Mobile antivirus not working

TL;DR: if your corporate mobile devices need an antivirus, you are doing everything wrong, and the antivirus will not help you.

This post is the result of a heated debate on whether an antivirus is needed on a corporate mobile phone, in what cases it works, and in what cases it is useless. The article analyzes the threat models that, in theory, an antivirus should protect against.

Antivirus vendors often manage to convince corporate customers that an antivirus will greatly improve their security, but in most cases this is an illusory protection that only lowers the vigilance of both users and administrators.

The right corporate infrastructure

When a company has dozens or even thousands of employees, it is impossible to configure each user device by hand. Settings change every day, new employees join, and their phones and laptops break or get lost. Left to itself, the admins' entire working day would consist of rolling out new settings to employees' devices.

On desktop computers this problem was solved long ago. In the Windows world such management is usually done through Active Directory, centralized authentication (single sign-on), and so on. But now every employee has a smartphone in addition to a computer; a significant part of the work happens on it and important data is stored there. Microsoft tried to integrate Windows Phone into a single ecosystem with Windows, but that idea died together with Windows Phone itself. So in a corporate environment the choice is, in any case, between Android and iOS.

Today the fashionable way to manage employee devices is UEM (Unified Endpoint Management): a centralized management system for both mobile devices and desktop computers.

Centralized management of user devices (Unified endpoint management)

The UEM system administrator can set different policies for user devices. For example, allowing the user more or less control over the device, installing applications from third-party sources, etc.

What UEM can do:

Manage all settings - the administrator can completely forbid the user to change settings on the device and can change them remotely.

Control the software on the device - decide which applications may be installed, and install applications silently, without the user's involvement. The administrator can also allow or forbid installation from the application store or from untrusted sources (APK files in the case of Android).

Remote lock and wipe - if the phone is lost, the administrator can lock the device or erase its data. Some systems can also wipe the data automatically if the phone has not checked in with the server for more than N hours. This covers the case where the attacker pulls the SIM card before the wipe command can reach the device and then tries to break into it offline.

Collect statistics - track user activity, application usage time, location, battery level, and so on.

What are UEM

There are two fundamentally different approaches to centralized management of employee smartphones. In the first, the company buys devices from a single manufacturer for its employees and usually picks a management system from the same vendor. In the second, employees use their personal devices for work, and that is where the zoo of operating systems, versions and platforms begins.

BYOD (Bring Your Own Device) is a model in which employees use their personal devices and accounts for work. Some centralized management systems can add a second, work account and fully separate personal and work data.


Apple Business Manager - Apple's native centralized management platform. It can only manage Apple devices: macOS computers and iOS phones. Supports BYOD by creating a second, isolated environment tied to a separate managed Apple ID.


Google Cloud Endpoint Management - manages Android and Apple iOS phones as well as Windows 10 desktops. BYOD support is advertised.

Samsung Knox UEM - supports only Samsung mobile devices, so choosing it also ties you to Samsung's own mobile management stack.

In fact there are many more UEM vendors, but this article will not go through them all. The point is that such systems already exist and let the administrator configure user devices to match the actual threat model.

Threat Model

Before choosing protective measures you need to understand what you are protecting against and what the worst outcome is in your particular case. Loosely speaking, our torso is easily pierced by a bullet, a fork or even a nail, yet we do not put on body armor when leaving the house. Our threat model does not include being shot on the way to work, although statistically that is not so improbable. Under certain conditions, though, wearing body armor is entirely justified.

Threat models differ from company to company. Take, for example, the smartphone of a courier on the way to deliver a parcel. It holds only the address of the current delivery and the route on a map. The worst that can happen to that data is a leak of delivery addresses.

Now take an accountant's smartphone. It has VPN access to the corporate network, a corporate banking client installed, and documents with valuable information stored on it. Obviously, the value of the data on these two devices differs greatly, and they should be protected differently.

Antivirus will save us?

Unfortunately, behind the marketing slogans, the real substance of what an antivirus does on a mobile device gets lost. Let's look in detail at what the antivirus actually does on a phone.

Security audit

Most modern mobile antiviruses audit the security settings on the device. This audit is sometimes referred to as a "device reputation check". Antiviruses consider a device safe if four conditions are met:

  • The device is not hacked (root, jailbreak).
  • The device has a password set.
  • USB debugging is not enabled on the device.
  • The device is not allowed to install applications from untrusted sources (sideloading).

If the check finds the device unsafe, the antivirus notifies the owner and offers to disable the "dangerous" functionality, or to restore the factory firmware if there are signs of root or jailbreak.

In a corporate setting it is not enough to notify the user: unsafe configurations have to be ruled out. That is done by configuring security policies on the mobile devices through the UEM system. And if root or jailbreak is detected, corporate data must be removed from the device promptly and its access to the corporate network blocked; UEM can do that as well. Only after these steps can the mobile device be considered safe.
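The four conditions above, as an added example that is not part of the original article: a small Python evaluator that parses a snapshot of `adb shell getprop` output and `settings get` values and maps the result to the UEM action the text describes (wipe and block on root, otherwise notify and enforce policy). The snapshot is constructed for the example. The property and settings keys are real Android keys; `device_secure` stands in for what `KeyguardManager.isDeviceSecure()` would report and is an assumption about the collecting agent.

```python
import re

# Constructed snapshot of what a management agent (or `adb shell`) could read
# from an Android device. The values are invented, not captured from a device.
# `device_secure` is an assumed field standing in for KeyguardManager.isDeviceSecure().
SAMPLE_SNAPSHOT = {
    "getprop": (
        "[ro.build.tags]: [test-keys]\n"
        "[ro.debuggable]: [1]\n"
        "[ro.secure]: [1]\n"
        "[ro.build.version.release]: [7.1.2]\n"
    ),
    # `settings get global adb_enabled`, `settings get secure install_non_market_apps`
    "settings": {"global": {"adb_enabled": "1"},
                 "secure": {"install_non_market_apps": "0"}},
    "su_paths": ["/system/xbin/su"],   # su binaries found at the usual locations
    "device_secure": False,            # no PIN/password/pattern set
}

GETPROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `adb shell getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def evaluate_posture(snapshot):
    """Return (findings, action) for the four device-reputation conditions."""
    props = parse_getprop(snapshot["getprop"])
    glob = snapshot["settings"].get("global", {})
    sec = snapshot["settings"].get("secure", {})
    findings = []

    # 1. Root or modified firmware: su binary, test-keys build, debuggable or
    #    insecure build. Any one of these is enough to distrust the device.
    if (snapshot.get("su_paths")
            or "test-keys" in props.get("ro.build.tags", "")
            or props.get("ro.debuggable") == "1"
            or props.get("ro.secure") == "0"):
        findings.append("rooted_or_modified")
    # 2. No screen lock.
    if not snapshot.get("device_secure", False):
        findings.append("no_screen_lock")
    # 3. USB debugging enabled.
    if glob.get("adb_enabled") == "1":
        findings.append("usb_debugging")
    # 4. Sideloading. install_non_market_apps is a global switch only up to
    #    Android 7; from Android 8 the permission is per app, so a UEM should
    #    enforce the DISALLOW_INSTALL_UNKNOWN_SOURCES restriction instead.
    if sec.get("install_non_market_apps") == "1":
        findings.append("unknown_sources")

    # Map findings to what the article says the UEM must do.
    if "rooted_or_modified" in findings:
        action = "wipe_corporate_data_and_revoke_network_access"
    elif findings:
        action = "notify_user_and_enforce_uem_policy"
    else:
        action = "compliant"
    return findings, action


if __name__ == "__main__":
    print(evaluate_posture(SAMPLE_SNAPSHOT))
```

The root check is deliberately "any signal wins": a single su binary or a test-keys build is enough, because once the device is rooted nothing the agent reads afterwards can be trusted.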

Search and removal of viruses

Contrary to popular belief, iOS is not free of malware. Exploits for older iOS versions that infect a device through browser vulnerabilities still circulate in the wild. At the same time, the architecture of iOS makes a classic antivirus for the platform impossible: applications cannot enumerate the installed apps and are heavily restricted in accessing files. Only UEM can obtain the list of installed iOS apps, and even UEM cannot access files.

With Android the situation is different. Apps can learn which apps are installed on the device and can even read their installation packages (APK Extractor and its equivalents do exactly that). Android apps can also access files (Total Commander and the like), and Android apps can be decompiled.

With such capabilities, the following antivirus algorithm looks logical:

  • Application check:
    • get the list of installed applications and the checksums (hashes) of their installation packages;
    • look up the applications and their checksums first in the local and then in the global database;
    • if the application is unknown, send its package to the global database for analysis and decompilation.

  • File scanning, searching for malware signatures:
    • look up file checksums in the local and then the global database;
    • check files for unsafe content (scripts, exploits, etc.) against the local and then the global databases;
    • if malware is detected, notify the user and/or block the user's access to the malware and/or pass the information to the UEM. Handing over to UEM is necessary because the antivirus cannot remove malware from the device by itself.

The biggest concern is that installation packages get sent from the device to an external server. Without this the "behavioral analysis" advertised by antivirus vendors cannot be implemented, since on the device itself an application cannot be run in a separate sandbox or decompiled (how effective decompilation is against obfuscation is a separate, difficult question). On the other hand, employees' devices may carry corporate applications the antivirus has never seen, because they are not published on Google Play. Such apps may contain sensitive data, which is precisely why they are kept off the public store. Sending their packages to the antivirus vendor looks wrong from a security standpoint. It would make sense to put them on an exception list, but I am not aware of such a mechanism so far.
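The application-check steps above, together with the exception list the text wishes for, as an added Python example (not the article's code and not any vendor's): it parses constructed `pm list packages -f` output, hashes constructed APK bytes, consults a local allowlist and denylist before the global database, and never queues packages on the corporate exception list for upload. The local "known good" set is the kind of list a one-time pre-distribution check of UEM-pushed apps would produce. All package names, paths, hashes and the vendor database are invented; `read_apk` and `global_lookup` stand in for reading files off the device and querying the vendor cloud.

```python
import hashlib

# `adb shell pm list packages -f` prints "package:<apk path>=<package name>" per line.
# Constructed sample, not output from a real device.
SAMPLE_PM_LIST = """package:/data/app/com.bank.mobile-1/base.apk=com.bank.mobile
package:/data/app/com.corp.fieldapp-2/base.apk=com.corp.fieldapp
package:/data/app/com.games.freecoins-1/base.apk=com.games.freecoins
package:/data/app/com.ads.flashlight-1/base.apk=com.ads.flashlight
package:/data/app/com.example.unknown-1/base.apk=com.example.unknown
"""

# Stand-in for the APK files on the device (constructed bytes, not real APKs).
SAMPLE_APK_BYTES = {
    "/data/app/com.bank.mobile-1/base.apk": b"PK\x03\x04 bank-app-release-build",
    "/data/app/com.corp.fieldapp-2/base.apk": b"PK\x03\x04 corp-internal-build-17",
    "/data/app/com.games.freecoins-1/base.apk": b"PK\x03\x04 dropper-payload",
    "/data/app/com.ads.flashlight-1/base.apk": b"PK\x03\x04 flashlight-with-adware",
    "/data/app/com.example.unknown-1/base.apk": b"PK\x03\x04 never-seen-before",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_pm_list(text):
    """Map package name -> APK path. rpartition handles paths that contain '='
    (newer Android uses base64-like directory names such as ~~abc==/)."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, pkg = line[len("package:"):].rpartition("=")
        installed[pkg] = path
    return installed


# Local database: hashes of packages vetted before release (what a pre-upload
# check for UEM-distributed apps produces) and hashes of known malware.
LOCAL_DB = {
    "known_good": {sha256_hex(SAMPLE_APK_BYTES["/data/app/com.bank.mobile-1/base.apk"])},
    "known_bad": {sha256_hex(SAMPLE_APK_BYTES["/data/app/com.games.freecoins-1/base.apk"])},
}
# Packages whose binaries must never leave the device for vendor-side analysis.
CORPORATE_PACKAGES = {"com.corp.fieldapp"}
# Stand-in for the vendor's global database (hash -> verdict); invented content.
GLOBAL_DB = {sha256_hex(SAMPLE_APK_BYTES["/data/app/com.ads.flashlight-1/base.apk"]): "adware"}


def triage(pm_list_text, read_apk, local_db, corporate_packages, global_lookup):
    """Classify each installed APK; return (verdicts, packages queued for upload)."""
    verdicts, upload_queue = {}, []
    for pkg, path in parse_pm_list(pm_list_text).items():
        digest = sha256_hex(read_apk(path))
        if digest in local_db["known_bad"]:
            verdicts[pkg] = "malware"          # report to UEM; the AV cannot uninstall it
        elif digest in local_db["known_good"]:
            verdicts[pkg] = "clean"
        elif pkg in corporate_packages:
            # Unknown build of a corporate app: keep it on the device, flag for
            # the admin, but never ship the binary to the vendor.
            verdicts[pkg] = "unknown_corporate_not_uploaded"
        else:
            verdict = global_lookup(digest)    # hash-only query first
            if verdict is None:
                upload_queue.append((pkg, digest))
                verdicts[pkg] = "unknown_queued_for_analysis"
            else:
                verdicts[pkg] = verdict
    return verdicts, upload_queue


if __name__ == "__main__":
    result, queue = triage(SAMPLE_PM_LIST, SAMPLE_APK_BYTES.__getitem__,
                           LOCAL_DB, CORPORATE_PACKAGES, GLOBAL_DB.get)
    print(result, queue)
```

Note the order of checks: the denylist wins over the allowlist, the local lists are consulted before anything leaves the device, and the corporate exception is tested before the global lookup, so an unknown internal build is neither hashed against the vendor's database nor uploaded.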

Malware without root privileges can

1. Draw its own invisible window over an application, or supply its own keyboard, to capture what the user types: account credentials, bank card details, and so on. A recent example is CVE-2020-0096, which lets a malicious app replace the active screen of a legitimate application and thereby obtain the data the user enters. For the user this can mean losing a Google account, with its access to the device backup, and bank card data. For the organization what matters is not losing its own data. If that data lives in the application's private storage and is excluded from the Google backup, this class of malware cannot reach it.

2. Access data in public directories: Downloads, Documents, the gallery. Information of value to the company should not be stored there, because any application can read those directories, and the user can always share a confidential document through any app available to them.

3. Pester the user with ads, mine cryptocurrency, join a botnet, and so on. This can hurt the performance of the user and/or device, but is not a threat to corporate data.

Malware with root privileges can potentially do anything. Such malware is rare, because gaining root on a modern, patched Android device from an ordinary application is very hard. The best-known kernel vulnerability of this kind is Dirty COW (CVE-2016-5195), found in 2016, and such bugs are discovered infrequently. What matters here is that as soon as the UEM client sees signs of root, it wipes all corporate data from the device, so the chance of successfully stealing corporate data with such malware is low.

Malicious files can harm both the mobile device and the corporate systems it has access to. Let's examine these scenarios in more detail.

A mobile device can be damaged, for example, by a picture that turns the device into a "brick" or reboots it when opened or set as wallpaper. That harms the device or the user, but does not affect data confidentiality. Although there are exceptions.

Consider the recently discussed vulnerability CVE-2020-8899. It was claimed that a malicious image delivered by e-mail, messenger or MMS could give an attacker a shell on Samsung devices. Shell access means access only to public directories, where confidential information should not be kept, but users' personal data is still at risk, and this frightened users. In reality the attack only works over MMS, and a successful attack requires sending between 75 and 450 (!) messages. An antivirus will not help here, because it has no access to the message log. There are only two protections: update the OS or block MMS. You may wait a long time for the first, possibly forever, because device manufacturers do not release updates for every device. Disabling MMS reception is far easier.

Files transferred from mobile devices can harm corporate systems. Say a mobile device holds an infected file that is harmless to the device but can infect a Windows computer. The user e-mails it to a colleague, who opens it on a PC and may infect it. But at least two antiviruses already stand in the way of this attack vector: one on the mail server and one on the recipient's PC. Adding a third, on the mobile device, looks like outright paranoia.

As you can see, the biggest threat in the corporate digital world is malware without root privileges. Where can it come from on a mobile device?

Most often it is installed by sideloading, over adb, or from third-party stores, all of which should be forbidden on devices with access to the corporate network. That leaves two channels: Google Play and the UEM itself.

Before publication on Google Play every application goes through a mandatory review, but for apps with few installs the review is usually automated, with no human involved. So malware does occasionally make it into Google Play, though not often. An antivirus whose databases are updated promptly can detect such apps on the device before Google Play Protect does, since Play Protect still lags in how quickly its databases are updated.

UEM can push any application to a mobile device, including malware, so every application must be checked beforehand. Applications can be checked during development with static and dynamic analysis tools, and immediately before distribution with specialized sandboxes and/or antivirus solutions. The important thing is that the application is checked once, before it is uploaded to UEM; an antivirus on the mobile device is therefore not needed in this case.

Network protection

Depending on the manufacturer of the antivirus, one or more of the following functions may be offered as part of network protection.

URL filtering is used to:

  • Blocking traffic by resource category - for example, forbidding news and other non-work content before lunch, when the employee is most productive. In practice such blocking has many gaps: antivirus vendors do not always keep their category directories up to date, especially given the many "mirrors", and anonymizers and Opera VPN usually bypass the blocking altogether.
  • Protection against phishing and spoofing of the target host. For this the URLs the device visits are first checked against the antivirus database. Both the links and the resources they lead to (including chains of redirects) are checked against a database of known phishing sites. The domain name, certificate and IP address observed by the mobile device are also compared with what a trusted server sees. If the client and the server see different data, this is either a man-in-the-middle (MITM) or traffic interception by the same antivirus, or by some proxy or web filter on the network the mobile device is connected to. It is hard to say for certain that someone is in the middle.
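The redirect-chain and certificate-comparison checks described above, as an added Python example that is not from the article: it follows redirects with a hop limit and loop detection, normalizes every hostname (lowercase, IDNA/punycode) before looking it up in a phishing list, and compares the certificate fingerprint the client observed with the one a trusted server reports, which is exactly the point where the client can see that someone is in the middle but not who. The network, hosts, phishing entries and fingerprints are all constructed; `fetch_sample` stands in for an HTTP client and is an assumption of the example.

```python
from urllib.parse import urlsplit

# Constructed "network": URL -> (HTTP status, Location header, SHA-256
# fingerprint of the server certificate as the client saw it). All invented.
SAMPLE_NETWORK = {
    "http://short.example/go": (302, "http://short.example/go2", None),
    "http://short.example/go2": (302, "https://login.examp1e-bank.example/", None),
    "https://login.examp1e-bank.example/": (200, None, "11" * 32),
    "https://bänk.example/login": (200, None, "12" * 32),   # Unicode lookalike
    "https://login.bank.example/": (200, None, "22" * 32),  # intercepted below
    "https://intranet.example/": (200, None, "44" * 32),
    "http://loop.example/a": (302, "http://loop.example/b", None),
    "http://loop.example/b": (302, "http://loop.example/a", None),
}


def normalize_host(host):
    """Lowercase, drop a trailing dot and IDNA-encode, so the Unicode and
    punycode spellings of the same name compare equal against the database."""
    host = host.lower().rstrip(".")
    return host.encode("idna").decode("ascii")


# Phishing database, normalized the same way as observed hostnames (constructed).
PHISHING_HOSTS = {normalize_host(h) for h in ["login.examp1e-bank.example", "bänk.example"]}
# Certificate fingerprints the trusted (out-of-band) server reports (constructed).
PINNED_FINGERPRINTS = {"login.bank.example": "33" * 32, "intranet.example": "44" * 32}


def follow_redirects(url, fetch, max_hops=10):
    """Return the list of (url, fingerprint) hops; raise ValueError on a loop
    or when the hop limit is exceeded."""
    hops, seen = [], set()
    while True:
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        if len(hops) >= max_hops:
            raise ValueError("too many redirects")
        seen.add(url)
        status, location, fingerprint = fetch(url)
        hops.append((url, fingerprint))
        if status in (301, 302, 303, 307, 308) and location:
            url = location
        else:
            return hops


def check_url(url, fetch, phishing_hosts, pinned):
    """Classify a URL as 'phishing', 'redirect_error', 'certificate_mismatch' or 'ok'."""
    try:
        hops = follow_redirects(url, fetch)
    except ValueError:
        return "redirect_error"
    # Every hop is checked, not just the final page: the phishing host may sit
    # in the middle of the chain and bounce cautious visitors elsewhere.
    for hop_url, _ in hops:
        if normalize_host(urlsplit(hop_url).hostname or "") in phishing_hosts:
            return "phishing"
    final_url, seen_fp = hops[-1]
    host = normalize_host(urlsplit(final_url).hostname or "")
    expected = pinned.get(host)
    if expected is not None and seen_fp != expected:
        # Either an attacker in the middle or a corporate proxy re-signing TLS:
        # the client cannot tell which, only that the certificate differs.
        return "certificate_mismatch"
    return "ok"


def fetch_sample(url):
    """Stand-in for an HTTP client: looks the URL up in the constructed network."""
    return SAMPLE_NETWORK[url]


if __name__ == "__main__":
    for u in ("http://short.example/go", "https://login.bank.example/"):
        print(u, check_url(u, fetch_sample, PHISHING_HOSTS, PINNED_FINGERPRINTS))
```

The verdict "certificate_mismatch" is deliberately not called "MITM": on a corporate network with a TLS-inspecting proxy it fires for every pinned host, which is the ambiguity the text points out.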

To get at the device's traffic the antivirus either sets up its own VPN or uses the Accessibility API (the API intended for assistive apps). Only one VPN can be active on a mobile device at a time, so network protection from antiviruses that build their own VPN is not applicable in the corporate world: the antivirus VPN simply cannot coexist with the corporate VPN used to reach the corporate network.

Giving the antivirus access to the Accessibility API is another danger. Accessibility access effectively means permission to do anything on the user's behalf: see what the user sees, act inside applications instead of the user, and so on. Since the user must explicitly grant this access to the antivirus, they will most likely refuse, or, if forced, buy themselves a second phone without antivirus.

Firewall

Three functions are hidden under this general name:

  • Statistics on network usage, broken down by application and network type (Wi-Fi, mobile operator). Most Android manufacturers show this data in the Settings app; duplicating it in the antivirus interface seems redundant. Aggregated data across all devices may be of interest, and UEM systems already collect and analyze it.
  • Mobile data limit - setting a limit and notifying when it is reached. For most Android users this is available in the Settings app. Centralized configuration of such limits is a job for UEM, not antivirus.
  • Firewalling proper, that is blocking access to particular IP addresses and ports. Given that all popular services sit behind constantly changing addresses (CDNs and dynamic DNS), and that the antivirus needs its own VPN for this, which, as described above, cannot coexist with the main VPN, the function looks inapplicable in corporate practice.

Wi-Fi Proxy Verification

Mobile antiviruses can assess the security of the Wi-Fi networks the device joins; presumably they check whether encryption is present and how strong it is. But every modern program already encrypts sensitive data in transit. So if some program is vulnerable at the link layer, it is dangerous to use over any Internet channel, not just public Wi-Fi. Public Wi-Fi, even unencrypted, is therefore no more dangerous than any other untrusted, unencrypted transmission channel.

Spam protection

This protection usually comes down to filtering incoming calls against a user-defined list or a database of known spammers, the ones endlessly pushing insurance, loans and theater invitations. (They do not call during lockdown, but they will start again soon enough.) Only calls are filtered; on current Android, messages are not. Given that spammers change numbers regularly and text channels (SMS, messengers) cannot be protected, this functionality is more marketing than practical.

Anti-theft protection

Remote actions on a mobile device that has been lost or stolen: an alternative to Apple's Find My iPhone and Google's Find My Device. Unlike those, the antivirus vendors' services cannot block a device once the attacker has reset it to factory settings. Until that happens, you can remotely do the following with the device:

  • Lock. Protects only against a petty thief, because the lock is easily bypassed by a factory reset from recovery.
  • Get the device's coordinates. Useful if the device was lost recently.
  • Turn on a loud beep to find the device if it is on silent mode.
  • Factory-reset the device. Makes sense when the user has accepted that the device is gone for good but does not want the data on it disclosed.
  • Take a photo. Photograph the intruder while the phone is in their hands. The most dubious feature: the chance that an attacker admires the phone in good lighting is slim, while the presence on the device of an app that can silently control the camera, take pictures and send them to its server is a reasonable cause for alarm.

Remote command execution is basic functionality in any UEM system; the only thing they lack is remote photography. That one is a sure way to make users pull the batteries out of their phones and drop them into a Faraday bag at the end of the working day.

Anti-theft features in mobile antiviruses exist only for Android. On iOS only UEM can perform such actions, and there can be only one UEM on an iOS device: that is an architectural feature of iOS.

Conclusions

  1. A situation in which a user can install malware on a phone is UNACCEPTABLE.
  2. A properly configured UEM on a corporate device removes the need for an antivirus.
  3. Against 0-day vulnerabilities in the operating system the antivirus is useless; at best it can tell the administrator that the device is vulnerable.
  4. The antivirus cannot tell whether a vulnerability is being exploited, nor can it substitute for security updates on a device the manufacturer no longer patches, which for most devices happens after a year or two.
  5. Setting aside regulatory requirements and marketing, corporate mobile antiviruses are needed only on Android devices where users can reach Google Play and install programs from third-party sources. In every other case their effectiveness is nothing more than a placebo.


Source: habr.com
