Mobisec

Mobisec Technologies is a deep-technology-driven startup in the cybersecurity domain with a focus on mobile app and device (smartphone/tablet) security.

We protect enterprises from the threats that emanate from use of mobile devices in their work environments.

06/03/2023

Thank you F**T IIT DELHI for organising the Defence Expo & Demo Day and providing an opportunity to Mobisec Technologies to pitch our solution and seek valuable feedback from senior military officers, bank executives and stakeholders in the cybersecurity domain. It was great fun and team Mobisec enjoyed it thoroughly. Thank you Major General CS Mann (VSM), AVM (Dr.) Devesh Vatsa (VSM) (retd.) Advisor DSCI, Commodore (Dr.) RK Rana Honorary Senior Adviser F**T, Commodore Arun Golaya, and Prof Kolin Paul Head School of IT for your valuable suggestions.

10/08/2022

⚠️Workshop Alert! 💳Smart Cards in Action👊

💡Build, burn & run security applications on smart cards + learn to write real-world applications for smart cards with JavaCard technology, & interact with your machines during the Workshop by Dr. Rajesh

🎟️Discover more & grab your tickets to the ➡️https://bit.ly/3P81AMZ

04/06/2022

Flubot takedown

Good news: An international law enforcement operation involving 11 countries has taken down the Flubot malware, which had been spreading like wildfire since 2021, Europol has declared.

In a nutshell:
What is Flubot?: An Android malware that spreads through SMS. The message entices the smartphone user to click a link in the SMS that installs a malicious app.

How does Flubot affect me?: It steals passwords, online banking details and sensitive information from the user’s smartphone. It accesses the contact list to spread itself further.

How can I identify Android malware & protect myself?: Malware that disguises itself as an app can be difficult to spot. However, be suspicious of an app if (a) you tap the app and it doesn’t open, or (b) you try to uninstall the app and an error message shows up instead. If you think an app may be malware, the best option is to reset the phone to factory settings. However, be aware that on reset you lose all data/apps as well.


This technical achievement follows a complex investigation involving law enforcement authorities of Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States, with the coordination of international activity carried out by Europol’s European Cy...

05/12/2021

Securing enterprise-managed mobile devices is essential to a robust cybersecurity posture. The Cybersecurity & Infrastructure Security Agency (CISA) has recently published its Mobile Device Cybersecurity Checklist for Organisations [1]. It is a good go-to checklist for safeguarding enterprise-managed mobile devices from various threats. Enterprises should use a mobile threat defence solution to ensure that patches/updates are automatically applied as soon as they are released, device security/trust is maintained, only security-vetted apps reach the devices, and threats progressing through the network are detected & prevented. The checklist is recommended as a good starting point for enterprises in improving mobile security.
[1] https://lnkd.in/gcbKMrcp

25/11/2021

Indian banking users have been targeted by the Drinik Android malware for the past three months to steal their bank account and debit card details. People are lured into divulging their bank account details on the pretext of an Income Tax refund.

As a modus operandi, an SMS with a phishing link is sent to targets. On clicking the link, the mobile user is taken to a fake website pretending to be the Income Tax Department website. The user is provided with a form to enter personal & banking details, as well as a prompt to download and install an Income Tax Refund app. The Refund app masquerades as the Income Tax Department app for receiving tax refunds. On installation, the app asks the user to grant permissions such as SMS, contacts, call logs, etc. While the user is engaged, the malicious app sends the entered data and data stored on the phone, such as contacts, call logs and SMS, to the attacker’s system. The attack moves a step ahead by presenting the login page of the user’s bank (from 27 Indian banks being targeted) to capture login credentials. The targeted campaign poses a serious risk to the money and privacy of smartphone users.

Users’ caution in NOT clicking unknown links and NOT installing unknown apps can be a saviour.

More importantly, as said in Bhagavad Gita: Chapter 16, Verse 21:
त्रिविधं नरकस्येदं द्वारं नाशनमात्मन: |
काम: क्रोधस्तथा लोभस्तस्मादेतत्त्रयं त्यजेत् || 21||
There are three gates leading to the hell of self-destruction for the soul—lust, anger, and greed. Therefore, all should abandon these three.
Thus, resisting greed would render the attack futile.

However, it is easier said than done. For this type of sophisticated attack, having a technological solution, such as the self-healing system for mobile devices being developed by Mobisec, would provide much-needed security and relief.

30/10/2021

Extraneous functionality is functionality that was not intended to be released but was left enabled in an app's public release. For example, a developer may accidentally include a password as a comment, or a two-factor authentication bypass used for testing may find its way into the release version.

Extraneous functionality that may provide access to backend systems is often sought by attackers. The attackers examine log files, configuration files, and the app binary to discover hidden switches or any test code. The impact of extraneous functionality includes exposure of how backend systems work and unauthorised execution of high-privileged actions.

Manual code review is the most effective way to identify extraneous functionality. Automated static and dynamic analysis tools may be useful in identifying log statements and other issues.
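
As an illustration of the automated check mentioned above, the following pre-release scan is an added example, not code from Mobisec. It flags the leftovers this post names (a password in a comment, a test bypass switch, debug log statements) in constructed sample sources; the rule set and file names are assumptions, not an exhaustive list.

```python
import re

# Heuristic rules for leftovers that should not ship in a release build.
# Illustrative only; a real review would extend and tune these.
RULES = [
    ("credential-in-comment",
     re.compile(r"(//|#|/\*|<!--).*\b(password|passwd|secret|api[_-]?key)\b"
                r"\s*[:=]\s*\S+", re.I)),
    ("test-bypass-switch",
     re.compile(r"\b(skip|bypass|disable)[A-Za-z_]*(2fa|otp|auth|pinning)"
                r"[A-Za-z_]*\s*=\s*(true|1)\b", re.I)),
    ("debug-log-call",
     re.compile(r"\bLog\.(v|d)\s*\(|\bSystem\.out\.println\s*\(")),
    ("debuggable-manifest",
     re.compile(r'android:debuggable\s*=\s*"true"')),
]

def scan(files):
    """Return sorted (path, line_no, rule) findings for a {path: text} dict."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, line_no, rule))
    return sorted(findings)

# Constructed sample sources (not taken from any real app).
SAMPLE = {
    "app/src/main/java/LoginActivity.java": (
        "public class LoginActivity {\n"
        "    // staging login password = Test@1234\n"
        "    static boolean skipOtpCheck = true;\n"
        "    void login(String user) {\n"
        "        Log.d(\"LOGIN\", \"user=\" + user);\n"
        "        Log.e(\"LOGIN\", \"login failed\");\n"
        "    }\n"
        "}\n"
    ),
    "app/src/main/AndroidManifest.xml": (
        "<application android:debuggable=\"true\" android:label=\"Demo\">\n"
        "</application>\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, rule in scan(SAMPLE):
        print(f"{path}:{line_no}: {rule}")
```

A scan like this only narrows where a reviewer should look; the manual code review recommended above is still what decides whether a finding is real.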

04/10/2021

Reverse engineering a mobile app is analysing the app (as obtained from the app store) to extract information about its original string table, functions, control flow and source code. Generally, binary inspection tools such as IDA Pro, Hopper, otool and strings are used for the purpose. As an example attack scenario, consider an attacker who discovers jailbreak detection code in the app and uses this knowledge to disable jailbreak detection by modifying the mobile app binary.

Most mobile apps are susceptible to reverse engineering. Using obfuscation tools to obfuscate the app code is an effective deterrent against reverse engineering. As part of the security testing of a mobile app, its susceptibility to reverse engineering should be tested.

11/09/2021

Code tampering is the modification of an app to create a malicious version. The attacker generally hosts tampered apps in third-party app stores or tricks users into installing the app via a phishing attack. This exploitation is quite prevalent because of its ease and the control it provides to an attacker.

The tampering could be a direct change in the app binary or a replacement of system APIs to intercept and execute malicious code. Its impacts are severe, ranging from unauthorised new features and identity theft to fraud for personal/monetary gain and spying.

A good remediation strategy is to build a capability in the app itself to check code integrity at runtime. Detecting whether the Android device is rooted before running the app is also recommended.

31/08/2021

Code quality issues, though common within most mobile apps, are mostly benign. However, a code quality issue through which execution of foreign code within the mobile app’s address space becomes possible could be risky. The vulnerabilities arising from poor code quality are exploited by feeding specially crafted inputs. Typical attacks usually exploit memory leaks and buffer overflows.

Code quality issues can be avoided by maintaining consistent coding patterns, sanitising user inputs, and exercising caution while using buffers and unsafe functions. Code review, static code analysis and fuzzing are recommended to discover and fix poor code quality issues.

22/08/2021

Authentication is identifying an individual, whereas authorization is checking that the identified individual is authorized to perform a particular action in an app. An attacker logs in to the target app as a legitimate user, often with normal/low privilege. By exploiting poor or missing authorization, the attacker executes privileged/administrative functionality to which the attacker is not entitled. Insecure authorization may result in destruction of systems or access to sensitive information.

To prevent insecure authorization: (a) Use the backend system’s data to grant roles and permissions to an authenticated user. Don’t rely on information that comes from the mobile device or from the user request. (b) After successful authentication, immediately perform the authorization to grant access to entitled functions only.
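
The two recommendations above, shown as a backend handler in its weak and corrected forms. This is an added example, not code from Mobisec; the user names, tokens, actions and the in-memory stores are constructed assumptions standing in for a real backend.

```python
# Constructed backend state (assumption): sessions and roles live server-side.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> user id
ROLES = {"alice": "admin", "bob": "user"}             # user id -> role
PERMISSIONS = {
    "admin": {"view_statement", "freeze_account"},
    "user": {"view_statement"},
}

class Forbidden(Exception):
    """Raised when a request is unauthenticated or not permitted."""

def authenticate(request):
    """Resolve the session token to a user id, rejecting unknown tokens."""
    user = SESSIONS.get(request.get("token"))
    if user is None:
        raise Forbidden("not authenticated")
    return user

def handle_insecure(request):
    """Weak form: authorizes using the role field sent by the mobile client."""
    authenticate(request)
    role = request.get("role", "user")        # client-controlled value
    if request.get("action") not in PERMISSIONS.get(role, set()):
        raise Forbidden("not permitted")
    return "done"

def handle_secure(request):
    """Corrected form: role is looked up in backend data right after login."""
    user = authenticate(request)
    role = ROLES.get(user)                    # backend source of truth
    if request.get("action") not in PERMISSIONS.get(role, set()):
        raise Forbidden("not permitted")
    return "done"

def allowed(handler, request):
    """True if the handler lets the request through, False if it refuses."""
    try:
        handler(request)
        return True
    except Forbidden:
        return False

# Constructed request: low-privilege user bob claims the admin role.
FORGED = {"token": "tok-bob", "role": "admin", "action": "freeze_account"}

if __name__ == "__main__":
    print("insecure handler allows forged role:", allowed(handle_insecure, FORGED))
    print("secure handler allows forged role:  ", allowed(handle_secure, FORGED))
```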

Address

Gurugram
