Mobile enterprise management tools are targeted by spyphones, researchers warn

iOS devices are targeted the most, they said

Enterprises that use mobile device management (MDM) systems to protect their corporate data on employees' mobile phones are not safe from attacks from spyphones, researchers warned at BlackHat Europe on Thursday.

Over the next five years, 65 percent of enterprises will adopt a mobile device management (MDM) system for corporate users, technology research company Gartner predicted last October. Companies will use the systems to manage network traffic and corporate data on smartphones and tablets, which nowadays are often owned by employees and used for both private and corporate tasks.

Companies are using MDM systems to protect their data, but they must be aware that while the systems are useful, they don't provide full security and can be targeted by so-called spyphones, warned Daniel Brodie, senior security researcher at the Israeli security company Lacoon Security, and Michael Shaulov, CEO and co-founder of the company, at the BlackHat conference in Amsterdam.

MDM systems try to tackle security issues by providing a "secure container" on mobile devices, encrypting the part of the device that handles business data and offering the option to remotely wipe or lock that section if a phone is stolen or an employee quits. However, common MDM security offerings can be circumvented by planting surveillance tools on a phone without the user's knowledge, turning it into a spyphone, Brodie told a crowd of conference attendees.

A survey conducted by Lacoon in cooperation with global cellular network providers showed that about one in 1,000 phones was a spyphone, according to Brodie's research paper. Of the 175 compromised devices found, 52 percent were attributed to Apple's iOS, 35 percent to Android phones, 7 percent to Nokia phones and 6 percent to other devices, he said.

"This is a very alarming number," Brodie said. The problem with spyphones is that while the software is installed on a single device, it is used to target whole organizations for espionage purposes, Brodie said. And as such, the impact of a spyphone attack on an organization can be "extremely high," he added.

Most spyphones are used for recording confidential phone calls and board meetings, tracking locations, extracting call logs as well as text messages and voice memos, and snooping on corporate emails and application data, Brodie said.

Secure containers of MDM systems can be bypassed in order to install spyphone software. On Android devices this can be done by publishing a seemingly innocent application in an Android market. Once the victim has installed the app, it fetches the malicious code, which is then downloaded onto the device, the researchers said. After this, the spyphone creates a hidden binary and uses it for privileged operations, such as reading the device's logs.

iOS devices are much harder to crack but are probably more appealing to spyphone makers since a lot of companies are standardizing on iOS, Brodie said. An attacker has to install a signed application on the targeted device using an enterprise developer certificate. The attacker then uses a jailbreak exploit -- removing limitations and protections to gain root access to iOS -- to inject container-bypass code into the secure container. After that, the attacker removes every trace of the jailbreak.

"If you're looking at the phone you're not going to see if it's jailbroken," said Brodie, adding that he and Shaulov had several times tried to jailbreak an iPhone that was already jailbroken. They simply did not notice it already was, they said.

Once the jailbreak is removed, the spyphone places hooks in the secure container using Objective-C hooking mechanisms. The spyphone is then alerted when an email is read, is able to pull the email and subsequently sends every loaded email to a command and control (C&C) server controlled by the attackers, according to Brodie.

While mobile OSes try to protect themselves by protecting the OS from attackers and users, jailbreaking and rooting methods are rendering this security mechanism irrelevant, according to Brodie.

"Infection is inevitable," Brodie said. This however doesn't mean that MDMs are not useful. They are useful for separating personal and business data and can also be very useful when used for remote-wipe operations, the researchers said.

Companies need to be aware though that MDMs cannot provide absolute security, the researchers said. The security industry therefore should try to find a way to solve this problem, they added. Solutions could for instance look at network parameters and abnormal behavior to identify an infected device. Those signals could include behavioral analysis to spot unusual activity, traffic to well-known C&C servers, and data intrusion detection, they said.
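The detection approach the researchers sketch, as an added example that is not part of the original article and is not Lacoon's own code: it runs over constructed mobile flow records (device, timestamp, destination, bytes sent) and combines three of the signals named above, matching destinations against a known C&C indicator list, flagging timer-like "beaconing" to one host, and flagging a device that sends far more data to an unfamiliar host than it normally sends anywhere. The indicator list, the corporate allowlist, the log format and every sample record are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed indicator list (hypothetical hosts) standing in for threat intel
# on spyphone C&C servers; a real deployment would load a curated feed.
KNOWN_C2 = {"c2.example-bad.net", "203.0.113.77"}

# Constructed allowlist of corporate destinations that legitimately receive
# large uploads (mail, file sync); not treated as exfiltration targets.
CORP_HOSTS = {"mail.corp.example", "sync.corp.example"}


@dataclass(frozen=True)
class Flow:
    device: str
    ts: int          # epoch seconds
    dst: str         # destination host or IP
    bytes_out: int   # bytes sent by the device


def parse_flows(lines):
    """Parse constructed flow records of the form: device ts dst bytes_out."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, ts, dst, bytes_out = line.split()
        flows.append(Flow(device, int(ts), dst, int(bytes_out)))
    return flows


def c2_hits(flows):
    """Indicator match: any flow to a known C&C destination."""
    return sorted({(f.device, f.dst) for f in flows if f.dst in KNOWN_C2})


def beaconing(flows, min_count=4, max_jitter=0.1):
    """Flag (device, dst) pairs contacted at near-constant intervals.
    Spyphones poll their C&C on a timer; some legitimate apps do too,
    so this is a signal to correlate, not a verdict on its own."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.device, f.dst)].append(f.ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= max_jitter * mid for g in gaps):
            hits.append(pair)
    return sorted(hits)


def upload_anomalies(flows, factor=10):
    """Flag a non-corporate destination that receives more than `factor`
    times the median volume the same device sends to its other hosts
    (the pattern of forwarding every loaded email to an outside server)."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.device][f.dst] += f.bytes_out
    hits = []
    for device, dsts in per_dst.items():
        for dst, total in dsts.items():
            if dst in CORP_HOSTS or dst in KNOWN_C2:
                continue
            others = [v for d, v in dsts.items() if d != dst]
            if others and total > factor * median(others):  # leave-one-out baseline
                hits.append((device, dst, total))
    return sorted(hits)


def detect(lines):
    """Return {device: [finding, ...]} combining all three signals."""
    flows = parse_flows(lines)
    findings = defaultdict(list)
    for dev, dst in c2_hits(flows):
        findings[dev].append(f"known C&C contact: {dst}")
    for dev, dst in beaconing(flows):
        findings[dev].append(f"beaconing to {dst}")
    for dev, dst, total in upload_anomalies(flows):
        findings[dev].append(f"abnormal upload of {total} bytes to {dst}")
    return dict(findings)


# Constructed telemetry for three devices over roughly an hour.
SAMPLE_LOG = """
# device   ts          dst                    bytes_out
dev-a      1700000000  mail.corp.example      42000
dev-a      1700000900  mail.corp.example      38000
dev-a      1700001800  cdn.news.example       1200
dev-b      1700000000  mail.corp.example      40000
dev-b      1700000600  c2.example-bad.net     900
dev-b      1700001200  c2.example-bad.net     950
dev-b      1700001800  c2.example-bad.net     910
dev-b      1700002400  c2.example-bad.net     940
dev-c      1700000000  mail.corp.example      41000
dev-c      1700000300  cdn.news.example       1500
dev-c      1700000700  api.weather.example    800
dev-c      1700001000  drop.unknown-host.org  2600000
"""

if __name__ == "__main__":
    for device, notes in detect(SAMPLE_LOG.splitlines()).items():
        print(device, "->", "; ".join(notes))
```

On the constructed sample, dev-a raises nothing, dev-b is caught twice (indicator match plus 600-second beaconing to the same host) and dev-c, which contacts no known indicator, is caught only by the upload baseline. The leave-one-out median matters for the last case: a device that talks to only two hosts would otherwise hide its exfiltration inside its own baseline.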

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
