<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lookout Blog</title>
	<atom:link href="https://blog.lookout.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://blog.lookout.com</link>
	<description>Lookout Blog</description>
	<lastBuildDate>Mon, 17 Apr 2017 23:32:27 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.7.3</generator>
	<item>
		<title>March was biggest month for compromised data yet with 1.4B exposed email addresses</title>
		<link>https://blog.lookout.com/blog/2017/04/07/breach-report-march-2017/</link>
		<comments>https://blog.lookout.com/blog/2017/04/07/breach-report-march-2017/#comments</comments>
		<pubDate>Fri, 07 Apr 2017 18:50:40 +0000</pubDate>
		<dc:creator><![CDATA[Lookout]]></dc:creator>
				<category><![CDATA[Mobile Tips + Tricks]]></category>
		<category><![CDATA[Breach Report]]></category>
		<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16598</guid>
		<description><![CDATA[With over 1.45 billion compromised accounts, emails, social security numbers, dates of birth, and other data types, March was the biggest month for exposed data this year.   Seventeen companies reported data breaches in March, totaling 1,449,373,000 breached accounts. Major companies, including Saks Fifth Avenue, Coupa, and McDonald&#8217;s (Canada), experienced data loss. However, according to<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/04/07/breach-report-march-2017/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p><span style="font-weight: 400;">With over 1.45 billion compromised accounts, emails, social security numbers, dates of birth, and other data types, March was the biggest month for exposed data this year.  </span></p>
<p><span style="font-weight: 400;">Seventeen companies reported data breaches in March, totaling 1,449,373,000 breached accounts. Major companies, including Saks Fifth Avenue, Coupa, and McDonald&#8217;s (Canada), experienced data loss. However, according to email marketing organization River City Media’s public reports, the organization took the biggest hit with 1.4 billion exposed email addresses. That’s over 96% of the total breached accounts for the month.</span></p>
<p><span id="more-16598"></span></p>
<p><img class="aligncenter wp-image-16599" src="http://blog.lookout.com/wp-content/uploads/2017/04/Breached-Companies-March-1024x980.png" alt="" width="551" height="528" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Breached-Companies-March-1024x980.png 1024w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Breached-Companies-March-300x287.png 300w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Breached-Companies-March-768x735.png 768w" sizes="(max-width: 551px) 100vw, 551px" /> <img class="aligncenter wp-image-16600" src="http://blog.lookout.com/wp-content/uploads/2017/04/Breached-Accounts-March-956x1024.png" alt="" width="469" height="502" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Breached-Accounts-March-956x1024.png 956w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Breached-Accounts-March-280x300.png 280w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Breached-Accounts-March-768x823.png 768w" sizes="(max-width: 469px) 100vw, 469px" /></p>
<p><span style="font-weight: 400;">River City Media&#8217;s case highlights a very important point all individuals should know about data loss in today&#8217;s world: while any exposed data could spell trouble for the individual to whom it belonged, not all data loss or exposure is due to a malicious attack. </span></p>
<p><b>Sometimes companies make mistakes</b></p>
<p><span style="font-weight: 400;">There are a number of ways in which data is exposed that do not involve a nefarious actor breaking into a company’s systems and leaving with sensitive information.</span></p>
<p><span style="font-weight: 400;">Sometimes companies themselves have security vulnerabilities, misconfigured servers, or other problems that leave data open and unprotected. In the case of River City Media, the company reported that the email addresses were stored in a database that was improperly secured, thereby exposing the data for anyone to access. </span></p>
<p><span style="font-weight: 400;">Because these issues can go unnoticed for an unknown amount of time, the company may not be able to tell whether anyone actually accessed the data while it was exposed. Either way, the company will likely notify its customers.</span></p>
<p><b>Sometimes employees make mistakes</b></p>
<p><span style="font-weight: 400;"><img class="alignright wp-image-16601" src="http://blog.lookout.com/wp-content/uploads/2017/04/Android-576x1024.png" alt="" width="256" height="455" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Android-576x1024.png 576w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Android-169x300.png 169w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Android-768x1365.png 768w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Android.png 1440w" sizes="(max-width: 256px) 100vw, 256px" />Another way companies might experience a non-malicious data breach is if an employee accidentally exposes the data. For example, last month a Boeing employee accidentally emailed a spreadsheet to his spouse that contained sensitive personal information of 36,000 Boeing employees. Boeing reported this as a data breach because, while non-malicious, it still exposed confidential data. </span></p>
<p><b>It doesn’t matter how it’s exposed, breached data is still a problem</b></p>
<p>Whether an attacker steals the information or it’s leaked through other means, exposed data could still spell trouble for the impacted individual who used that service. In March, the top types of compromised data were (in order):</p>
<ol>
<li style="font-weight: 400;"><span style="font-weight: 400;">Individuals’ names</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Dates of birth</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Email addresses</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Social security numbers</span></li>
</ol>
<p><span style="font-weight: 400;">When used together, these pieces of information could lead to identity theft problems if the data landed in the wrong hands.</span></p>
<p><span style="font-weight: 400;">Stay up to date on the latest data breaches with Breach Report. Upgrade to Lookout Premium today to receive timely notifications about breaches that impact industries, companies, or even services you use.</span></p>
<p><a href="https://get.lookout.com/bnIb/Ds1fU3DOmA"><img class="aligncenter size-full wp-image-16548" src="http://blog.lookout.com/wp-content/uploads/2017/02/Upgrade-to-premium-button.png" alt="" width="253" height="71" /></a></p>
<p><span style="font-weight: 400;">Don’t already have Lookout? Download it today.</span></p>
<p><a href="https://get.lookout.com/bnIb/6sqcK8NOmA"><img class="aligncenter size-full wp-image-16549" src="http://blog.lookout.com/wp-content/uploads/2017/02/download-the-app-button.png" alt="" width="247" height="69" /></a></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/04/07/breach-report-march-2017/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Pegasus for Android: the other side of the story emerges</title>
		<link>https://blog.lookout.com/blog/2017/04/03/pegasus-android/</link>
		<comments>https://blog.lookout.com/blog/2017/04/03/pegasus-android/#comments</comments>
		<pubDate>Mon, 03 Apr 2017 19:57:59 +0000</pubDate>
		<dc:creator><![CDATA[<a class="guest-author">Mike Murray, VP of Security Intelligence</a>]]></dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[Pegasus]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16596</guid>
		<description><![CDATA[Today, Lookout and Google are releasing research into the Android version of one of the most sophisticated and targeted mobile attacks we’ve seen in the wild: Pegasus. Read the full technical analysis here A “cyber arms dealer” named NSO Group developed the Pegasus malware, which jailbreaks or roots target devices to surveil specific targets. Last summer,<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/04/03/pegasus-android/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-16597" src="http://blog.lookout.com/wp-content/uploads/2017/04/Screen-Shot-2017-04-03-at-12.54.39-PM.png" alt="" width="723" height="351" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Screen-Shot-2017-04-03-at-12.54.39-PM.png 723w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/04/Screen-Shot-2017-04-03-at-12.54.39-PM-300x146.png 300w" sizes="(max-width: 723px) 100vw, 723px" /></p>
<p><span style="font-weight: 400;">Today, Lookout and Google are releasing research into the Android version of one of the most sophisticated and targeted mobile attacks we’ve seen in the wild: Pegasus.</span></p>
<h6 style="text-align: center;"><a href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf">Read the full technical analysis here</a></h6>
<p><span style="font-weight: 400;">A “cyber arms dealer” named NSO Group developed the Pegasus malware, which jailbreaks or roots target devices to surveil specific targets. Last summer, after being tipped off by a political dissident in the UAE, Citizen Lab brought Lookout in to further investigate Pegasus. In August 2016, Lookout, with Citizen Lab, </span><a href="https://www.lookout.com/trident-pegasus-enterprise-discovery"><span style="font-weight: 400;">published research about the discovery of the iOS version of this threat</span></a><span style="font-weight: 400;">. What we discovered was a serious mobile spyware operation that has since been reportedly used to target Mexican activists, </span><a href="https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html?_r=0"><span style="font-weight: 400;">according to The New York Times</span></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;"><a href="http://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html">Google calls this threat Chrysaor</a>, the brother of Pegasus. For simplicity, we’ll reference this as Pegasus for Android. Names aside, the threat is clear: NSO Group has sophisticated mobile spyware capabilities across a number of operating systems that are actively being used to target individuals.</span></p>
<p>Lookout enterprise and personal customers are protected from this threat.</p>
<p><span id="more-16596"></span></p>
<h5><b>Finding the threat</b></h5>
<p><span style="font-weight: 400;">In the course of researching the iOS threat, Lookout researchers mined our comprehensive dataset and located signals of anomalous Android applications. We have sophisticated and valuable insight into what is happening in the mobile ecosystem at any given point in time. Without the </span><a href="https://www.lookout.com/why-lookout"><span style="font-weight: 400;">Lookout Security Cloud</span></a><span style="font-weight: 400;">, Pegasus for Android most likely would not have been found. </span></p>
<p><span style="font-weight: 400;">After looking into these signals, we determined that an Android version of Pegasus was running on phones in Israel, Georgia, Mexico, Turkey, the UAE, and others. </span></p>
<h5><b>What it does</b></h5>
<p>The Android version performs similar spying functionality as Pegasus for iOS, including:</p>
<ul>
<li style="font-weight: 400;"><span style="font-weight: 400;">Keylogging</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Screenshot capture</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Live audio capture</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Remote control of the malware via SMS</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Browser history exfiltration</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Email exfiltration from Android’s Native Email client</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Contacts and text message exfiltration</span></li>
</ul>
<p>It also self-destructs when it judges that it is at risk of discovery or has lost its operator. Pegasus for Android will remove itself from the phone if:</p>
<ul>
<li style="font-weight: 400;"><span style="font-weight: 400;">The SIM MCC ID is invalid</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">An “antidote” file exists</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">It has not been able to check in with the servers after 60 days</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">It receives a command from the server to remove itself</span></li>
</ul>
<p>It’s clear that this malware was built to be stealthy, targeted, and sophisticated.</p>
<h5><b>How it’s different from the iOS version</b></h5>
<p><span style="font-weight: 400;">The biggest distinction between the iOS and Android versions of Pegasus is the Android version does not use zero-day vulnerabilities to root the device. </span></p>
<p><span style="font-weight: 400;">In the course of researching Pegasus for iOS, Lookout discovered three vulnerabilities Pegasus used to jailbreak the target device, and install and run the malicious software. </span><a href="https://blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/"><span style="font-weight: 400;">We called these three “Trident.” </span></a></p>
<p><span style="font-weight: 400;">Pegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware. Instead, the threat uses an otherwise well-known rooting technique called Framaroot. In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial attempt to root the device fails. </span></p>
<p><span style="font-weight: 400;">This means Pegasus for Android is easier to deploy on devices and, because of the permission-based fallback, can still collect data if the first attempt to root the device fails.</span></p>
<h5><b>Contacting the target</b></h5>
<p>Lookout alerted Google to the presence of the malware and worked with the Google Security team to understand the overall threat. Google has since sent a notification to potential targets with information about remediating the threat.</p>
<p><span style="font-weight: 400;">Anyone who believes they may have come into contact with Pegasus for Android or iOS should contact Lookout at threatintel@lookout.com.</span></p>
<p><span style="font-weight: 400;">We have provided our full, technical research in a report, Pegasus for Android: Technical Analysis and Findings of Chrysaor. If you are interested in the detailed story behind how we found Pegasus for Android and exactly what it does, <a href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf">read the full report here</a>. You can also <a href="https://www.lookout.com/info/pegasus-for-android-webinar-lp">watch our webinar here</a>.</span></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/04/03/pegasus-android/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Paying attention to mobile now will give you a stronger security architecture later</title>
		<link>https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-phil-reitinger/</link>
		<comments>https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-phil-reitinger/#comments</comments>
		<pubDate>Fri, 31 Mar 2017 22:15:28 +0000</pubDate>
		<dc:creator><![CDATA[Lookout]]></dc:creator>
				<category><![CDATA[Enterprise Mobile Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[CSO]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16595</guid>
		<description><![CDATA[“I think the time has come to skew expenditures more toward the future as opposed to what we’re seeing right now. There are still more non-mobile threats that are publicly reported than mobile threats, but that’s a temporary condition. People need to think about mobile and cloud and what’s coming and start the transition now.<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-phil-reitinger/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p><iframe width="500" height="281" src="https://www.youtube.com/embed/jbgcZktLdP8?feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<h5>“I think the time has come to skew expenditures more toward the future as opposed to what we’re seeing right now. There are still more non-mobile threats that are publicly reported than mobile threats, but that’s a temporary condition. People need to think about mobile and cloud and what’s coming and start the transition now. Otherwise they will not be in a better position when we get there; they’ll be in a far worse position,”</h5>
<h5 style="text-align: right;"><span style="font-weight: 400;">&#8211;Phil Reitinger, president of Global Cyber Alliance and former CISO</span></h5>
<p><span style="font-weight: 400;">Enterprises are actively transitioning from desktop and server environments to mobile and cloud ones. This should come as no shock to anyone in an enterprise IT or security function. Mobile devices are in every employee’s hand. Corporate architectures are app-centric, with employees downloading mobile apps without IT vetting. </span></p>
<p><span style="font-weight: 400;">Cybercrime goes where the value is and the value is increasingly going to be in the data that sits in cloud services and the mobile devices that access them.</span></p>
<p><span style="font-weight: 400;">Paying attention now can help you be in a much better security position later.</span></p>
<p><span id="more-16595"></span></p>
<h5><b>The importance of the CIO-CISO relationship</b></h5>
<p><span style="font-weight: 400;">In every business there must be balance. This is especially true when looking at the IT and security functions. Both teams should embrace and protect the technology their employees use to get work done, but sometimes these teams work against each other.</span></p>
<p><span style="font-weight: 400;">For example, if the IT team’s goal is to “keep devices up and working,” and the security team is mandated to “ensure all threats are stopped immediately,” the IT team will try to prevent devices from going offline while the security team will want to take devices offline to stop any threats from spreading and doing damage. They work against each other.</span></p>
<p><span style="font-weight: 400;">In order to properly prepare for the future, “You need combined incentives so you’re not working against each other,” according to Phil. </span></p>
<p><span style="font-weight: 400;">This means creating balanced security policies that embrace usability and productivity by focusing on the mobile environment itself. In other words, security teams must gain visibility into the broad spectrum of threat vectors and risks associated with mobile devices, while not blocking an employee’s access to important apps. </span></p>
<h5><b>You are not going to be able to do everything you want and be compliant, too</b></h5>
<p><span style="font-weight: 400;">Preparing for the future isn’t easy, but that doesn’t mean we can ignore the policies and regulations we have in place today. There are over 190 nations in the world and a growing number of them have privacy regulations. </span></p>
<p><span style="font-weight: 400;">This is especially true when thinking about the mobile device and how much data can be accessed and transmitted through apps outside of the enterprise. </span></p>
<p><span style="font-weight: 400;">“There is virtually no way to do all the things that you want to do in terms of making sure your devices are appropriately monitored and still stay in line with all of the requirements — you’re going to have to make some compromises,” Phil explained. </span></p>
<p><span style="font-weight: 400;">His advice:</span></p>
<ul>
<li style="font-weight: 400;"><span style="font-weight: 400;">Don’t collect more data than you really need and will actually use (both conditions must be met)</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Be very straightforward with employees and government agencies about what you’re doing</span></li>
</ul>
<h5><b>Mobile threats are real today, so start securing them for tomorrow</b></h5>
<p><span style="font-weight: 400;">In the not-so-distant past, enterprises treated mobile risk as little more than an employee getting their phone stolen. With threats like Pegasus, and the reality of remote attacks, we must have the same level of concern for mobile attacks as for the desktop environment. </span></p>
<p><span style="font-weight: 400;">The move to mobile and cloud acts as a forcing function for security and IT teams to evaluate their overall security posture. Embracing that these threats are already here will put your enterprise into a much stronger position when the mobile risks to your corporate data start inundating your organization. </span></p>
<p><em><span style="font-weight: 400;">Learn more about the state of mobile security from former AT&amp;T CSO and current CEO of TAG Cyber <a href="http://blog.lookout.com/blog/2017/03/31/cso-mobile-security-ed-amoroso/">Ed Amoroso in his video</a> on evolving architecture, insufficient MDMs, and dead perimeters.</span></em></p>
<p><em><span style="font-weight: 400;">If you want to learn more about mobile security and get a personalized look at the needs of your specific organization, <a href="https://www.lookout.com/info/enterprise-contact-us">get in touch with us today</a>. </span></em></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-phil-reitinger/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Evolving architecture, management solutions that don’t secure, and dead perimeters: a CISO’s job is a hard one</title>
		<link>https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-ed-amoroso/</link>
		<comments>https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-ed-amoroso/#respond</comments>
		<pubDate>Fri, 31 Mar 2017 22:15:25 +0000</pubDate>
		<dc:creator><![CDATA[Lookout]]></dc:creator>
				<category><![CDATA[Enterprise Mobile Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[CSO]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16594</guid>
<description><![CDATA[“You know, when a CSO thinks through priorities — it’s a tough job. [They need] to balance the kinds of things that require a lot of intense concentration, real deep problems in infrastructure &#8230; with the day-to-day things that could be just as important.” Ed Amoroso would know. Ed served for 12 years<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-ed-amoroso/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
<content:encoded><![CDATA[
<p><iframe width="500" height="281" src="https://www.youtube.com/embed/HIK-C4SOgig?feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p><span style="font-weight: 400;">“You know, when a CSO thinks through priorities — it’s a tough job. [They need] to balance the kinds of things that require a lot of intense concentration, real deep problems in infrastructure &#8230; with the day-to-day things that could be just as important.”</span></p>
<p>Ed Amoroso would know. Ed served for 12 years as CSO at AT&amp;T and is now the CEO of TAG Cyber. He started his career at Bell Labs in Unix security R&amp;D over 30 years ago.</p>
<p><span id="more-16594"></span></p>
<h5><b>So many tasks, so little time</b></h5>
<p><span style="font-weight: 400;">A CSO’s job is a constant juggling process — balancing budget, human capital, time, effort, team energy, and many other factors. In recent years, mobile security has been added to the task list. However, as </span><a href="https://www.lookout.com/trident-pegasus-enterprise-discovery"><span style="font-weight: 400;">threats like Pegasus</span></a><span style="font-weight: 400;"> come to the surface and as employees use their personal devices to get their jobs done, mobile security is quickly becoming a much bigger priority.</span></p>
<h5><b>Dealing with mobile security: an evolution</b></h5>
<p>In recent history, a CSO (or perhaps one of her employees) dealt with the security of mobile devices through device management. “MDMs are good!” Ed explains in the above video, but CSOs are now actively asking themselves new questions: Do I need to augment my MDM? Should I replace it?</p>
<p>Ed suggests stepping back and understanding the interconnectivity of attacks. Malware, vulnerabilities, risky employee behaviors, and network connections all play into a larger mobile attack surface. Security teams need a holistic sense of what they’re working with: how many mobile devices access corporate data? How reliant on mobile devices are employees? How could you enable their productivity by allowing them to use their mobile devices freely?</p>
<p>“You’ll make a better decision,” says Ed.</p>
<h5><b>If you’re still doing perimeter security, you’re doing it wrong</b></h5>
<h6>“To date, we’ve had these perimeter architectures &#8230; you’re ‘inside the firewall’ and that’s the worst architecture that you could have in 2017.” &#8211; Ed Amoroso</h6>
<p>Mobile devices and cloud services bypass the traditional firewall, making it ineffective. End-users, or employees, aren’t slowing down their mobile device usage either. They will do what they want to do: download apps, visit websites, maybe even gamble a little (you’d be surprised). A CSO wants to gain visibility and the ability to mitigate risks to their corporate data, not to become the blocker who says, “No.” CSOs who implement the right kind of architecture, one that embraces mobile security, become the corporate enabler — the person who helps people get their jobs done.</p>
<p><em><span style="font-weight: 400;">Want to get a look into the future of mobile security? Check out this in-depth <a href="http://blog.lookout.com/blog/2017/03/31/cso-mobile-security-phil-reitinger/">video from Phil Reitinger</a>, president of Global Cyber Alliance and former CISO.</span></em></p>
<p><em><span style="font-weight: 400;">If you want to learn more about mobile security and get a personalized look at the needs of your specific organization, <a href="https://www.lookout.com/info/enterprise-contact-us">get in touch with us today</a>. </span></em></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/03/31/cso-mobile-security-ed-amoroso/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Safari scareware campaign thwarted</title>
		<link>https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/</link>
		<comments>https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/#comments</comments>
		<pubDate>Mon, 27 Mar 2017 22:26:03 +0000</pubDate>
		<dc:creator><![CDATA[<a class="guest-author">Andrew Blaich, Jeremy Richards, Kristy Edwards</a>]]></dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[Mobile Safari]]></category>
		<category><![CDATA[scareware]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16588</guid>
		<description><![CDATA[Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign. The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p>Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign.</p>
<p>The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.</p>
<p>However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before they realize they don’t have to pay the ransom to recover data or access the browser.</p>
<p>Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.</p>
<p><span id="more-16588"></span></p>
<p>An attack like this highlights the importance of ensuring your mobile device, or your employees’ mobile devices, are running up-to-date software. Left unpatched, bugs like this can unnecessarily alarm people and impact productivity.</p>
<h5>Discovery event</h5>
<p>This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser. The user provided a screenshot (below) showing a ransomware message from pay-police[.]com, with an overlaid “Cannot Open Page” dialog from Safari. Each time he tapped “OK” he would be prompted to tap “OK” again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.</p>
<h5><img class="aligncenter size-full wp-image-16593" src="http://blog.lookout.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-27-at-3.19.19-PM.png" alt="" width="576" height="512" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-27-at-3.19.19-PM.png 576w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-27-at-3.19.19-PM-300x267.png 300w" sizes="(max-width: 576px) 100vw, 576px" /></h5>
<p><span style="color: #999999;"><em>The user reported seeing the “Your device has been locked…” or “&#8230;you have to pay the fine of 100 pounds with an iTunes pre-paid card” messages and was no longer able to use the browser.</em></span></p>
<h5><strong>Abuse of pop-ups in Mobile Safari </strong></h5>
<p><span style="font-weight: 400;">The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike </span><a href="https://blog.lookout.com/blog/2016/08/25/trident-pegasus/"><span style="font-weight: 400;">an advanced attack like Pegasus</span></a><span style="font-weight: 400;"> that breaks out of the app sandbox to install malware on the device. </span></p>
<p><span style="font-weight: 400;">The scammers registered domains and launched the attack from the domains they owned, such as </span><b>police-pay[.]com</b><span style="font-weight: 400;">, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites.</span></p>
<p><span style="font-weight: 400;">The attackers effectively used fear as a factor to get what they wanted </span><strong>before the victim realized that there was little actual risk.</strong></p>
<p>Based on its code, the attack seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari remained possible until iOS 10.3: an endless loop of pop-ups effectively locks up the browser and prevents the victim from using Safari unless she resets the browser’s cache. In iOS 10.3, these pop-ups no longer lock up the entire browser; they are handled per tab, so if one tab is misbehaving, the user can close it and/or move to another one.</p>
<h5><strong>Quick fix</strong></h5>
<p><span style="font-weight: 400;">Before the iOS 10.3 fix was available, the victim could regain access without paying any money. Lookout determined that the best course of immediate action for the user who initially reported it was to clear the Safari cache (Settings &gt; Safari &gt; Clear History and Website Data) to regain control of the browser. Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.</span></p>
<p><img class="aligncenter wp-image-16589" src="http://blog.lookout.com/wp-content/uploads/2017/03/image00-576x1024.jpg" alt="" width="255" height="454" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/image00-576x1024.jpg 576w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/image00-169x300.jpg 169w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/image00-768x1365.jpg 768w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/image00.jpg 1125w" sizes="(max-width: 255px) 100vw, 255px" /></p>
<p><span style="color: #999999;"><em>To clear browser history on iOS: Settings &gt; Safari &gt; Clear History and Website Data</em></span></p>
<h5>Preventing the attack</h5>
<p>Individuals are strongly encouraged to protect their iOS devices against this attack and take advantage of a number of other security patches that Apple made available in iOS 10.3. See https://support.apple.com/en-us/HT207617 for details. Lookout users will be prompted to update their operating system to 10.3 if they have not already done so.</p>
<h5>Investigation into the campaign</h5>
<p>The attack utilized JavaScript that appears to be reused from an earlier attack, based on the following comment it contained:</p>
<p style="text-align: center;"><em>“saved from url=(0070)http://apple-ios-front.gq/29300000/index.php?DATARE=Vylet%3A30_15%3A29”</em></p>
<p>This attack was documented previously on a Russian website. The JavaScript included some code that specifically set the UserAgent string to match an older iOS version.</p>
<p style="text-align: center;"><em>“'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4'”</em></p>
<p>The attack code creates a pop-up window inside an infinite loop that runs until the victim pays. The ransom is paid by sending an iTunes gift card code, via SMS, to a phone number displayed on the scam website. On newer versions of iOS, the error dialog that appears is the result of Mobile Safari being unable to resolve a local URL lookup; the lookup fails, but the infinite loop in the code keeps presenting the dialog. The JavaScript is delivered obfuscated, but our analysts de-obfuscated it to determine its intent.</p>
<p>The JavaScript we obtained from the pay-police[.]com domain was lightly obfuscated with an array of hex values to mask the code’s behavior. On newer versions of iOS, the pop-up attack amounts to a denial of service (DoS) against the browser.</p>
<p><img class="aligncenter size-full wp-image-16592" src="http://blog.lookout.com/wp-content/uploads/2017/03/image03.png" alt="" width="592" height="228" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/image03.png 592w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/image03-300x116.png 300w" sizes="(max-width: 592px) 100vw, 592px" /></p>
<p><span style="color: #999999;"><em>Obfuscated array of JavaScript commands</em></span></p>
<p>The code on this page also runs the following script before executing the obfuscated code:</p>
<p style="text-align: center;"><em>&lt;script type="text/javascript"&gt;navigator.__defineGetter__('userAgent', function () { return 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4'; });&lt;/script&gt;</em></p>
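<p>As an added example that is not part of the Lookout write-up, the following Node.js scanner checks a script's source for the three traits described above (a navigator.userAgent getter override, a hex-escaped string array, and an unbounded loop that raises a blocking dialog) and reports which iOS version the script impersonates. The regular expressions and both sample scripts are constructed for this example; the scareware sample only resembles the campaign's script and is not the real payload.</p>

```javascript
// Added example, not code from the Lookout post: a static heuristic scanner for the
// three traits the analysis describes. Regexes and sample inputs are constructed for
// this example and are deliberately narrow; treat hits as triage signals, not proof.

// Trait 1: the script replaces navigator.userAgent with a fixed string via __defineGetter__.
const UA_OVERRIDE_RE =
  /navigator\.__defineGetter__\s*\(\s*['"]userAgent['"]\s*,\s*function\s*\(\s*\)\s*\{\s*return\s*(['"])(.*?)\1/;

// Trait 2: a string array built from \xNN escapes (the light obfuscation seen in the campaign).
const HEX_ARRAY_RE = /\[\s*['"](?:\\x[0-9a-fA-F]{2}){3,}/;

// Trait 3: an unbounded loop whose body raises a modal dialog, which is what locks Safari.
const DIALOG_LOOP_RE =
  /(?:while\s*\(\s*(?:true|1)\s*\)|for\s*\(\s*;\s*;\s*\))\s*\{[^}]*\b(?:alert|confirm|prompt)\s*\(/;

// Extracts "8.0.2" from an iPhone user-agent string, or null if no iOS version is present.
function spoofedIosVersion(userAgent) {
  const m = /iPhone OS (\d+(?:_\d+)*)/.exec(userAgent);
  return m ? m[1].replace(/_/g, '.') : null;
}

// Scans one script's source text and returns which traits matched.
function scanScript(source) {
  const hits = [];
  let spoofedVersion = null;

  const ua = UA_OVERRIDE_RE.exec(source);
  if (ua) {
    hits.push('ua-override');
    spoofedVersion = spoofedIosVersion(ua[2]); // the string the fake getter returns
  }
  if (HEX_ARRAY_RE.test(source)) hits.push('hex-string-array');
  if (DIALOG_LOOP_RE.test(source)) hits.push('dialog-loop');

  // A lone user-agent override also appears in benign test harnesses; require two traits.
  return { hits, spoofedVersion, suspicious: hits.length >= 2 };
}

// Constructed sample resembling the campaign's script (not the real payload).
const SAMPLE_SCAREWARE = [
  "navigator.__defineGetter__('userAgent', function () { return 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4'; });",
  'var _0x4e2a=["\\x61\\x6c\\x65\\x72\\x74","\\x4c\\x6f\\x63\\x6b\\x65\\x64"];',
  'while(true){alert(_0x4e2a[1]);}',
].join('\n');

// Constructed benign sample: reads the user agent but never overrides it or loops on a dialog.
const SAMPLE_BENIGN =
  "var ua = navigator.userAgent; if (/iPhone/.test(ua)) { document.body.className = 'mobile'; }";

// Running both samples through the scanner.
const results = {
  scareware: scanScript(SAMPLE_SCAREWARE), // suspicious: true, spoofedVersion: '8.0.2'
  benign: scanScript(SAMPLE_BENIGN),       // suspicious: false
};
console.log(JSON.stringify(results, null, 2));
```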
<p>The group behind this campaign purchased a large number of domains intended to catch users seeking controversial content on the internet and coerce them into paying a ransom.</p>
<p>Some of the additional URLs we found that were serving the malicious JavaScript included:</p>
<ul>
<li>hxxp://x-ios-validation[.]com/us[.]html</li>
<li>hxxp://x-ios-validation[.]com/ie[.]html</li>
<li>hxxp://x-ios-validation[.]com/gb[.]html</li>
<li>hxxp://x-ios-validation[.]com/au[.]html</li>
<li>hxxp://x-ios-validation[.]com/nz[.]html</li>
</ul>
<p>Each site would serve up a different message based on the country code identifier. The sites, presumably, are used to target users visiting from different parts of the world. Each message has a separate email address for the target to contact, which appear to be country-specific and part of a wider phishing campaign.</p>
<p>The phishing domains and email addresses for each payload:</p>
<ul>
<li>U.S.: us.html networksafetydept@usa[.]com</li>
<li>Ireland: ie.html justicedept@irelandmail[.]com</li>
<li>UK: gb.html cybercrimegov@europe[.]com</li>
<li>Australia: au.html federaljustice@australiamail[.]com</li>
<li>New Zealand: nz.html cybercrimegov@post[.]com</li>
</ul>
<p>Lookout researchers continue to monitor this and other related campaigns, as well as work with platform providers to address security concerns as they arise.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Securing enterprise mobility is driving record growth at Lookout</title>
		<link>https://blog.lookout.com/blog/2017/03/15/lookout-momentum/</link>
		<comments>https://blog.lookout.com/blog/2017/03/15/lookout-momentum/#comments</comments>
		<pubDate>Wed, 15 Mar 2017 19:52:30 +0000</pubDate>
		<dc:creator><![CDATA[<a class="guest-author">Jim Dolce</a>]]></dc:creator>
				<category><![CDATA[Lookout News]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16586</guid>
		<description><![CDATA[2016 was the year mobile risk reduction became a necessity for global enterprises. Controlling mobile access to corporate data is now a top priority and proactive CISOs are selecting Lookout to accelerate secure mobility in the workplace. This increase in customer orders drove Lookout to triple our billings year over year in 2016 compared to<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/03/15/lookout-momentum/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
		<content:encoded><![CDATA[<p><span style="font-weight: 400;">2016 was the year mobile risk reduction became a necessity for global enterprises. Controlling mobile access to corporate data is now a top priority and proactive CISOs are selecting Lookout to accelerate secure mobility in the workplace.</span></p>
<p><span style="font-weight: 400;">This increase in customer orders drove Lookout to triple our billings year over year in 2016 compared to 2015 for </span><a href="https://www.lookout.com/products/mobile-endpoint-security"><span style="font-weight: 400;">Mobile Endpoint Security</span></a><span style="font-weight: 400;">. To date, more than 150 enterprises, including top financial services institutions, technology leaders, healthcare providers, professional services firms, and large government agencies, are using Lookout Mobile Endpoint Security. Lookout also more than tripled the number of channel partnerships year over year, and we’re now working with over 80 distributors globally, including new partnerships with Carahsoft, Docomo, Ingram Micro, CDW, SHI, Synergie, and Netrix.</span></p>
<p><span style="font-weight: 400;">Due to the increase in cybersecurity incidents in 2016 we saw a corresponding increase in stories in the media. You can find a cybersecurity story in the </span><a href="http://www.cbsnews.com/news/60-minutes-hacking-your-phone/"><span style="font-weight: 400;">news on television</span></a><span style="font-weight: 400;">, in </span><a href="http://www.vanityfair.com/news/2016/11/how-bill-marczak-spyware-can-control-the-iphone"><span style="font-weight: 400;">online publications</span></a><span style="font-weight: 400;">, or </span><a href="https://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html?_r=1"><span style="font-weight: 400;">newspapers</span></a><span style="font-weight: 400;"> every day. However, the primary catalyst for change in the enterprise mobile security market is a combination of increasing demand from employees for mobile productivity tools, and a rapidly evolving threat landscape driven to maliciously take advantage of largely unsecured mobile endpoints.</span></p>
<h5><b>Why enterprises are choosing Lookout</b></h5>
<p><span style="font-weight: 400;">In 2016, major Global-2000-ranking companies made significant investments in Lookout solutions to solve their mobile security challenges. We’ve now assembled an impressive list of large enterprise reference customers who choose to put their trust in Lookout for three main reasons: our superior comprehensive solution; our uniquely massive data set of mobile threats; and our sustainability due to the strength of our balance sheet.</span></p>
<p><em><span style="font-weight: 400;">Let’s take a closer look at why enterprise CISOs are choosing Lookout:</span></em></p>
<h5><b>Our superior comprehensive solution</b></h5>
<p><span style="font-weight: 400;">The biggest issue that CISOs have is an unmanageable number of security products that have been piecemealed together. Lookout solves this challenge for CISOs by being <a href="https://blog.lookout.com/blog/2017/03/07/mtd-mars/">a comprehensive solution for mobile security</a> they can get from a single vendor. </span></p>
<p><span style="font-weight: 400;">CISOs also know they can’t just protect their company’s data from any one threat, they have to protect themselves from a host of different threats and to do that, they need a comprehensive solution. Only Lookout offers threat remediation that is the result of ten years of research and development, together with a very effective app-risk solution, and the strongest product roadmap of any mobile security vendor.</span></p>
<p><span style="font-weight: 400;">How do I know it’s the strongest product roadmap? </span></p>
<p><span style="font-weight: 400;">In the last 12 months, Lookout has made a huge investment in R&amp;D. In fact, we invested more in research and development in the last 12 months than any of our competitors have raised in the history of their companies. Those competitors are not going to be able to have a roadmap as impressive and as comprehensive as the roadmap we’ve put in place.</span></p>
<p><span style="font-weight: 400;">Beyond the financial investment, Lookout is able to deliver a superior solution because of our deep roots in mobile security innovation. The history of innovation at Lookout </span><a href="https://www.lookout.com/about"><span style="font-weight: 400;">began with our founders</span></a><span style="font-weight: 400;"> finding a vulnerability in Nokia phones in 2004, grew to company-wide hackathons that produce working concepts in 24 hours that eventually make their way into our products, and has led to over 100 patents — more than half of which have been issued in the past two years, across the entire Lookout architecture — from malware correlation technology to user experience and data leakage detection. </span></p>
<h5><b>Our uniquely massive data set of mobile threats</b></h5>
<p><span style="font-weight: 400;">Modern threat management is all about data. It’s a big data problem. The bigger the data set, the more effective a solution is at identifying and protecting against threats. Lookout has the biggest data set in mobile security as a result of our consumer user base, which is generated from a network of over 100 million sensors. Those sensors acquire 90 thousand apps every day, contributing to a corpus of over 40 million apps, and enabling Lookout to auto-convict over 5 thousand new pieces of malware each day. To put those numbers in perspective, Lookout has been acquiring apps since 2009, before any competing companies even existed.</span></p>
<p><span style="font-weight: 400;">The best explanation I’ve heard for the value of our unique data set came during a recent meeting with the CISO of a Fortune 50 company. He said, “Those </span>millions of consumer users, those sensors that you call them, I understand how they provide threat indicators and signals back to a big data set. You process that big data using machine learning algorithms and add the human component from your Research and Response team. That’s the value proposition I see in Lookout.”</p>
<h5><b>The strength of our balance sheet</b></h5>
<p><span style="font-weight: 400;">Mobile security is a constant, fast-moving battle between the good guys and the bad guys. New threats appear all the time and enterprises need to partner with a company that’s capable of making an investment to stay ahead of the bad guys.</span></p>
<p><span style="font-weight: 400;">No enterprise security team wants to evaluate multiple solutions, go through proofs of concept, and consume resources on testing only to do it all over again a year from now because a vendor has closed its doors.</span></p>
<p><span style="font-weight: 400;">Only Lookout delivers investment protection that enables enterprise security leaders to trust that we are a long term strategic partner. Lookout has taken more than $280 million in venture funding and our priority is investing in R&amp;D. The investments we made last year, and the tens of millions of dollars we’re planning to invest in calendar year 2017 are significant proof of where Lookout will be 12 months from now. </span></p>
<p><span style="font-weight: 400;">Lookout is the only mobile security company with the proven scale to address both today’s and tomorrow’s mobile threats — and the only company that enterprise security leaders can count on to be around in 5 years.</span></p>
<h5><b>What I’m excited for in 2017</b></h5>
<p><span style="font-weight: 400;">I’m excited for three major initiatives in 2017: deepening our </span><a href="https://www.lookout.com/about/partners/microsoft"><span style="font-weight: 400;">partnership with Microsoft</span></a><span style="font-weight: 400;">, enabling U.S. government departments to secure mobility through our </span><a href="https://blog.lookout.com/blog/2017/01/19/lookout-fedramp/"><span style="font-weight: 400;">FedRAMP Ready</span></a><span style="font-weight: 400;"> status, and furthering the trusted relationships we’ve built with hundreds of customers and enterprise CISOs.</span></p>
<p><span style="font-weight: 400;">The unique, deep integration we’ve built with Microsoft Enterprise Mobility + Security delivers conditional access by feeding real-time threat intelligence into EM+S. Customers who deploy this joint solution are able to establish a global security policy for employees where if a mobile device is found to be non-compliant due to a mobile risk identified by Lookout, access to corporate resources is blocked by Microsoft EM+S, and the user is prompted to resolve the issue with one-step guidance from Lookout before they can regain access. I’m very excited to see more enterprises deploy the combined Microsoft + Lookout solution in 2017. </span></p>
<p><span style="font-weight: 400;">To become the first mobile security solution to achieve FedRAMP Ready status, Lookout went through rigorous testing, demonstrating it meets the stringent technical requirements mandated by FedRAMP. This status makes it easier for federal agencies to adopt Mobile Endpoint Security, and update their defenses with the right kind of armor for the </span><a href="https://origin-nyi.thehill.com/opinion/op-ed/313639-lieu-and-dolce-cyber-war-has-a-new-weapon-your-smartphone"><span style="font-weight: 400;">new cyber war frontier on mobile</span></a><span style="font-weight: 400;">.</span></p>
<p>Finally, I look forward to continuing to meet customers face-to-face, and building strong relationships. To me, that has always been the most powerful way to earn the trust from our customers that Lookout is going to deliver the security that they need to bring to their enterprise.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/03/15/lookout-momentum/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>February 2017: Breaches increase, scattered across many industries</title>
		<link>https://blog.lookout.com/blog/2017/03/08/breach-report-february-2017/</link>
		<comments>https://blog.lookout.com/blog/2017/03/08/breach-report-february-2017/#comments</comments>
		<pubDate>Wed, 08 Mar 2017 22:23:06 +0000</pubDate>
		<dc:creator><![CDATA[Lookout]]></dc:creator>
				<category><![CDATA[Mobile Tips + Tricks]]></category>
		<category><![CDATA[Breach Report]]></category>
		<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16580</guid>
		<description><![CDATA[Lookout tracks breaches related to companies and services that may impact customers with our Breach Report feature. Breach Report looks at the largest companies globally, and reports on those breaches to provide  customers the most relevant information. It also provides remediation actions to help keep them safe. Interested in getting Breach Report? Upgrade to Premium<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/03/08/breach-report-february-2017/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
		<content:encoded><![CDATA[<p><i><span style="font-weight: 400;">Lookout tracks breaches related to companies and services that may impact customers with our <a href="https://www.lookout.com/products/personal">Breach Report</a> feature. Breach Report looks at the largest companies globally, and reports on those breaches to provide customers the most relevant information. It also provides remediation actions to help keep them safe. Interested in getting Breach Report? <a href="https://get.lookout.com/bnIb/Ds1fU3DOmA">Upgrade to Premium now</a>.</span></i></p>
<p><span style="font-weight: 400;">Attackers successfully breached 15 companies from a wide range of industries including retail, transportation, government services, hospitality, technology, gaming, and more. Among them, the biggest names included popular music festival Coachella, restaurant chain Arby’s, and the InterContinental Hotel Group. In the process, attackers were able to compromise nearly 7 million accounts, according to public reports of these incidents.</span></p>
<p><img class="aligncenter  wp-image-16582" src="http://blog.lookout.com/wp-content/uploads/2017/03/Total-Companies-Breached.png" alt="" width="600" height="600" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Total-Companies-Breached.png 640w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Total-Companies-Breached-150x150.png 150w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Total-Companies-Breached-300x300.png 300w" sizes="(max-width: 600px) 100vw, 600px" /> <img class="aligncenter  wp-image-16583" src="http://blog.lookout.com/wp-content/uploads/2017/03/Total-Breached-Accounts.png" alt="" width="600" height="600" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Total-Breached-Accounts.png 640w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Total-Breached-Accounts-150x150.png 150w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Total-Breached-Accounts-300x300.png 300w" sizes="(max-width: 600px) 100vw, 600px" /><br />
<span style="font-weight: 400;">Though there was a large distribution of impacted industries this month, two familiar trends occurred. First, we saw yet another successful attack against a healthcare institution. Second, attackers put point-of-sale systems in their crosshairs again, this time impacting Arby’s. We saw a large number of attacks against healthcare institutions and point-of-sale systems in 2016, a trend that has seemingly stuck.</span></p>
<h5><b>The types of data stolen</b></h5>
<p><img class="aligncenter size-full wp-image-16584" src="http://blog.lookout.com/wp-content/uploads/2017/03/Reported-Data-Types-Breached-Chart-2.png" alt="" width="1000" height="1000" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Reported-Data-Types-Breached-Chart-2.png 1000w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Reported-Data-Types-Breached-Chart-2-150x150.png 150w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Reported-Data-Types-Breached-Chart-2-300x300.png 300w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Reported-Data-Types-Breached-Chart-2-768x768.png 768w" sizes="(max-width: 1000px) 100vw, 1000px" /></p>
<p><span style="font-weight: 400;">In February, customer names and email addresses topped the list as the most-often stolen pieces of data, each impacting </span><strong>roughly 46 percent of the companies.</strong></p>
<p>Attackers also stole passwords in 26 percent of the breaches, as well as financial information in 26 percent of the breaches.</p>
<p><span style="font-weight: 400;">In the case of CloudPets, a company that creates stuffed animals that can send and receive voice messages, criminals stole nearly 2.2 million voice recordings from kids and parents, in addition to over 820,000 email addresses.</span></p>
<h5><b>Staying safe</b></h5>
<p><span style="font-weight: 400;"><img class="alignright  wp-image-16581" src="http://blog.lookout.com/wp-content/uploads/2017/03/Image-uploaded-from-iOS-576x1024.jpg" alt="" width="279" height="496" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Image-uploaded-from-iOS-576x1024.jpg 576w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Image-uploaded-from-iOS-169x300.jpg 169w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Image-uploaded-from-iOS.jpg 621w" sizes="(max-width: 279px) 100vw, 279px" />Watch out for phishing attacks. In many cases, criminals will use contact information as a way to gain more sensitive information. If your email or phone number is stolen, watch for suspicious emails and text messages that seem to be asking for more information that you’re comfortable giving. You can always contact the company in question directly if you’re ever worried.</span></p>
<p><span style="font-weight: 400;">Companies will also periodically put out new information about a breach via blog post or email, or even offer a telephone number (or other form of contact) to impacted customers. Take advantage of the opportunity to gather as much information about the situation as possible. </span></p>
<p><span style="font-weight: 400;">When financial information is in question, it’s important that data breach victims monitor their bank accounts and credit cards for fraudulent activity. Contact your bank or credit provider if you see anything that looks odd. </span></p>
<p><span style="font-weight: 400;">Stay up to date on the latest data breaches with Breach Report. Upgrade to Premium today to receive timely notifications about breaches that impact industries, companies, or even services you use.</span></p>
<p><a href="https://get.lookout.com/bnIb/Ds1fU3DOmA"><span style="font-weight: 400;"><img class="size-full wp-image-16548 aligncenter" src="http://blog.lookout.com/wp-content/uploads/2017/02/Upgrade-to-premium-button.png" alt="" width="253" height="71" /></span></a></p>
<p><span style="font-weight: 400;">Don’t already have Lookout? Download it today.</span></p>
<p><a href="https://get.lookout.com/bnIb/6sqcK8NOmA"><img class="aligncenter size-full wp-image-16549" src="http://blog.lookout.com/wp-content/uploads/2017/02/download-the-app-button.png" alt="" width="247" height="69" /></a></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/03/08/breach-report-february-2017/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The convergence of the mobile threat defense and mobile app reputation market is good news for CISOs</title>
		<link>https://blog.lookout.com/blog/2017/03/07/mtd-mars/</link>
		<comments>https://blog.lookout.com/blog/2017/03/07/mtd-mars/#respond</comments>
		<pubDate>Tue, 07 Mar 2017 18:00:29 +0000</pubDate>
		<dc:creator><![CDATA[<a class="guest-author">Santosh Krishnan</a>]]></dc:creator>
				<category><![CDATA[Enterprise Mobile Security]]></category>
		<category><![CDATA[Enterprise mobile security]]></category>
		<category><![CDATA[MARS]]></category>
		<category><![CDATA[mobile app reputation solutions]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[Mobile Threat Defense]]></category>
		<category><![CDATA[MTD]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16577</guid>
		<description><![CDATA[The graphic above appears in Gartner’s report, Market Guide for Mobile Threat Defense (MTD) Solutions*. I believe a comprehensive mobile security solution must cover all four of these quadrants and enterprises should look for single solutions that cover all aspects addressed by MTD + MARS. In my conversations with CISOs, I repeatedly hear that one<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/03/07/mtd-mars/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-16579" src="http://blog.lookout.com/wp-content/uploads/2017/03/Screen-Shot-2017-02-03-at-3.54.23-PM.png" alt="" width="931" height="428" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-02-03-at-3.54.23-PM.png 931w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-02-03-at-3.54.23-PM-300x138.png 300w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-02-03-at-3.54.23-PM-768x353.png 768w" sizes="(max-width: 931px) 100vw, 931px" /></p>
<p><i><span style="font-weight: 400;">The graphic above appears in Gartner’s report, </span></i><a href="https://www.gartner.com/doc/3393617/market-guide-mobile-threat-defense"><i><span style="font-weight: 400;">Market Guide for Mobile Threat Defense (MTD) Solutions</span></i></a><i><span style="font-weight: 400;">*. I believe a comprehensive mobile security solution must cover all four of these quadrants and enterprises should look for single solutions that cover all aspects addressed by MTD + MARS.</span></i></p>
<p><span style="font-weight: 400;">In my conversations with CISOs, I repeatedly hear that one of the biggest issues they have is too many security products. They usually express different versions of, “I&#8217;ve got 50 different vendors and 50 different security products, and I simply can’t afford the personnel that I need to manage 50 different products.” I’m happy to share that at Lookout, our </span><a href="https://www.lookout.com/products/mobile-endpoint-security"><span style="font-weight: 400;">Mobile Endpoint Security</span></a><span style="font-weight: 400;"> solution is already a united single offering with capabilities that are usually considered separate parts of Mobile Threat Defense (MTD) and Mobile App Reputation Solutions (MARS) products.</span></p>
<h5><b>The difference between MTD and MARS</b></h5>
<p><span style="font-weight: 400;">Gartner defines the mobile threat defense category as: “The MTD solutions market is made up of products that protect organizations from threats on mobile platforms, including iOS, Android and Windows 10 Mobile. MTD solutions provide security at one or more of these four levels:</span></p>
<ul>
<li><span style="font-weight: 400;">Device behavioral anomalies — MTD tools provide behavioral anomaly detection by tracking expected and acceptable use patterns.</span></li>
<li><span style="font-weight: 400;">Vulnerability assessments — MTD tools inspect devices for configuration weaknesses that will lead to malware execution.</span></li>
<li><span style="font-weight: 400;">Network security — MTD tools monitor network traffic and disable suspicious connections to and from mobile devices.</span></li>
<li><span style="font-weight: 400;">App scans — MTD tools identify &#8220;leaky&#8221; apps (meaning apps that can put enterprise data at risk) and malicious apps, through reputation scanning and code analysis.*”</span></li>
</ul>
<p><span style="font-weight: 400;">While MARS solutions also detect malware, that is not their focus. Gartner explains, “Different from MTD, MARS products focus on identifying leaky apps — i.e., apps that can put enterprise data at risk*”.</span></p>
<p><span style="font-weight: 400;">What organizations should look for is an MTD product that delivers a single solution for protecting against both malicious behaviors and sensitive behaviors (as in the graphic below).</span></p>
<p><img class="aligncenter size-full wp-image-16578" src="http://blog.lookout.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-07-at-9.11.08-AM.png" alt="" width="614" height="231" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-07-at-9.11.08-AM.png 614w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-07-at-9.11.08-AM-300x113.png 300w" sizes="(max-width: 614px) 100vw, 614px" /></p>
<p><span style="font-weight: 400;">The important nuance is that an app does not have to be malicious to be a problem: a non-malicious app that exhibits sensitive behaviors still presents a data leakage risk, through behaviors that include:</span></p>
<ul>
<li><span style="font-weight: 400;">Accessing sensitive data, such as calendar and notes</span></li>
<li><span style="font-weight: 400;">Sending sensitive data that includes PII externally</span></li>
<li><span style="font-weight: 400;">Communicating with cloud services</span></li>
</ul>
<p><span style="font-weight: 400;">While such apps may not be explicitly malicious, these app behaviors present a significant risk because of their potential to cause an enterprise to be out of compliance with regulatory and/or internal policies. </span></p>
<h5><b>Why MTD + MARS convergence is the right choice for protecting enterprise data</b></h5>
<p><span style="font-weight: 400;">Achieving best-in-class mobile security in 2017 requires a comprehensive solution that includes the capabilities of both MTD and MARS, because neither MTD nor MARS on its own delivers the holistic security that enterprises need.</span></p>
<p><span style="font-weight: 400;">As more data is accessed from mobile devices, attackers are targeting mobile as </span><i><span style="font-weight: 400;">the way</span></i><span style="font-weight: 400;"> to steal sensitive data. </span><a href="https://www.lookout.com/trident-pegasus-enterprise-discovery"><span style="font-weight: 400;">Pegasus is a targeted device-level attack</span></a><span style="font-weight: 400;"> that proves this point, as does the </span><a href="https://blog.lookout.com/blog/2016/12/21/mobile-threats-2016/"><span style="font-weight: 400;">rising sophistication of malware</span></a><span style="font-weight: 400;">, and </span><a href="https://info.lookout.com/june-2016-webinar.html"><span style="font-weight: 400;">network attacks such as man-in-the-middle</span></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">The risk from leaky apps stems from organizations not having any visibility into what the apps are actually doing (e.g., collecting and sending data, accessing device features such as the microphone, etc.) on their employees’ mobile devices. Employees often choose the apps they use in order to be productive and get their jobs done, but with this come new risks that are often not addressed.</span></p>
<p><span style="font-weight: 400;">Enterprise security teams need a mobile security solution to protect their unique intellectual property from all four of these vectors, mitigate the risk of mobile attacks, and prevent data leakage on a global scale. </span></p>
<p><span style="font-weight: 400;">To achieve this complete protection, CISO teams can deploy Lookout Mobile Endpoint Security — or try several point solutions with the hope that they all work together.</span></p>
<h5><b>Lookout is the only choice for complete protection of enterprise mobile data</b></h5>
<p><span style="font-weight: 400;">In the </span><a href="https://blog.lookout.com/blog/2016/12/01/gartner-mobile-security-predictions/"><span style="font-weight: 400;">Predicts 2017: Endpoint and Mobile Security</span></a><span style="font-weight: 400;"> report Gartner recommends that, “Security and risk managers responsible for endpoint and mobile security must: Start now to evaluate MTD tools, and gradually implement these solutions in complement to EMM.**”</span></p>
<p><span style="font-weight: 400;">Lookout is the only comprehensive mobile security solution in the market and is the result of ten years of research and software development. Lookout is unique in its ability to deliver MTD with protection from all mobile threats and MARS for app risks in a single unified solution. Lookout integrates with all leading EMM solutions — including a unique deep integration with Microsoft EM+S that enables conditional access — and achieves a 95% self-remediation rate to limit helpdesk tickets.</span></p>
<p><span style="font-weight: 400;">At Lookout, we knew early on that mobile security would be best solved as a data problem. That’s why we’ve amassed the world’s largest mobile security dataset — a global network of over 100M sensors — due to the success of our consumer product. The size of this data set is critical because it enables our platform to be predictive by letting machine intelligence identify complex patterns that indicate risk. No other MTD product even comes close to this scale.</span></p>
<p><span style="font-weight: 400;">The bottom line is that enterprises have to protect themselves from a host of different threats and risks, and to do that, they need a comprehensive solution. The good news is that </span><a href="https://www.lookout.com/products/mobile-endpoint-security"><span style="font-weight: 400;">one is available</span></a><span style="font-weight: 400;">.</span></p>
<p><em><span style="font-weight: 400;">* Gartner, Market Guide for Mobile Threat Defense Solutions, John Girard, Dionisio Zumerle, July 2016.</span></em></p>
<p><em><span style="font-weight: 400;">** Gartner, Predicts 2017: Endpoint and Mobile Security, John Girard, Dionisio Zumerle, Brian Reed, Peter Firstbrook, Bart Willemsen, November 2016.</span></em></p>
<p><em><span style="font-weight: 400;">Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.</span></em></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/03/07/mtd-mars/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar</title>
		<link>https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/</link>
		<comments>https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/#comments</comments>
		<pubDate>Fri, 17 Feb 2017 01:15:00 +0000</pubDate>
		<dc:creator><![CDATA[<a class="guest-author">Michael Flossman, Security Researcher</a>]]></dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Enterprise Mobile Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[IDF]]></category>
		<category><![CDATA[mobile malware]]></category>
		<category><![CDATA[mobile surveillanceware]]></category>
		<category><![CDATA[targeted attacks]]></category>
		<category><![CDATA[ViperRAT]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16563</guid>
		<description><![CDATA[ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force. The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device, and seem most interested in exfiltrating images and audio content. The attackers are<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p><span style="font-weight: 400;">ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force. </span></p>
<p><span style="font-weight: 400;">The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device, and seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures. </span></p>
<p><span style="font-weight: 400;"><img class="alignright size-full wp-image-16570" src="http://blog.lookout.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.43.22-PM.png" alt="" width="423" height="117" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.43.22-PM.png 423w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.43.22-PM-300x83.png 300w" sizes="(max-width: 423px) 100vw, 423px" />Using data collected from the Lookout global sensor network, the Lookout research team was able to gain <strong>unique visibility into the ViperRAT malware, including 11 new, unreported applications.</strong> We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we were able to identify how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring. In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content. </span></p>
<p><strong>In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and their search history, screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images including anything at which the device’s camera is pointed.</strong></p>
<p><span style="font-weight: 400;">Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and businesses are a real problem.</span></p>
<p><span style="font-weight: 400;">Lookout researchers have been tracking this threat for the last month. Given that this is an active threat, we’ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky </span><a href="https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/"><span style="font-weight: 400;">released a report</span></a><span style="font-weight: 400;"> earlier today. </span></p>
<p><span style="font-weight: 400;">Additionally, we have determined that though original reports of this story attribute this surveillanceware tool to Hamas, this may not be the case, as we demonstrate below. </span></p>
<h5>The increasing sophistication of surveillanceware</h5>
<p><span style="font-weight: 400;">The structure of the surveillanceware indicates it is very sophisticated. Analysis indicates there are currently two distinct variants of ViperRAT. The first variant is a “first stage application” that performs basic profiling of a device and, under certain conditions, attempts to download and install a much more comprehensive surveillanceware component, which is the second variant.</span></p>
<p><span style="font-weight: 400;">The first variant involves social engineering the target into downloading a trojanized app. Previous reports alleged this surveillanceware tool was deployed using ‘honey traps’ where the actor behind it would reach out to targets via fake social media profiles of young women. After building an initial rapport with targets, the actors behind these social media accounts would instruct victims to install an additional app for easier communication. Specifically, Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro. We also uncovered ViperRAT in a billiards game, an Israeli Love Songs player, and a Move To iOS app.</span></p>
<p><img class="aligncenter size-full wp-image-16565" src="http://blog.lookout.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.35.13-PM.png" alt="" width="630" height="719" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.35.13-PM.png 630w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.35.13-PM-263x300.png 263w" sizes="(max-width: 630px) 100vw, 630px" /></p>
<p><img class="aligncenter size-full wp-image-16575" src="http://blog.lookout.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.54.16-PM.png" alt="" width="636" height="353" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.54.16-PM.png 636w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.54.16-PM-300x167.png 300w" sizes="(max-width: 636px) 100vw, 636px" /></p>
<h5><span style="font-weight: 400;">The second stage</span></h5>
<p>The second stage apps contain the surveillanceware capabilities. Lookout uncovered nine secondary payload applications:</p>
<p><img class="aligncenter size-full wp-image-16567" src="http://blog.lookout.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.36.55-PM.png" alt="" width="633" height="498" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.36.55-PM.png 633w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.36.55-PM-300x236.png 300w" sizes="(max-width: 633px) 100vw, 633px" /></p>
<p><em><span style="font-weight: 400;">* These apps have not been previously reported and were discovered using data from the Lookout global sensor network, which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today.</span></em></p>
<p><span style="font-weight: 400;">Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn’t present on their device. ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘update’ that may go unnoticed. For example, if a victim has Viber on their device, it will choose to retrieve the Viber Update second stage. If the victim doesn’t have Viber, the generically-named System Updates app gets downloaded and installed instead.</span></p>
<h5><span style="font-weight: 400;">What was taken</span></h5>
<p><span style="font-weight: 400;">The actors behind ViperRAT seem to be particularly interested in image data. We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera. We also observed automatically generated files on the C2, indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents. This should be highly alarming to any government agency or enterprise.</span></p>
<p><img class="aligncenter size-full wp-image-16568" src="http://blog.lookout.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.38.09-PM.png" alt="" width="603" height="405" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.38.09-PM.png 603w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.38.09-PM-300x201.png 300w" sizes="(max-width: 603px) 100vw, 603px" /></p>
<p><span style="font-weight: 400;">We observed legitimate exfiltrated files of the following types of data:</span></p>
<ul>
<li><span style="font-weight: 400;">Contact information</span></li>
<li><span style="font-weight: 400;">Compressed recorded audio in the Adaptive Multi-Rate (amr) file format</span></li>
<li><span style="font-weight: 400;">Images captured from the device camera</span></li>
<li><span style="font-weight: 400;">Images stored on both internal device and SDCard storage that are listed in the MediaStore</span></li>
<li><span style="font-weight: 400;">Device geolocation information</span></li>
<li><span style="font-weight: 400;">SMS content</span></li>
<li><span style="font-weight: 400;">Chrome browser search history and bookmarks</span></li>
<li><span style="font-weight: 400;">Call log information</span></li>
<li><span style="font-weight: 400;">Cell tower information</span></li>
<li><span style="font-weight: 400;">Device network metadata, such as phone number, device software version, network country, network operator, SIM country, SIM operator, SIM serial, IMSI, voice mail number, phone type, network type, data state, data activity, call state, SIM state, whether the device is roaming, and whether SMS is supported</span></li>
<li><span style="font-weight: 400;">Standard browser search history</span></li>
<li><span style="font-weight: 400;">Standard browser bookmarks</span></li>
<li><span style="font-weight: 400;">Device handset metadata, such as brand, display, hardware, manufacturer, product, serial, radio version, and SDK</span></li>
</ul>
<h5>Command and control API calls</h5>
<p><span style="font-weight: 400;">ViperRAT samples are capable of communicating with C2 servers through an exposed API as well as websockets. Below is a collection of API methods and a brief description of their purpose.</span></p>
<p><img class="aligncenter size-full wp-image-16573" src="http://blog.lookout.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.50.18-PM.png" alt="" width="743" height="974" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.50.18-PM.png 743w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-16-at-4.50.18-PM-229x300.png 229w" sizes="(max-width: 743px) 100vw, 743px" /></p>
<h5><b>On attribution</b></h5>
<p><span style="font-weight: 400;">Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas. Israeli media published the first reports about the social networking and social engineering aspects of this campaign. However, it’s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report. Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT.</span></p>
<p><span style="font-weight: 400;">ViperRAT has been operational for quite some time, with what appears to be a test application that surfaced in late 2015. Many of the default strings in this application are in Arabic, including the name. It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic. </span></p>
<p><span style="font-weight: 400;">This leads us to believe this is another actor. </span></p>
<h5><b>What this means for you</b></h5>
<p><span style="font-weight: 400;">All Lookout customers are protected from this threat. However, the existence of threats like ViperRAT and Pegasus, </span><a href="https://blog.lookout.com/blog/2016/08/25/trident-pegasus/"><span style="font-weight: 400;">the most sophisticated piece of mobile surveillanceware we’ve seen to date</span></a><span style="font-weight: 400;">, is evidence that attackers are targeting mobile devices.</span></p>
<p><span style="font-weight: 400;">Mobile devices are at the frontier of cyber espionage and other criminal activity. Enterprise and government employees all use these devices in their day-to-day work, which means IT and security leaders within these organizations must prioritize mobile in their security strategies.</span></p>
<p><span style="font-weight: 400;"><em>Interested in learning more about threats like ViperRAT? <a href="https://www.lookout.com/info/enterprise-contact-us">Contact Lookout today</a> to get details about our Threat Advisory Service and Lookout Mobile Endpoint Security.</em> </span></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 non-negotiable principles to combat cyber war on mobile</title>
		<link>https://blog.lookout.com/blog/2017/02/16/principles-cyber-war-mobile/</link>
		<comments>https://blog.lookout.com/blog/2017/02/16/principles-cyber-war-mobile/#respond</comments>
		<pubDate>Thu, 16 Feb 2017 14:00:45 +0000</pubDate>
		<dc:creator><![CDATA[<a class="guest-author">Jennifer Napper, Maj Gen, U.S. Army (Ret)</a>]]></dc:creator>
				<category><![CDATA[Enterprise Mobile Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber war]]></category>
		<category><![CDATA[Federal]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[principles]]></category>

		<guid isPermaLink="false">http://blog.lookout.com/?p=16560</guid>
		<description><![CDATA[Cyber war is a term the U.S. government is intimately familiar with, but woefully unprepared for when it comes to mobile. Government employee mobile devices are a relatively new attack surface, and a particularly valuable one for espionage missions and other criminal intent. Mobile devices access confidential, classified, and other protected data classes. At this<div class="clearfix"><a href="https://blog.lookout.com/blog/2017/02/16/principles-cyber-war-mobile/ " class="btn btn--mini read-more">Read more</a></div>]]></description>
				<content:encoded><![CDATA[<p><img class="aligncenter size-large wp-image-16562" src="http://blog.lookout.com/wp-content/uploads/2017/02/iStock-487459342-1024x683.jpg" alt="" width="1024" height="683" srcset="https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/iStock-487459342-1024x683.jpg 1024w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/iStock-487459342-300x200.jpg 300w, https://fzuxl440zfc1tytbg1auaack-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/iStock-487459342-768x512.jpg 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p><span style="font-weight: 400;">Cyber war is a term the U.S. government is intimately familiar with, but woefully unprepared for when it comes to mobile.</span></p>
<p><span style="font-weight: 400;">Government employee mobile devices are a relatively new attack surface, and a particularly valuable one for espionage missions and other criminal intent. Mobile devices access confidential, classified, and other protected data classes. At this point, that’s just a fact. Both </span><a href="https://fcw.com/articles/2017/01/24/stevens-mobile-comment.aspx"><span style="font-weight: 400;">CSIS and the Presidential Cyber Commission acknowledge</span></a><span style="font-weight: 400;"> that mobile is no longer a fringe technology, but a central instrument that allows employees to get their jobs done.</span></p>
<p><span style="font-weight: 400;">Protecting data on mobile is non-negotiable and the responsibility of federal technology and security leaders across the entire government. </span></p>
<p><span style="font-weight: 400;">There are five principles any federal agency or organization must use to build a mobile security strategy. To forgo such a strategy directly puts sensitive government data at risk.</span></p>
<h5><span style="font-weight: 400;">Defense in depth is a necessary standard in protecting mobile</span></h5>
<p><span style="font-weight: 400;">Agencies should look for mobile security solutions that defend data beyond the surface. Wrapping a mobile device in a management solution may let an IT manager set blacklists or whitelists, but it is not a solution that provides actionable data regarding apps on the device, network threats, exploits of known vulnerabilities, or employee actions that may cause data leakage. A security solution should be holistic. </span></p>
<h5><span style="font-weight: 400;">Don’t fool yourself into thinking mobile security is a “one-and-done”</span></h5>
<p><span style="font-weight: 400;">“Checkbox mentality,” or the belief that deploying a solution relieves a technology or security leader of the burden of protecting data, is a pitfall that should be avoided. Instead, leaders need to take inventory of their technology status, asking themselves the following questions:</span></p>
<ul>
<li><span style="font-weight: 400;">What kind of data are we handling?</span></li>
<li><span style="font-weight: 400;">What types of data would be crippling to my organization if they were leaked?</span></li>
<li><span style="font-weight: 400;">How many devices access data? What types of devices?</span></li>
<li><span style="font-weight: 400;">Which employees need to access what kinds of data?</span></li>
<li><span style="font-weight: 400;">What kinds of threats to this data exist out there?</span></li>
<li><span style="font-weight: 400;">Who in my organization could be targeted?</span></li>
</ul>
<p><span style="font-weight: 400;">Then, the technology or security department can properly vet the appropriate solutions and choose one to engage.</span></p>
<h5><span style="font-weight: 400;">Treat “hygiene” as a four-letter word</span></h5>
<p><span style="font-weight: 400;">The term “hygiene” needs to be deleted from the security dictionary. It’s not about cleaning up issues every once in a while; it’s about having an always-on strategy and technology solution that provides continuous and automated operations, maintenance, and security. </span></p>
<p>“Hygiene” makes you think about brushing your teeth three times a day to stay safe from cavities. You don’t set your alarm three times at night to alert you to burglars. Instead, you rely on the alarm to stay on, working in the background.</p>
<h5><span style="font-weight: 400;">Security technology should not hinge on the lowest bidder</span></h5>
<p><span style="font-weight: 400;">Agencies must treat IT infrastructure, which includes mobile devices, as a critical component of the agency, seeking out the best technology to support security aims. In cases like these, settling for the lowest bidder is not the best strategy.</span></p>
<h5><span style="font-weight: 400;">Keep it simple</span></h5>
<p><span style="font-weight: 400;">Make your strategy short, concise, and achievable. </span></p>
<h5><span style="font-weight: 400;">Agencies have specific needs, but these principles transcend even those nuances</span></h5>
<p><span style="font-weight: 400;">Today, the U.S. government is divided into three very different communities that have very different aims:</span></p>
<ol>
<li><strong>Civilian agencies</strong><span style="font-weight: 400;"> that have citizen-facing functions, such as the IRS, Department of Education, and the Department of Commerce.</span></li>
<li><strong>Homeland defense agencies</strong><span style="font-weight: 400;"> that focus on the protection of our country at home, including law enforcement, DHS, FBI, and the Secret Service. </span></li>
<li><strong>National security organizations</strong><span style="font-weight: 400;"> that protect us from adversaries abroad, such as the Department of Defense and the Intelligence community.</span></li>
</ol>
<p><span style="font-weight: 400;">Each of these agencies and organizations requires different standards when it comes to securing data, but they all have two things in common: they must regulate who can access what, and they must protect sensitive data from unauthorized consumption.</span></p>
<p><span style="font-weight: 400;">According to the Presidential Commission on Enhancing National Cybersecurity, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms.”</span></p>
<p><span style="font-weight: 400;">While each agency might have specific security needs, it’s critical that all prioritize mobile security and act to protect data now.</span></p>
<h5><span style="font-weight: 400;">You’re up against more than you think</span></h5>
<p><span style="font-weight: 400;">We’ve known for years that cyber war is real, but the risk extends to mobile devices as well. </span></p>
<p><span style="font-weight: 400;">Threats like </span><a href="https://www.lookout.com/trident-pegasus-enterprise-discovery"><span style="font-weight: 400;">Pegasus</span></a><span style="font-weight: 400;">, one of the largest threat discoveries in mobile security to date, are highly sophisticated and targeted. Pegasus specifically was capable of accessing messages, calls, emails, logs, and more from apps. This could be extremely damaging to a government agency.</span></p>
<p><span style="font-weight: 400;">No federal organization or agency is exempt. Yet employee mobile devices are flying under the radar when </span><a href="https://www.lookout.com/info/federal-byod-study-lp"><span style="font-weight: 400;">40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior</span></a><span style="font-weight: 400;">. </span></p>
<p><span style="font-weight: 400;">Take control of mobile infrastructure now lest your agency or employees become the entry point for an OPM-size (or bigger) breach. </span></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.lookout.com/blog/2017/02/16/principles-cyber-war-mobile/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
