Links to all parts:
Part 1. Initial access to a mobile device (Initial Access)
Part 2. Persistence and Privilege Escalation
To gain unauthorized access to mobile device resources, adversaries use various methods to capture passwords, tokens, cryptographic keys and other credentials. Obtaining legitimate credentials gives an adversary all the permissions of the compromised account in the system or network, which makes malicious activity harder to detect. With appropriate access, the adversary can also create legitimate accounts for later use in the attacked environment.
The author is not responsible for the possible consequences of applying the information contained in this article, and apologizes for any inaccuracies in some wording and terms. The published information is a free retelling of the content of the ATT&CK Mobile Matrices: Device Access.
Platform: Android
Description: Android Accessibility Features is a set of tools for people with disabilities. Malicious apps can use Android's accessibility features to retrieve sensitive data or perform malicious actions. The APIs that provide accessibility services give access to the contents of the interfaces the user interacts with (for example, reading or composing an e-mail, editing a document, etc.). This functionality lets people with disabilities work with publicly available mobile applications. It also attracts malware authors, but to activate an accessibility service the user must click through a number of unusual security warnings.
Protection recommendations: Android 7.0 and above include additional protection against this technique. Before allowing an application to be installed in a corporate environment, check it for possible abuse of accessibility features, or implement a Mobile App Reputation Service to detect known malicious applications.
Platform: Android
Description: In Android before version 4.1, an attacker can use a malicious application holding the READ_LOGS permission to retrieve private keys, passwords, and other credentials and confidential data stored in the device's system log. In Android 4.1 and later, an attacker can access the log only after successful privilege escalation in the OS.
Security Tips: If you are a mobile application developer, do not write sensitive data to the system log in production applications. Starting with Android 4.1, applications cannot access the system log (except for the entries the application itself wrote). With physical access to the device, the system log can be read over USB using the Android Debug Bridge (adb) utility.
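As an added check for the tip above (example code written for this article, not from the original text or from any Android tooling), the script below scans a logcat capture of the application under test for credential-like strings. The patterns and the sample log lines are constructed for illustration; in practice the input would be the output of `adb logcat -d` saved to a file.

```python
"""Scan captured logcat output for credential-like strings.

Added example: given text captured with `adb logcat -d` for the app under
test, flag lines that appear to carry secrets. The patterns and the sample
log lines below are constructed for illustration; tune them to the
application you are vetting.
"""
import re

# Each entry: a name and a regex matching a common credential shape.
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{16,}=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "password_kv": re.compile(r"(?i)\b(pass(word)?|pwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
}

# logcat "threadtime" format: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2})\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$"
)


def parse_logcat_line(line):
    """Return a dict of fields for a threadtime-format line, or None if it does not parse."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def find_secrets(logcat_text):
    """Return a list of (tag, pattern_name, excerpt) for every suspicious line.

    Only the first 12 characters of the match are kept, so the report itself
    does not become a second copy of the secret.
    """
    hits = []
    for raw in logcat_text.splitlines():
        fields = parse_logcat_line(raw)
        msg = fields["msg"] if fields else raw          # fall back to the raw line
        tag = fields["tag"].strip() if fields else "?"
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(msg)
            if m:
                hits.append((tag, name, m.group(0)[:12] + "..."))
    return hits


# Constructed sample capture: two leaky lines, two harmless ones.
SAMPLE_LOGCAT = """\
03-14 10:22:01.123  4242  4242 D AuthClient: request headers: Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345
03-14 10:22:01.130  4242  4242 I NetStack : GET /api/v1/profile 200 OK
03-14 10:22:02.001  4242  4250 W LoginForm: login attempt user=alice password=Hunter2!
03-14 10:22:02.010  4242  4242 I Lifecycle: MainActivity resumed
"""

if __name__ == "__main__":
    for tag, kind, excerpt in find_secrets(SAMPLE_LOGCAT):
        print(f"[{kind}] tag={tag} excerpt={excerpt}")
```

Run against the sample it reports the `AuthClient` bearer token and the `LoginForm` password line and stays silent on the other two; the excerpt is truncated on purpose so the finding can be pasted into a ticket.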
Platform: Android, iOS
Description: An attacker may attempt to read files containing confidential data or credentials (private keys, passwords, access tokens). This technique requires either elevated privileges in the OS or the presence of a target application that stores data insecurely (with unsafe access rights or in an unsafe location, for example, an external storage directory).
Security Tips: Ensure that the applications you use do not store sensitive data with insecure permissions or in an insecure location. Android and iOS provide hardware-backed credential storage in an isolated location where credentials are not compromised even if privilege escalation succeeds. Android 7 applies stricter default file permissions in the application's internal directory, reducing the chance of insecure permissions being used.
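The two weak spots named above (insecure permissions and external storage) can be checked on a test device. The script below is an added example, not from the original article: it takes an `ls -l` listing of an application's data directory (captured, for instance, with `adb shell run-as <package> ls -l files` on a debuggable build, or from a rooted test device) and flags entries that are world-readable, world-writable, or located on external storage. The directory name and listing are constructed for the example.

```python
"""Flag insecurely stored files in an app's data directory listing.

Added example: parse `ls -l` lines captured from an Android device and report
entries with "other" read/write bits set, plus anything living on external
storage (/sdcard, /storage/...), where any app with storage permission can read it.
The sample listing below is constructed.
"""
import re

# One `ls -l` entry: mode, optional link count (toybox prints it, old toolbox did not),
# owner, group, then size/date/time, then the name (last whitespace-free token).
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxstST-]{9})\s+(?:\d+\s+)?(?P<owner>\S+)\s+(?P<group>\S+)\s+.*\s(?P<name>\S+)$"
)

EXTERNAL_PREFIXES = ("/sdcard", "/storage/")


def audit_listing(directory, listing):
    """Return (path, problem) pairs for entries a reviewer should look at."""
    findings = []
    on_external = directory.startswith(EXTERNAL_PREFIXES)
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skips "total N" lines and anything unparsable
        path = f"{directory.rstrip('/')}/{m.group('name')}"
        others = m.group("mode")[7:10]  # permission bits for "other" users
        if "r" in others:
            findings.append((path, "world-readable"))
        if "w" in others:
            findings.append((path, "world-writable"))
        if on_external:
            findings.append((path, "on external storage"))
    return findings


# Constructed listing of a private data directory: one file is world-accessible.
SAMPLE_DIR = "/data/data/com.example.notes/files"
SAMPLE_LISTING = """\
total 12
-rw------- 1 u0_a150 u0_a150  4096 2019-03-14 10:22 session.db
-rw-rw-rw- 1 u0_a150 u0_a150   512 2019-03-14 10:22 auth_token.txt
drwxr-xr-x 2 u0_a150 u0_a150  4096 2019-03-14 10:22 cache
"""

if __name__ == "__main__":
    for path, problem in audit_listing(SAMPLE_DIR, SAMPLE_LISTING):
        print(f"{problem:20s} {path}")
```

On the sample, `session.db` passes, `auth_token.txt` is reported twice (readable and writable by any other app on pre-Android 7 devices), and the `cache` directory is reported as world-readable; the same function applied to a directory under `/sdcard` reports every entry as being on external storage.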
Platform: Android
Description: An Android Intent is an interprocess messaging object with which one application can request an action from a component of another application. A malicious application can register to receive intents meant for other applications and thereby obtain sensitive values, such as OAuth authorization codes.
Security Tips: Application security testing should include identifying insecure use of intents. Mobile application developers should use methods that ensure intents are delivered only to the intended destination (for example, use explicit intents, check permissions, verify the certificate of the target application, or use App Links, added in Android 6.0, by which the user is redirected to the target application bypassing the application selection dialog). Mobile applications that use OAuth should follow best practices.
Platform: Android, iOS
Description: Malicious applications may attempt to capture sensitive data stored in the device's clipboard, for example, passwords copied or pasted from a password manager application.
Protection recommendations: In a corporate environment, implement processes to check applications for vulnerabilities and unwanted behaviour, application installation restriction policies, and Bring Your Own Device (BYOD) policies that impose restrictions only on the part of the device controlled by the enterprise. EMM/MDM systems or other mobile device protection solutions can detect the presence of unwanted or malicious applications on corporate devices.
Platform: Android, iOS
Description: A malicious application may collect sensitive data sent in SMS messages, including authentication data. SMS messages are often used to deliver multifactor authentication codes.
An Android application must request and be granted permission to receive SMS messages at installation or run time. Alternatively, a malicious application may try to elevate privileges to bypass this protection. iOS applications cannot access SMS messages in normal operation, so the adversary first needs to perform a privilege escalation attack.
Security Tips: In a corporate environment, it is recommended that applications be pre-checked for the RECEIVE_SMS permission. If such a permission is found, the application requires detailed analysis.
Platform: Android
Description: Malicious applications or another attack vector can be used to exploit vulnerabilities in code executing in the Trusted Execution Environment (TEE). The adversary can then obtain the privileges the TEE has, including access to cryptographic keys or other sensitive data. To attack the TEE, the adversary may first need elevated privileges in the OS. If not, TEE privileges can in turn be used to exploit OS vulnerabilities.
Protection recommendations: check applications for known vulnerabilities, apply security updates, and use the latest OS versions.
Platform: Android, iOS
Description: A malicious application can register as a device keyboard and intercept keystrokes as the user enters sensitive data, such as a username and password.
Security Tips: Applications rarely register as a keyboard, so those that do should be carefully analyzed during pre-installation checking. Both iOS and Android require explicit user permission to use a third-party software keyboard. Users should exercise extreme care before granting such permission when asked.
Platform: Android, iOS
Description: An attacker can capture inbound and outbound traffic or redirect network traffic through an adversary-controlled gateway to obtain credentials and other confidential data.
A malicious application can register as a VPN client on Android or iOS in order to gain access to network packets. However, on both platforms the user must consent to the application acting as a VPN client, and on iOS the application additionally requires special permission from Apple.
Alternatively, a malicious application may try to elevate privileges in order to gain access to network traffic. An adversary can redirect network traffic to a gateway under their control by establishing a VPN connection or by changing the proxy settings on the attacked device. One example is redirecting network traffic by installing a malicious iOS configuration profile (link to the source).
Security Tips: Carefully review an application requesting VPN access before allowing it. Encrypting traffic is not always effective, because the adversary can intercept traffic before it is encrypted. Both iOS and Android show an indicator for an active VPN connection in the status bar at the top of the device.
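Several of the pre-installation checks recommended above (accessibility services, the READ_LOGS permission, RECEIVE_SMS, third-party keyboards, VPN clients) can be read straight from the application manifest. The script below is an added example, not from the original article or from any Android tool: it parses the text AndroidManifest.xml that `apktool d app.apk` produces and reports the permissions and privileged service bindings a reviewer should look at. The permission and action names are the real Android ones; the manifest used as input is constructed for the example.

```python
"""Pre-install vetting of a decoded AndroidManifest.xml.

Added example: read the text manifest that `apktool d app.apk` writes and
report the permissions and bound services that warrant manual review:
RECEIVE_SMS / READ_SMS (SMS capture), READ_LOGS (system-log access on old
Android or with root), GET_TASKS (foreground-app detection on old Android),
and services the app exposes as an accessibility service, VPN client or
software keyboard. The manifest below is constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# uses-permission values that warrant manual review before installation
REVIEW_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS (MFA codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_LOGS": "system log access (effective on Android < 4.1 or with root)",
    "android.permission.GET_TASKS": "foreground-app detection (getRunningTasks, Android < 5.1.1)",
}

# A service declared with one of these permissions is bound by the system in a
# privileged role once the user enables it in Settings.
REVIEW_SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: reads and acts on other apps' UI",
    "android.permission.BIND_VPN_SERVICE": "VPN client: sees all device network traffic",
    "android.permission.BIND_INPUT_METHOD": "software keyboard: sees all keystrokes",
}


def vet_manifest(manifest_xml):
    """Return a list of (kind, name, reason) findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for up in root.iter("uses-permission"):
        name = attr(up, "name")
        if name in REVIEW_PERMISSIONS:
            findings.append(("permission", name, REVIEW_PERMISSIONS[name]))
    for svc in root.iter("service"):
        perm = attr(svc, "permission")
        if perm in REVIEW_SERVICE_BINDINGS:
            findings.append(("service", attr(svc, "name"), REVIEW_SERVICE_BINDINGS[perm]))
    return findings


# Constructed manifest: a "notes" app that also wants SMS and an accessibility role.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity" android:exported="true"/>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name, reason in vet_manifest(SAMPLE_MANIFEST):
        print(f"REVIEW {kind:10s} {name}: {reason}")
```

For the sample manifest the script reports the RECEIVE_SMS permission and the accessibility-bound `.HelperService`; INTERNET and the ordinary `.SyncService` produce no finding. A hit is a trigger for detailed analysis, as the article says, not proof of malice: an SMS client or a real screen reader legitimately needs these.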
Platform: iOS
Description: URL schemes (as Apple calls them) are URL handlers that can be invoked by Safari or used by one application to call another. For example, the tel: scheme can be used to launch the Phone application and dial a specific number by placing the corresponding HTML on the target page:
<iframe src="tel:"></iframe>
The skype: scheme will launch a Skype call:
<iframe src="skype:user?call"></iframe>
iOS allows applications from different developers to share the same URL scheme. A malicious application can register the URL scheme of another application, which lets it intercept a call meant for the legitimate application and obtain user credentials or OAuth authorization codes through a phishing interface.
Security Tips: When analyzing an application's security, check for potentially dangerous URL schemes. Give preference to applications that use universal links (a link that redirects the user to a specific installed application) as an alternative to URL schemes.
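The URL-scheme review recommended here and the intent-hijacking check from the Android section earlier on this page both come down to the same question: which schemes does the app claim, and are any of them custom schemes that another app could also claim? The script below is an added example (not from the original article or from any Apple or Android tool) that answers it for an Android manifest and an iOS Info.plist: on Android a scheme counts as verified only when it is http/https inside an intent-filter marked `android:autoVerify="true"` (App Links, Android 6.0+); on iOS, universal links are configured outside Info.plist, so every `CFBundleURLSchemes` entry is a classic, shareable URL scheme. The manifest and plist are constructed for the example.

```python
"""Inventory of URL-scheme handlers in an Android manifest and an iOS Info.plist.

Added example. Android: list every activity intent-filter that handles
VIEW + BROWSABLE with a data scheme, and mark it verified only for http/https
with android:autoVerify="true". iOS: list CFBundleURLSchemes from Info.plist.
Inputs below are constructed.
"""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def android_scheme_handlers(manifest_xml):
    """Return (activity, scheme, verified) for every browsable scheme handler."""
    root = ET.fromstring(manifest_xml)
    handlers = []
    for act in root.iter("activity"):
        for filt in act.findall("intent-filter"):
            actions = {attr(a, "name") for a in filt.findall("action")}
            cats = {attr(c, "name") for c in filt.findall("category")}
            if ("android.intent.action.VIEW" not in actions
                    or "android.intent.category.BROWSABLE" not in cats):
                continue
            auto_verify = attr(filt, "autoVerify") == "true"
            for data in filt.findall("data"):
                scheme = attr(data, "scheme")
                if scheme:
                    verified = auto_verify and scheme in ("http", "https")
                    handlers.append((attr(act, "name"), scheme, verified))
    return handlers


def hijackable(handlers):
    """Handlers any other app could also register for (custom or unverified schemes)."""
    return [h for h in handlers if not h[2]]


def ios_url_schemes(info_plist_bytes):
    """Return the URL schemes declared under CFBundleURLTypes in an Info.plist."""
    info = plistlib.loads(info_plist_bytes)
    schemes = []
    for entry in info.get("CFBundleURLTypes", []):
        schemes.extend(entry.get("CFBundleURLSchemes", []))
    return schemes


# Constructed manifest: the OAuth callback is reachable both via a custom scheme
# (hijackable) and via a verified https App Link (safe).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application>
    <activity android:name=".OAuthCallback" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplebank" android:host="oauth"/>
      </intent-filter>
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="bank.example.com" android:path="/oauth/callback"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed Info.plist for the iOS build of the same app.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.bank",
    "CFBundleURLTypes": [{"CFBundleURLName": "com.example.bank.oauth",
                          "CFBundleURLSchemes": ["examplebank"]}],
})

if __name__ == "__main__":
    for activity, scheme, verified in android_scheme_handlers(SAMPLE_MANIFEST):
        print(f"android {activity} {scheme}: {'verified' if verified else 'HIJACKABLE'}")
    for scheme in ios_url_schemes(SAMPLE_INFO_PLIST):
        print(f"ios custom scheme: {scheme}")
```

For the sample the `examplebank:` handler is reported as hijackable on both platforms while the verified `https://bank.example.com/oauth/callback` App Link is not; a reviewer would expect the OAuth redirect to use only the verified form.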
Platform: Android, iOS
Description: User interface spoofing is used to trick a user into providing confidential information, including credentials, bank details, or personal data.
Spoofing the UI of a legitimate application or device function
On both Android and iOS, an adversary can impersonate the user interface of a legitimate application or device function, prompting the user to enter confidential information. The limited display size of mobile devices (compared to PCs) reduces the contextual information that can be shown to the user (for example, the full website address) and that could warn the user of the danger. An attacker can also use this technique without any presence on the mobile device, for example, through a fake web page.
Impersonating a legitimate application
A malicious application can completely imitate the target application: use the same name and icon, be installed on the device through an authorized app store or delivered by other means (see application delivery techniques), and then ask the user to enter confidential information.
Abuse of OS capabilities to interfere with a legitimate application
In older versions of Android, a malicious application can use regular OS functions to interfere with a running application. An example is the deprecated ActivityManager.getRunningTasks method (available in Android before version 5.1.1), which allowed obtaining the list of OS processes and determining the foreground application, for example in order to launch a fake duplicate interface on top of it.
Security Tips: In a corporate environment, it is recommended to set up application checks for vulnerabilities and undesirable behaviour (malicious or privacy-violating), and to implement application installation restriction policies or Bring Your Own Device (BYOD) policies that apply only to the part of the device controlled by the company. Training and user guides help maintain a specific configuration of corporate devices and sometimes prevent specific risky user actions.
EMM/MDM systems or other mobile device protection solutions can automatically detect the presence of unwanted or malicious applications on corporate devices. Software developers typically have the ability to scan app stores for unauthorized apps submitted under their developer ID.
It is recommended to use only the latest versions of mobile OS, which as a rule contain not only fixes but also an improved security architecture that provides resistance to as yet undiscovered vulnerabilities.