TMMS 9.8 with IBM Maas360 Integration

TMMS 9.8 with IBM MaaS360 Integration

November 1, 2018 Mobile Threat Landscape

Mostly distributed as pornography applications. Collects privacy information including phone number, device id, sim Shedun 37.49% serials number and so on. Install backdoor on the device and for device administrator privilege. Pretend as a porn player and download other malicious Rootnik 12.41% applications. It also gains root access to devices. Without user’s awareness or authorization, accept command from remote C&C server and execute related operation. Fobus 7.18% Intercept or abort SMS. Collects and leaks users privacy information including phone number, imei, device id etc. Automatically send out SMS without user's authorization or Smssender 4.31% knowledge. Collects user’s privacy information including phone number. Sends SMS to subscribe to premium services without user’s SmsPay 2.47% consents. Collects and leaks users privacy information

• Huge spike is caused by SLocker family. • SLocker locks screen or encrypts filesC Mobile Ransomware Types on Android

Lock Screen File Encryption PIN Hijack

Name Count Description Uploads device and app information to a malicious central XcodeGhost 18 server, creates fake iCloud password login prompts, read and write from the copy-and-paste clipboard

Setup a backdoor to attackers and executes malicious iBackDoor 17 command Abuses private APIs in order to collect more personal Youmi 2 information, including a list of installel apps, serial numbers and user's Apple ID email address etc.

Mobile App Reputation Service is a cloud- based technology that automatically identifies mobile threats based on app behaviour • Crawls & collects a huge number of Android and iOS apps from various markets • Identifies existing and brand new mobile malware • Identifies apps that may abuse privacy and device resources • App repack and vulnerability assessment

Sourcing Crawler Emulator

Smart/Heuristic Pattern SysCall Hooking

UI Trigger UI Behavior Logging Auto Scoring, Manual Analysis Spoofing Data Resource Usage Estimation Battery/Memory/Network/

MSA (Mobile Static Analyzer) Log Collector/Analyzer

Unpack/Decompiling/Un-Packer

MARS APIs/Report/Portal Repack Scanning Sensitive API Check RESTful APIs for Query/Submission Mobile Category Privacy Data Flow Analyzer Checking Comprehensive Report 3rd SDK (Adware) App Vulnerability Scanning Scanning MARS Portal for Partners/Customers Resource Usage Estimation Battery/Memory/Network

• Mathematical models to determine probability if an app is good OR bad • Works well on unknown executable malware • Extracts file features • Models are constantly trained and learn from good & bad app data to maintain their accuracy

Ransom-EncryptLock1 (Known sample) Ransom-EncryptLock2 (Unknown)

13 Copyright 2016 Trend Micro Inc. Machine Learning for Mobile Security Predicts Maliciousness When mobile ransomware features are looked at and compared Ransom-ScreenLock1 (Known sample) Ransom-ScreenLock2 (Unknown)

Example of 2 DEX Opcode – opcode distribution normalized machine learning in graph found to have similar characteristics

Important API call

14 Copyright 2016 Trend Micro Inc. AV-Comparatives Perfect Score Four Years in a Row: 2015 through 2018 TMMS 9.8 Security Features Security Features Description Android iOS • Detect malware infected apps √ √ • Real time scan of apps during installation √ Anti - Malware • Scheduled scan of apps from the management server √ √ • Manual scan of the apps from the devices √ √ App Privacy Leak Detection • Detect apps that are leaking privacy data and information √ • Identifies vulnerabilities in apps such as unauthorized access, weak App Vulnerability Detection data storage practice, poor password implementation, and poor SDK √ programming practice App Repack Detection • Detect apps that have been repacked √ √ • MITM detection √ √ Network Security • Malicious SSL certificate detection √ √ • Suspicious access point detection √ • Malicious iOS profile detection √ • Rooted or jailbroken device detection √ √ Device Vulnerability Protection • Development mode enablement detection √ • USB debugging detection √ • Prevent users from accessing malicious websites Web16 ThreatCopyright Protection 2015 Trend Micro Inc. √ • Android supports Chrome browser Integration with IBM MaaS360 • TMMS 9.8 feeds device security status to IBM MaaS360 • IBM MaaS360 now has the device security status visibility • IBM MaaS360 can now take compliance policy actions on devices with malicious apps installed

• Mobile Security Intelligence Articles http://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/mobile-safety/