Mobile Guroo has been tracking and helping to prevent WannaCry type attacks for our Fortune 500 clients and would like to share our knowledge and advice.
In brief, WannaCry impacted mainly desktops and servers this time, but mobile devices are well within a hacker’s reach. In fact, the same type of malware, ransomware, is the most popular malware on Android devices. Read on to understand the similarities and how you can prevent a ransomware attack on mobile, or feel free to reach out to us for a free assessment of your risks.
WannaCry in a Nutshell:
WannaCry is the latest global cyberattack; it was first detected in Europe on Friday, May 12th, across Windows desktops and servers. It is a type of ransomware that illegally encrypts the computer’s files and locks out the owner until a minimum of $300 in Bitcoin is paid to the perpetrator. The system and its data are virtually unusable until the files are decrypted, and only the hackers hold the keys needed to do so. Once paid, the perpetrators promise safe recovery and decryption of the files.
To add insult to injury, it is also a worm, which can spread to other computers connected to the same network. The WannaCry malware exploited a Windows vulnerability that was leaked from the NSA. Microsoft released a security patch in March 2017 to address this vulnerability, but those that did not apply the update (MS17-010) were vulnerable to the cyberattack.
Global Impact of WannaCry:
The global impact of WannaCry is unprecedented. 150 countries were impacted, including the UK, Spain, India, Russia, China and the US, and 200,000 computers in both organizations and government agencies were affected. In the UK, the National Health Service was badly affected; in Spain, the largest telecommunications company, Telefonica, was affected; in Russia, the interior ministry was hit; and in the US, FedEx was also affected.
The consequences of such an attack include:
- Temporary or permanent loss of user and/or company confidential data,
- Disruption to business operations,
- Financial losses incurred to restore systems and files, and
- Financial losses due to harm to an organization’s reputation
What’s the Fix for WannaCry?
Microsoft released a security patch in March that fixed the vulnerability the hackers exploited. Computers that have been infected had not updated the operating system with the latest patches. To ensure that you are not affected by the next cyberattack that takes advantage of this vulnerability, install the MS security patch! The MS17-010 update has been available for supported systems since March 2017, and was made available for Windows XP/Windows 8.0/Windows Server 2003 on May 12th.
If you require more details on WannaCry or are infected, see the US Government Fact Sheet: ICS-CERT Fact Sheet on WannaCry.
SO HOW DOES WANNACRY IMPACT MOBILE DEVICES IN YOUR ORGANIZATION?
WannaCry is a form of ransomware, which is the most popular malware seen on Android devices. Ransomware has affected Android devices since 2013 and has become more sophisticated each year since. As mobile devices become more like mini computers, an increasing amount of data is stored on them, which makes Android ransomware an even more worthwhile attack vector for hackers.
Most Android ransomware behaves very similarly to WannaCry: once the malware is installed on the Android device, the device is locked and its data is encrypted. The affected user cannot access their data unless they pay a ransom to the hackers. Ransomware locks the device and limits interaction to just the threat notifications and the requested ransom/payment. Upon receipt of payment, typically via Bitcoin, the hackers promise to decrypt the data. Once decrypted, the user can unlock their device and access their data.
Overview of the types of Android Ransomware
- Android Defender
- Fake Avast
- Police ransomware
- Android Simplocker
- Android LockerPin
- Android Charger
How does a mobile device get infected with Ransomware?
The user installs a malicious app (APK file) on their Android device. Social engineering is the likeliest way of targeting a user and getting them to install the malicious APK, typically via a phishing email.
For example, we saw with Koler.A that the malware was embedded in a pornographic app. In some cases, the malware mimics the name and icon of a popular app such as a game. In other cases, the malware is embedded in an existing popular application, keeping the original functionality, which makes it easier to go unnoticed. (For the latter, to embed malware into an existing application, the app would have to be re-signed and submitted under a different developer account than the one it was originally signed with.)
Phishing emails have become very targeted and as such increase the likelihood of a user clicking on the link or attachment and installing the malicious app. The information included in phishing emails often comes from leaky mobile apps on both personal and company-owned mobile devices, which are able to mine personal and sensitive corporate data such as user information (passwords, email, phone numbers, etc.), pictures, location tracking, call logs and even recordings via the phone’s microphone. More info on leaky and high-risk mobile apps can be found in Appthority’s Enterprise Mobile Threat Reports.
EXAMPLE OF HOW RANSOMWARE GETS INSTALLED ON A BYOD/CORP ANDROID DEVICE:
Many mobile apps send both contact and calendar data to third-party ad networks, and this is often company contact and calendar info. As such, this information is out in the wild and can be used to craft a targeted spear phishing attack.
Here’s how: By selecting a recent calendar entry, the attacker can determine other meeting attendees. It is then a trivial step to devise an email which references the meeting, and which includes a malware-laden attachment with a file name that’s related to the meeting subject.
By matching contacts to meeting attendees, the attacker can write text suited to the contact’s role and title. The email sender is spoofed so the email appears to come from the trusted meeting attendee, and the email text makes it look legitimate. Once the attachment is opened, the initial stage of the breach has begun.
What can users & employees do to mitigate?
Backup your data: this is the single best thing you can do to defeat ransomware. If you are attacked, you can always do a factory reset on your device. You may temporarily lose your data but you can then restore it with your backup.
Download and install the latest OS updates as soon as they become available. These include important security updates that help keep your device and data protected.
Understand the risks of jailbreaking/rooting your device, either intentionally or as a result of an attack. Note that compromised devices registered to EMM software like AirWatch will not be able to access corporate data and will be enterprise wiped.
Examine carefully any app installation request before accepting it to make sure it’s legitimate.
Avoid clicking on web links in emails that you do not recognize especially those taking you to third-party app stores.
Avoid side-loading apps (.IPA or .APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from the Apple App Store and/or Google Play.
For Android, ensure that:
“Verify Apps” is enabled in Settings. This feature is enabled by default on Android devices and is designed to act as an additional layer of protection, scanning apps from third-party sources for known malware before you install.
“Untrusted Sources” is not enabled in Settings. This will prevent you from downloading apps from unofficial sources.
Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life.
Use known, trusted Wi-Fi networks or while traveling use only those that you can verify are provided by a trustworthy source. Avoid connecting to public hotspots.
What can IT Admins do to mitigate?
Ensure you have a Mobile Device Management/Enterprise Mobile Management system deployed which manages both corporate and BYOD mobile devices. Ensure you are blocking users from connecting to third-party app stores to sideload applications (note this applies to iOS but not to all Android manufacturers). Ensure employees’ mobile devices have the latest OS and security updates applied; otherwise they should be blocked from corporate network access, including corporate email, WiFi and VPN.
Ensure you have a Mobile Threat Defense solution deployed which detects malware and other high-risk mobile apps (i.e. mobile apps that are sending contact/calendar info to external sources that could be used for social engineering and phishing emails).
Ensure that the Mobile Threat Defense solution leverages automated remediation, typically via the MDM/EMM integration, so that mobile devices with malware or other high-risk apps are blocked from accessing the corporate network.
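The device checks recommended to users above (patch level, root status, the “Untrusted Sources” and “Verify Apps” settings) and the admin policy of blocking or wiping non-compliant devices can be combined into one compliance decision. The following is an added example, not code from Mobile Guroo or any EMM product; it assumes the raw values come from an EMM/MTD agent (the Android settings keys `install_non_market_apps` and `package_verifier_enable` and the `ro.build.version.security_patch` property are real, the threshold date and the sample records are constructed).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# Policy threshold: assumed value for illustration, not taken from the post.
MIN_SECURITY_PATCH = date(2017, 4, 1)  # oldest acceptable Android security patch level


def setting_flag(raw: str, default: bool) -> bool:
    """Interpret 'adb shell settings get' output: '1'/'0', or 'null' when never set."""
    raw = raw.strip()
    if raw in ("null", ""):
        return default  # never set: Android falls back to the platform default
    return raw == "1"


@dataclass
class Device:
    device_id: str
    security_patch: str          # ro.build.version.security_patch, e.g. "2017-05-01"
    rooted: bool                 # result of the EMM agent's root/jailbreak detection
    unknown_sources_raw: str     # settings get secure install_non_market_apps
    verify_apps_raw: str         # settings get global package_verifier_enable
    risky_apps: List[str] = field(default_factory=list)  # apps flagged for leaking contacts/calendar


def evaluate(dev: Device) -> Tuple[str, List[str]]:
    """Decide 'allow', 'block' or 'wipe' for corporate access, with the reasons."""
    if dev.rooted:
        return "wipe", ["device is rooted/compromised"]  # post: compromised devices are enterprise wiped
    reasons = []
    try:
        if date.fromisoformat(dev.security_patch) < MIN_SECURITY_PATCH:
            reasons.append(f"security patch level {dev.security_patch} is older than {MIN_SECURITY_PATCH}")
    except ValueError:
        reasons.append(f"unreadable security patch level {dev.security_patch!r}")
    if setting_flag(dev.unknown_sources_raw, default=False):
        reasons.append("Untrusted/Unknown sources enabled: sideloading allowed")
    if not setting_flag(dev.verify_apps_raw, default=True):
        reasons.append("Verify Apps disabled")
    if dev.risky_apps:
        reasons.append("high-risk apps installed: " + ", ".join(dev.risky_apps))
    return ("block" if reasons else "allow"), reasons


# Constructed inventory records, as an EMM/MTD integration might hand them over.
SAMPLE_DEVICES = [
    Device("corp-01", "2017-05-01", False, "0", "1"),
    Device("byod-02", "2016-11-01", False, "1", "null", ["com.example.leakygame"]),
    Device("byod-03", "2017-05-01", True, "0", "1"),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        verdict, why = evaluate(d)
        print(d.device_id, verdict, "; ".join(why))
```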
Educate your mobile users on mobile security best practices!
Legitimate and free decryption tools available here: