries to gain access to targeted mobile devices. The behavior of malicious applications will vary depending on the adversary’s intent, but often applications will request and abuse permissions to access the device sensors (e.g., microphone, camera, location services) and data (e.g., contact lists, call logs).
Mobile applications may be installed from the platform app store (e.g., Google Play Store or Apple App Store) (T1475) or from elsewhere (a practice commonly known as sideloading) (T1476). Fortunately, devices default to only allowing installation of applications from the platform app stores. However, users may be tricked into overriding this behavior. In some cases, users may deliberately choose to do so, for example to install desired applications that are not otherwise available (e.g., Fortnite for Android was previously only available through sideloading). Sideloaded apps are generally riskier than apps installed from the official app stores, since they have not necessarily been subjected to the same level of scrutiny as official apps.
In our pilot evaluation effort, we tested the ability of mobile threat defense (MTD) products for iOS and Android to detect the presence of sideloaded apps. On Android specifically, we also tested the ability of MTD products to analyze the behavior of the sideloaded apps. Additionally, for both iOS and Android we verified the ability of enterprise mobility management (EMM) products to set policies on devices that prevent users from sideloading apps.
On Android, we sideloaded a mock malicious app called UploadDataApp, created as part of a prior MITRE project assessing the effectiveness of mobile app vetting solutions. The app performs malicious and privacy violating actions including capturing received SMS messages, capturing audio from the device microphone, tracking the device location, and accessing the device’s contact list, call log, and calendar entries. It exfiltrates all of this data to a specified web server.
On iOS, we sideloaded apps found on the iosninja.io web site, which contained iOS apps signed with keys associated with enterprise distribution certificates. One challenge we encountered in our pilot effort is that iOS prevents apps (including MTD agents) from even obtaining an inventory of other apps installed on the device. By detecting if the device is configured to trust 3rd party app developer or enterprise distribution certificates (without which sideloaded apps cannot run), MTD agents can determine whether sideloaded apps may be present and report identity information found in the distribution certificates but cannot identify the apps themselves. (EMM products can use Apple’s mobile device management protocol to obtain app inventory from devices.)
Another challenge we faced on both Android and iOS is that the operating systems severely restrict the ability of mobile security applications to monitor the behavior of other applications running on the device. Mobile security products may instead analyze application behavior on a separate instrumented device under the control of the vendor, somewhat analogous to dynamic analysis sandboxes used by endpoint security products for traditional computers (PCs). However, this approach may not replicate the same conditions as a real user device.
In our pilot effort, we did not test the ability of products to address apps distributed through the official app stores, because we did not want to potentially violate their terms of service or risk releasing malware into the wild. Examples exist of malicious apps distributed through the official app stores, as well as apps that have unwanted behaviors that do not rise to violating the app store rules. We are open to suggestions on appropriate evaluation tests to perform to cover these cases. One possibility would be to identify apps that exhibit unwanted behaviors (such as collecting sensitive information) yet are still present on the app stores, then test the ability of products to detect the presence of such apps on mobile devices. In addition to MTD products, other mobile security products such as mobile application vetting solutions could be in scope for this threat scenario as well.
The below table describes a potential test plan for evaluating the capabilities of mobile security products to prevent or detect sideloaded malicious applications. We would appreciate input from the community.
Table: Potential test plan for malicious application threat scenario
As the above table represents, different opportunities to defend exist at each step of the attack — whether the install process, observing application behaviors, or analyzing network traffic. Similar to defenses on traditional PCs that instill antivirus, endpoint detection tools, and network detection tools, the mobile security space can similarly be functionally diverse. We believe that also similar to the PC security stack, it’s important to look at the depth of security, to ensure that if the first line fails, you maintain some level of security, and similarly test across the space.
This first post explored Malicious Applications — both from a high-level threat as well as evaluation perspective. But tackling all dimensions of this mobile threat is daunting. What aspects of this threat are you most interested in? Do you rely on limiting app downloads to trusted app stores, or does your organization look beyond at application or network data to get insights as to what those installed apps are doing?
In our next post, we will introduce another threat scenario to continue the dialogue on mobile threats. Until then, we hope to hear from you on your observations of mobile threats, and we welcome conversations in this often overlooked and growing attack surface.
© 2021 MITRE Engenuity. Approved for Public Release. Document number AT0011