Detecting Attackers on Smartphones and Tablets [Part 2]

Author: Sandro Bachmann
Published: 11 June 2024

Have you ever wondered how secure your smartphone really is? With SMS as a gateway for zero-click exploits and the secret installation of spyware such as Pegasus via iMessages, the danger is real. Find out how our toolset detects attacks along the cyber kill chain and minimises the risks of digital threats.

The increase in attacks on mobile devices shows that we are not adequately protecting our mobile phones and tablets against malware and stalkerware. And this is true despite the fact that we carry sensitive data such as payment details, emails and photos around with these devices everywhere we go. Effective cyber defence is therefore absolutely essential. In the first part of this blog series, we put together various recommendations for you on how to deal with malicious apps and neglected libraries. In this second part, we analyse three different vulnerabilities that attackers use as popular gateways for their criminal activities on mobile devices. 

BLASTPASS - initial vector

A popular initial vector for infecting mobile devices is SMS, which on Apple devices means the Messages app, as it processes both SMS and iMessages. By design, a message can be received from any sender and is then processed directly on the recipient's smartphone.

 

Zero-click vulnerabilities

The SMS entry vector is particularly suitable for zero-click exploits. Infections can spread completely unnoticed as no user interaction is necessary for them to take hold on the devices.

 

If a mobile device has a vulnerability that can be exploited via iMessages, for example, the risk is all the greater. It is fair to assume that these kinds of vulnerabilities are specifically sought out in order to compromise mobile devices via the iMessage entry vector.

Because finding suitable vulnerabilities and developing reliable exploits for them is complex and expensive, an actor will be reluctant to deploy such exploits widely. Instead, they are used in a targeted manner so that they work as reliably as possible without being detected. Attackers are more likely to remain undetected for a longer period of time if they avoid using the exploit unnecessarily:

 

An exploit is a piece of software that specifically exploits a security vulnerability to launch malicious code or install and execute malware.

 


Figure 1: Check for indicators of the initial attack vector SMS with the InfoGuard toolset

 

One such vulnerability is BLASTPASS (CVE-2023-41064), which was exploited using malicious PassKit files (the format used for tickets and passes) sent as message attachments. It was discovered by Citizen Lab while examining the smartphone of an employee of an international organisation; the exploit had been used with the aim of installing the Pegasus spyware on that employee's device.

Accordingly, InfoGuard recommends running a compromise assessment as a regular check of the smartphones belonging to particularly exposed employees with access to extremely business-critical information.
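The check shown in Figure 1 boils down to triaging incoming message attachments in the device's message store. The following script is an added example, not InfoGuard's toolset: it builds an in-memory SQLite database whose tables are a simplified model of the iOS sms.db layout (handle, message, attachment and their join table; the rows are constructed), then lists every incoming PassKit attachment and marks those from senders not in a known-contacts list. The MIME type `application/vnd.apple.pkpass` is the registered type for PassKit passes; the table columns used are an assumption you should verify against the real backup.

```python
import sqlite3

PASSKIT_MIME = "application/vnd.apple.pkpass"


def build_sample_sms_db():
    """Construct an in-memory database modelled loosely on iOS sms.db.

    Schema is simplified and all rows are constructed for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              is_from_me INTEGER, date INTEGER);
        CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY, filename TEXT, mime_type TEXT);
        CREATE TABLE message_attachment_join (message_id INTEGER, attachment_id INTEGER);
    """)
    conn.executemany("INSERT INTO handle VALUES (?, ?)", [
        (1, "+15550000001"),  # constructed: a known contact
        (2, "+15550000002"),  # constructed: an unknown sender
    ])
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        (10, 1, 0, 1714000000),  # received from the known contact
        (11, 2, 0, 1714000100),  # received from the unknown sender
        (12, 2, 1, 1714000200),  # sent by the device owner (is_from_me = 1)
    ])
    conn.executemany("INSERT INTO attachment VALUES (?, ?, ?)", [
        (100, "ticket.pkpass", PASSKIT_MIME),
        (101, "offer.pkpass", PASSKIT_MIME),
        (102, "holiday.jpg", "image/jpeg"),
        (103, "pass.pkpass", PASSKIT_MIME),
    ])
    conn.executemany("INSERT INTO message_attachment_join VALUES (?, ?)", [
        (10, 100), (11, 101), (11, 102), (12, 103),
    ])
    return conn


def find_passkit_attachments(conn, known_senders):
    """Return incoming PassKit attachments in date order.

    Each result records whether the sender is outside the known-contacts set,
    which is the case a reviewer wants to look at first.
    """
    query = """
        SELECT m.ROWID, h.id, a.filename, m.date
        FROM message m
        JOIN handle h ON h.ROWID = m.handle_id
        JOIN message_attachment_join j ON j.message_id = m.ROWID
        JOIN attachment a ON a.ROWID = j.attachment_id
        WHERE m.is_from_me = 0
          AND (a.mime_type = ? OR lower(a.filename) LIKE '%.pkpass')
        ORDER BY m.date
    """
    results = []
    for msg_id, sender, filename, date in conn.execute(query, (PASSKIT_MIME,)):
        results.append({
            "message_id": msg_id,
            "sender": sender,
            "filename": filename,
            "date": date,
            "unknown_sender": sender not in known_senders,
        })
    return results


if __name__ == "__main__":
    db = build_sample_sms_db()
    for hit in find_passkit_attachments(db, known_senders={"+15550000001"}):
        flag = "REVIEW" if hit["unknown_sender"] else "ok"
        print(f'[{flag}] message {hit["message_id"]} from {hit["sender"]}: {hit["filename"]}')
```

On a real backup, the same query would be pointed at the decrypted sms.db and the known-sender set populated from the address book; the point of the example is that the filter runs on metadata only, so no attachment ever has to be opened during triage.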


iShutdown – persistence

Attackers aim for persistence on the target device, meaning they try to anchor themselves in the system in such a way that their access survives a device restart, for example. However, persistence often leaves traces that are easy to recognise forensically by checking the known mechanisms used to start processes.

What happens if persistence is more difficult to achieve due to the system architecture and the attacker deliberately chooses not to use this method? Spyware such as Pegasus, Reign and Predator usually need to reinfect their target after a restart, for example via vulnerabilities such as BLASTPASS, mentioned above. The exploit for this vulnerability should not be used more often than necessary due to the detection risk. The attacker, on the other hand, wants to be able to monitor their target at all times, which requires them to reinfect the device as quickly as possible after a restart.

Researchers from the security company Kaspersky have found a way of detecting indicators of such an infection: on the iPhone, every restart of the device is recorded together with its characteristics. Restarts that spyware processes have delayed can be identified in these records, along with the known system paths from which those processes run.

Figure 2: Analysing shutdown cycles with the toolset

 

In addition to acquiring an encrypted iTunes backup, a sysdiagnose archive should first be created manually on the device by pressing a special key combination. The resulting archive file can then be sent to InfoGuard for analysis, either on its own or together with the encrypted iTunes backup. Our customers receive detailed instructions as part of a compromise assessment. Depending on the granularity of the investigation, a smartphone may of course need to be physically handed over to our experts.

InfoGuard recommends regularly checking the system diagnostic information for the latest indicators of compromise. This also includes, for example, analysing the shutdown log, which is part of the system diagnostics information.
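To make the shutdown-log check concrete, here is an added example (not Kaspersky's or InfoGuard's code) that parses a constructed log of shutdown cycles and flags reboots that were held up by processes running from non-standard paths. The line shapes (a boot marker, "remaining client" lines naming a pid and path, and "after Ns" lines giving how long shutdown has been waiting) are modelled loosely on the iOS shutdown log but are an assumption for this example, as are the trusted path prefixes and the delay threshold; adapt the regular expressions and the allowlist to the real file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log. In this format, lines written during a shutdown are
# followed by the "=== system boot" marker of the boot that ends that cycle.
SAMPLE_LOG = """\
remaining client pid: 512 (/usr/sbin/mDNSResponder)
after 1s, there are still 1 clients, SIGTERM has been sent
=== system boot: 2024-05-02 08:14:03
remaining client pid: 2331 (/private/var/tmp/launchd_helper)
after 3s, there are still 1 clients, SIGTERM has been sent
after 6s, there are still 1 clients, SIGTERM has been sent
=== system boot: 2024-05-09 19:41:55
=== system boot: 2024-05-11 07:02:10
"""

# Assumptions: where legitimate system daemons are expected to live, and how
# long a stalled shutdown must last before it is worth a closer look.
TRUSTED_PREFIXES = ("/usr/", "/System/", "/sbin/", "/bin/")
DELAY_THRESHOLD_S = 3

BOOT_RE = re.compile(r"^=== system boot: (?P<ts>.+)$")
CLIENT_RE = re.compile(r"^remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)$")
DELAY_RE = re.compile(r"^after (?P<secs>\d+)s, there are still (?P<n>\d+) clients")


@dataclass
class RebootCycle:
    """One shutdown/boot cycle: the lingering clients seen and the longest wait."""
    boot_time: str = ""
    clients: dict = field(default_factory=dict)  # pid -> executable path
    max_delay_s: int = 0


def parse_shutdown_log(text):
    """Group log lines into RebootCycle records, one per boot marker."""
    cycles = []
    pending = RebootCycle()
    for raw in text.splitlines():
        line = raw.strip()
        if m := BOOT_RE.match(line):
            pending.boot_time = m["ts"]
            cycles.append(pending)
            pending = RebootCycle()
        elif m := CLIENT_RE.match(line):
            pending.clients[int(m["pid"])] = m["path"]
        elif m := DELAY_RE.match(line):
            pending.max_delay_s = max(pending.max_delay_s, int(m["secs"]))
    return cycles


def find_suspicious_reboots(cycles, trusted=TRUSTED_PREFIXES, threshold=DELAY_THRESHOLD_S):
    """Flag cycles where shutdown stalled or an untrusted path kept the system waiting."""
    findings = []
    for cycle in cycles:
        untrusted = sorted(p for p in cycle.clients.values() if not p.startswith(trusted))
        if cycle.max_delay_s >= threshold or untrusted:
            findings.append({
                "boot": cycle.boot_time,
                "delay_s": cycle.max_delay_s,
                "untrusted_clients": untrusted,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_reboots(parse_shutdown_log(SAMPLE_LOG)):
        print(f'boot {finding["boot"]}: shutdown waited {finding["delay_s"]}s, '
              f'untrusted clients: {finding["untrusted_clients"] or "none"}')
```

Two signals are combined on purpose: a long wait alone is noisy (a hung legitimate daemon produces it too), and a non-standard path alone may be an unusual but benign tool, while the two together are the pattern the Kaspersky research describes. Keeping each cycle's full client map means a reviewer can still inspect the clean-looking reboots.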


Overprivileged applications – privilege escalation

Is there a simple way for malware on a mobile device to obtain the authorisations it wants? Unfortunately, there is: by tricking users into installing it and approving the requested authorisations. By forensically analysing the relevant databases, the app permissions granted in the past can be listed in detail, evaluated and subjected to a risk assessment.


Figure 3: iPhone authorisations for applications

 

Once attackers have sufficiently high system privileges, they may be able to grant themselves the corresponding authorisations without any user interaction at all.


Figure 4: Overview of the different types of authorisations

 

We therefore recommend that you regularly check the authorisations of all applications. This enables overprivileged or even unknown applications to be detected, which may also be an indicator that the mobile device has been compromised.


Figure 5: Analysis of the application authorisations (here: TCC database on iOS) with the toolset
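The permission review in Figure 5 can be reproduced in a few lines against the TCC database. The script below is an added example, not the toolset's code: it constructs an in-memory SQLite table that is a simplified model of the TCC `access` table (only `service`, `client`, `auth_value` and `last_modified` are modelled, and `auth_value` 2 is taken to mean "allowed", as in recent TCC versions; both are assumptions to verify against the real file), lists the services each app is currently allowed, and compares them with an assumed application inventory so that both unknown apps and grants the inventory does not account for are reported. The `kTCCService…` names are the service identifiers TCC uses; the bundle identifiers and expected-permission sets are constructed.

```python
import sqlite3
from collections import defaultdict

AUTH_ALLOWED = 2  # assumption: TCC auth_value meaning "allowed"


def build_sample_tcc_db():
    """Construct an in-memory TCC-like access table with sample grants (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER, last_modified INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.bank", 2, 1714600000),
        ("kTCCServiceMicrophone", "com.example.flashlight", 2, 1714650000),
        ("kTCCServiceContacts", "com.example.flashlight", 2, 1714650010),
        ("kTCCServicePhotos", "com.example.flashlight", 2, 1714650020),
        ("kTCCServiceCamera", "com.example.unknownutil", 2, 1715300000),
        ("kTCCServiceCamera", "com.example.notes", 0, 1714700000),  # denied by the user
    ])
    return conn


def granted_permissions(conn):
    """Map each client bundle id to the sorted list of services it is allowed to use."""
    grants = defaultdict(set)
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)
    )
    for service, client in rows:
        grants[client].add(service)
    return {client: sorted(services) for client, services in grants.items()}


# Assumed application inventory: bundle id -> services the app legitimately needs.
EXPECTED = {
    "com.example.bank": {"kTCCServiceCamera"},      # scans documents
    "com.example.flashlight": set(),                # needs no TCC-guarded service at all
    "com.example.notes": {"kTCCServiceCamera"},
}


def audit_permissions(conn, expected=EXPECTED):
    """Report apps missing from the inventory and grants the inventory does not cover."""
    findings = []
    for client, services in sorted(granted_permissions(conn).items()):
        if client not in expected:
            findings.append({"client": client, "service": None, "reason": "unknown_app"})
            continue
        for service in services:
            if service not in expected[client]:
                findings.append({"client": client, "service": service, "reason": "unexpected_grant"})
    return findings


if __name__ == "__main__":
    db = build_sample_tcc_db()
    for finding in audit_permissions(db):
        print(f'{finding["reason"]:16} {finding["client"]} {finding["service"] or ""}')
```

Denied entries are deliberately kept out of the grant map but not out of the table: a later pass can still use `last_modified` to see when a permission changed, which is how a grant made shortly after an unexplained reboot or an unknown app's install would stand out in a timeline.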

Using backups to track attack traces

Creating regular encrypted backups of mobile devices is strongly recommended, and the backups should be retained for a longer period of time. This makes it possible to detect compromises that occurred some time ago and to compare older backups against more recent ones in a targeted way.


For companies, our experts from the Cyber Defence Center offer a compromise assessment for mobile devices. To this end, your business smartphones are checked for the following security vulnerabilities either once or at regular intervals:

  • Traces of past compromises
  • Current configuration for the necessary system hardening and security

We also provide you with appropriate measures to minimise the risks of a digital threat and prepare you as best possible for an incident involving a compromised smartphone.

