Studying MITRE ATT&CK. Mobile Matrices: Device Access. Part 3

Retrieving Credentials (Credential Access)


Links to all parts:
Part 1. Initial access to a mobile device (Initial Access)
Part 2. Persistence and Escalation of privileges
Part 3. Obtaining credentials (Credential Access)
Part 4. Protection bypass (Defense Evasion)
Part 5. Discovery and Lateral Movement

Adversaries use various methods of capturing passwords, tokens, cryptographic keys and other credentials to gain unauthorized access to the resources of a mobile device. Legitimate credentials give an adversary all the permissions of the compromised account in a system or network, which makes malicious activity difficult to detect. Given appropriate access, an adversary can also create legitimate accounts for use in the attacked environment.

The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies in some formulations and terms. The published information is a free retelling of the content of ATT&CK Mobile Matrices: Device Access.

Abuse Accessibility Features


Platform: Android
Description: Android Accessibility Features is a set of tools for people with disabilities. A malicious application may use Android accessibility features to obtain sensitive data or perform malicious actions. The APIs that provide accessibility services give access to the contents of the interfaces the user interacts with (for example, reading or composing an email, editing a document, etc.). This functionality lets people with disabilities work with general-purpose mobile applications. Such OS functionality also attracts malware authors,

Protection recommendations: Android 7.0 and higher include additional protection against this technique. Before allowing an application to be installed in a corporate environment, it is recommended that you check it for possible abuse of accessibility features or use a mobile app reputation service to identify known malicious applications.

Access Sensitive Data in Device Logs


Platform: Android
Description: In Android prior to version 4.1, an attacker could use a malicious application that has READ_LOGS permission to obtain private keys, passwords, and other credentials and confidential data stored in the device’s system log. In Android 4.1 and later, an attacker can only access the log after successfully escalating privileges on the OS.

Protection recommendations: If you develop mobile applications, do not write sensitive data to the system log in production builds.
Starting with Android 4.1, applications cannot access the system log (except for the entries added by the application itself). With physical access to the device, the system log can be obtained via USB using the Android Debug Bridge (adb) utility.

Access Sensitive Information or Credentials in Files


Platform: Android, iOS
Description: An attacker can try to read files containing confidential data or credentials (private keys, passwords, access tokens). This method requires either elevated privileges in the OS or the presence of a target application that stores data insecurely (with insecure access rights or in an insecure place, for example, in an external storage directory).

Protection Recommendations: Make sure that the applications you use do not store sensitive data with insecure rights or in an insecure place. Android and iOS provide the ability to store credentials in hardware, in an isolated place where they will not be compromised even after a successful privilege escalation. Android 7 sets stricter default file permissions in the application's internal directory, reducing the possibility of insecure rights being used.

Android Intent Hijacking


Platform: Android
Description: An Android Intent is an interprocess messaging object with which one application can request an action from a component of another application. A malicious application may register to receive intents meant for other applications and then receive confidential values, such as OAuth protocol authorization codes.

Protection Recommendations: Application testing for potential weaknesses should include identifying unsafe use of Intents. Mobile application developers should ensure that intents are sent only to the intended destination (for example, use explicit intents, check permissions, verify the certificate of the target application, or use App Links, a feature added in Android 6.0 that takes the user from a link directly to the target application, bypassing the application selection dialog box). For mobile applications using OAuth, it is recommended that you follow best practices.
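One way to look for unsafe Intent use during application review, as an added example that is not part of the original article: the script below lists browser-reachable intent filters that another application could also claim, either because they use a custom scheme or because they handle web links without App Links verification. It assumes the manifest has already been decoded to text XML; the sample manifest and all names in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"

def hijackable_link_filters(manifest_xml):
    """Return (activity, scheme, reason) for link handlers other apps can also claim."""
    findings = []
    for act in ET.fromstring(manifest_xml).iter("activity"):
        name = act.get(ANDROID + "name")
        for flt in act.iter("intent-filter"):
            categories = {c.get(ANDROID + "name") for c in flt.iter("category")}
            if BROWSABLE not in categories:
                continue  # not reachable from a browser or OAuth redirect
            verified = flt.get(ANDROID + "autoVerify") == "true"
            schemes = {d.get(ANDROID + "scheme") for d in flt.iter("data")}
            for scheme in sorted(s for s in schemes if s):
                if scheme not in ("http", "https"):
                    findings.append((name, scheme, "custom scheme: any app may register it"))
                elif not verified:
                    findings.append((name, scheme, "web link without android:autoVerify"))
    return findings

# Constructed sample manifest (decoded to text XML); all names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".OAuthRedirect">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplebank" android:host="oauth"/>
      </intent-filter>
    </activity>
    <activity android:name=".VerifiedLink">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="bank.example.com"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in hijackable_link_filters(SAMPLE):
        print(finding)
```

An OAuth redirect that arrives through a flagged filter is the case the description above warns about; the verified https filter is not reported.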

Capture Clipboard Data


Platform: Android, iOS
Description: Malicious applications may try to capture sensitive data stored in the device's clipboard, for example, passwords copied and pasted from a password manager application.

Protection recommendations: In a corporate environment, it is recommended to implement processes for checking applications for vulnerabilities and unwanted actions, application installation restriction policies, and Bring Your Own Device (BYOD) policies that impose restrictions only on the enterprise-controlled part of the device. EMM / MDM systems or other mobile device security solutions can detect the presence of unwanted or malicious applications on corporate devices.

Capture SMS Messages


Platform: Android, iOS
Description: A malicious application may collect confidential data sent in SMS messages, including authentication data. SMS messages are often used to transmit multi-factor authentication codes.

An Android application must request and receive permission to receive SMS messages during installation or execution. Alternatively, a malicious application may try to elevate privileges to circumvent this protection. iOS applications cannot access SMS messages during regular operation, so the adversary would first need to carry out a privilege escalation attack.

Protection Recommendations: In a corporate environment, it is recommended that applications be pre-scanned for the RECEIVE_SMS permission. If this permission is detected, the application requires a detailed analysis.

Exploit TEE Vulnerability


Platform: Android
Description: Malicious applications or other attack vectors can be used to exploit vulnerabilities in code that runs in a Trusted Execution Environment (TEE). The adversary can then gain the privileges that the TEE has, including the ability to access cryptographic keys or other sensitive data. To attack the TEE, an adversary may first need elevated OS privileges. If not, then TEE privileges can be used to exploit OS vulnerabilities.

Protection recommendations: Check applications for known vulnerabilities, install security updates, and use the latest OS versions.

Malicious Third Party Keyboard App


Platform: Android, iOS
Description: A malicious application can register as a device keyboard and intercept keystrokes when a user enters sensitive data, such as username and password.

Protection recommendations: Applications rarely register as keyboards, so those that do should be carefully analyzed during the preliminary check. Both iOS and Android require the user's explicit permission to use third-party software keyboards. Users are advised to exercise extreme caution before granting such permission when it is requested.

Network Traffic Capture or Redirection


Platform: Android, iOS
Description: An attacker can capture incoming and outgoing traffic or redirect network traffic through an adversary-controlled gateway to obtain credentials and other sensitive data.

A malicious application may register as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must give consent to the application to perform the functions of a VPN client, and on iOS, the application requires special permission from Apple.

Alternatively, a malicious application may try to elevate privileges in order to gain access to network traffic. An adversary can redirect network traffic to a gateway under their control by establishing a VPN connection or changing proxy settings on the attacked device. An example is the ability to redirect network traffic by installing a malicious iOS configuration profile (link to source).

Security Tips: Carefully review any application that requests VPN access before allowing it to be used. Traffic encryption is not always effective, because an adversary can intercept traffic before it is encrypted. Both iOS and Android indicate an established VPN connection in the status bar at the top of the screen.
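The pre-installation checks recommended in the accessibility, device log, SMS, keyboard and VPN sections above can be run together over an application's manifest. The script below is an added example, not part of the original article; it assumes the manifest has already been decoded to text XML, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions named in this article that warrant detailed review when requested.
RISKY_USES_PERMISSION = {
    "android.permission.RECEIVE_SMS": "can receive SMS (MFA codes)",
    "android.permission.READ_LOGS": "can read the system log",
}
# A service guarded by one of these bind permissions registers the app as
# an accessibility service, a software keyboard (IME) or a VPN client.
RISKY_SERVICE_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_INPUT_METHOD": "third-party keyboard (IME)",
    "android.permission.BIND_VPN_SERVICE": "VPN client",
}

def audit_manifest(xml_text):
    """Return sorted (component, reason) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "?")
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in RISKY_USES_PERMISSION:
            findings.append((package, RISKY_USES_PERMISSION[name]))
    for svc in root.iter("service"):
        bind = svc.get(ANDROID + "permission")
        if bind in RISKY_SERVICE_BIND:
            findings.append((svc.get(ANDROID + "name"), RISKY_SERVICE_BIND[bind]))
    return sorted(findings)

# Constructed sample: a "flashlight" app that asks for far more than it needs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Keys"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
    <service android:name=".Sync"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for component, reason in audit_manifest(SAMPLE):
        print(f"{component}: {reason}")
```

A finding is a prompt for the detailed analysis the article recommends, not a verdict: legitimate screen readers, keyboards and VPN clients declare the same entries.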

URL Scheme Hijacking


Platform: iOS
Description: URL schemes (as Apple calls them) are URL handlers that can be invoked by the Safari browser or used by an application to call another application. For example, the tel: scheme can be used to launch the Phone application and dial a specific number by placing the corresponding HTML code on the landing page:


Skype scheme: start a Skype call:


iOS allows applications from different developers to share the same URL schemes. A malicious application can register the URL scheme of another application, which allows it to intercept a call meant for the legitimate application and use a phishing interface to obtain user credentials or OAuth authorization codes.

Protection recommendations: During the analysis of application security, check for the presence of potentially dangerous URL schemes. Give preference to programs that use universal links as an alternative to URL schemes (a universal link redirects the user to a specific installed application).
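The URL scheme check recommended above can be scripted against the files of an unpacked iOS application. This is an added example, not part of the original article: it reads the custom schemes from Info.plist and the universal link domains from the app's entitlements, and flags an app that relies on schemes alone. The sample plists and the bundle name are constructed.

```python
import plistlib

def audit_url_handling(info_plist, entitlements=None):
    """Summarise how an iOS app receives links, from its plist files (bytes)."""
    info = plistlib.loads(info_plist)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    domains = []
    if entitlements:
        ent = plistlib.loads(entitlements)
        domains = ent.get("com.apple.developer.associated-domains", [])
    # Universal links are declared as "applinks:<domain>" entries.
    universal = sorted(d.split(":", 1)[1] for d in domains if d.startswith("applinks:"))
    return {
        "custom_schemes": sorted(schemes),
        "universal_link_domains": universal,
        # Custom schemes are not unique to one developer; flag apps with no alternative.
        "schemes_only": bool(schemes) and not universal,
    }

# Constructed samples; bundle contents and names are hypothetical.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.bank</string>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array><string>examplebank</string></array>
  </dict></array>
</dict></plist>"""

ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.associated-domains</key>
  <array><string>applinks:bank.example.com</string></array>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_url_handling(INFO_PLIST))
    print(audit_url_handling(INFO_PLIST, ENTITLEMENTS))
```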

User Interface Spoofing


Platform: Android, iOS
Description: UI substitution is used to trick the user into providing confidential information, including credentials, bank details or personal data.

UI substitution of legitimate applications or device functions

On both Android and iOS, an adversary can impersonate the user interface of a legitimate application or device function, tricking the user into entering sensitive information. The limited display size of mobile devices (compared to a PC) may make it harder to show the user contextual information (for example, the full website address) that could alert them to danger. An attacker can also use this technique without being present on the mobile device, for example, through a fake web page.

Substitution of a legitimate application

A malicious application may fully imitate the target application: it uses the same name and icon, is installed on the device through an authorized application store or delivered in other ways (see application delivery techniques), and then asks the user to enter confidential information.

Abuse of the OS’s capabilities to interfere with a legitimate application

In older versions of Android, a malicious application may use regular OS functions to interfere with a running application. This refers to the obsolete ActivityManager.getRunningTasks method (available on Android prior to version 5.1.1), which returns a list of OS processes and makes it possible to determine the foreground application, for example, in order to launch a fake look-alike interface.

Protection recommendations: In a corporate environment, it is recommended to check applications for vulnerabilities and unwanted actions (malicious or privacy-violating), and to implement application restriction policies or Bring Your Own Device (BYOD) policies that impose restrictions only on the enterprise-controlled part of the device. Training and user guides help to maintain a defined configuration of corporate devices, and sometimes even prevent specific risky user actions.

EMM / MDM systems or other solutions for protecting mobile devices can automatically detect unwanted or malicious applications on corporate devices. Software developers usually have the ability to scan application stores for unauthorized applications that were submitted using their developer ID.

It is recommended to use only the latest versions of mobile operating systems, which, as a rule, contain not only patches, but also have an improved security architecture that provides resistance to previously undetected vulnerabilities.
