TMMS 9.8 with IBM MaaS360 Integration

November 1, 2018

Mobile Threat Landscape

Copyright 2013 Trend Micro Inc.

Over 29 Million Malicious Android Apps Detected by Trend Micro as of Sep. 2018

Top Five Android of 2018 (Jan. – Sep.)

Name | Percentage | Description
Shedun | 37.49% | Mostly distributed as pornography applications. Collects private information including phone number, device ID, SIM serial number and so on. Installs a backdoor on the device and for device administrator privilege.
Rootnik | 12.41% | Pretends to be a porn player and downloads other malicious applications. It also gains root access to devices.
Fobus | 7.18% | Without the user's awareness or authorization, accepts commands from a remote C&C server and executes the related operations. Intercepts or aborts SMS. Collects and leaks the user's private information including phone number, IMEI, device ID etc.
Smssender | 4.31% | Automatically sends out SMS without the user's authorization or knowledge. Collects the user's private information including phone number.
SmsPay | 2.47% | Sends SMS to subscribe to premium services without the user's consent. Collects and leaks the user's private information including phone number and location.

Unique Mobile Ransomware Detected by Trend Micro

• Huge spike is caused by SLocker family.
• SLocker locks screen or encrypts files

Mobile Ransomware Types on Android

• Lock Screen
• File Encryption
• PIN Hijack

Mobile Ransomware Demand Payment

iOS Malware Detected from Apple App Store (Jan. – Sep. 2018)

Name | Count | Description
XcodeGhost | 18 | Uploads device and app information to a malicious central server, creates fake iCloud password login prompts, reads and writes from the copy-and-paste clipboard
iBackDoor | 17 | Sets up a backdoor for attackers and executes malicious commands
Youmi | 2 | Abuses private APIs in order to collect more personal information, including a list of installed apps, serial numbers and the user's Apple ID email address etc.

Introducing TMMS 9.8

Security Powered by Cloud Based MARS

Mobile App Reputation Service is a cloud-based technology that automatically identifies mobile threats based on app behaviour
• Crawls & collects a huge number of Android and iOS apps from various markets
• Identifies existing and brand new
• Identifies apps that may abuse privacy and device resources
• App repack and vulnerability assessment

[Figure: MARS architecture diagram. Blocks: MARS Core; MDA (Mobile Dynamic Analyzer); MSA (Mobile Static Analyzer); MARS APIs/Report/Portal. Component labels: Malware Research; App Sourcing; Crawler; Smart/Heuristic Pattern; Auto Scoring, Manual Analysis; API Force Invoke; Emulator; SysCall Hooking; UI Trigger; UI Behavior Logging; Spoofing Data; Resource Usage Estimation (Battery/Memory/Network); Log Collector/Analyzer; Unpack/Decompiling/Un-Packer; Repack Scanning; Sensitive API Check; Privacy Data Flow Analyzer; Mobile Category Checking; 3rd SDK () Scanning; App Vulnerability Scanning; RESTful APIs for Query/Submission; Comprehensive Report; MARS Portal for Partners/Customers]

TMMS 9.8 with Machine Learning

• Mathematical models to determine probability if an app is good OR bad
• Works well on unknown executable malware
• Extracts file features
• Models are constantly trained and learn from good & bad app data to maintain their accuracy

Why Machine Learning for Mobile Security

Samples of Mobile Ransomware Look Different on the Surface

Ransom-EncryptLock1 (Known sample)
Ransom-EncryptLock2 (Unknown)

Machine Learning for Mobile Security Predicts Maliciousness

When mobile ransomware features are looked at and compared

Ransom-ScreenLock1 (Known sample)
Ransom-ScreenLock2 (Unknown)

Example of 2 DEX Opcode – opcode distribution normalized machine learning in graph found to have similar characteristics

Important API call

AV-Comparatives Perfect Score Four Years in a Row: 2015 through 2018

TMMS 9.8 Security Features

Security Features | Description | Android iOS

Anti-Malware
• Detect malware infected apps √ √
• Real time scan of apps during installation √
• Scheduled scan of apps from the management server √ √
• Manual scan of the apps from the devices √ √

App Privacy Leak Detection
• Detect apps that are leaking privacy data and information √

App Vulnerability Detection
• Identifies vulnerabilities in apps such as unauthorized access, weak data storage practice, poor password implementation, and poor SDK programming practice √

App Repack Detection
• Detect apps that have been repacked √ √

Network Security
• MITM detection √ √
• Malicious SSL certificate detection √ √
• Suspicious access point detection √

Device Vulnerability Protection
• Malicious iOS profile detection √
• Rooted or jailbroken device detection √ √
• Development mode enablement detection √
• USB debugging detection √

Web Threat Protection
• Prevent users from accessing malicious websites √
• Android supports Chrome browser

Integration with IBM MaaS360

• TMMS 9.8 feeds device security status to IBM MaaS360
• IBM MaaS360 now has the device security status visibility
• IBM MaaS360 can now take compliance policy actions on devices with malicious apps installed

TMMS 9.8 Console for the IBM MaaS360 Integration

Add TMMS agents and configure enrollment information

Distribute TMMS agents to devices

Create three TMMS Device Groups with Custom Attributes

Admin can create device compliance policies for dangerous devices

Mobile Security Thought Leadership

• Mobile Security Blogs http://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile/

• Mobile Security Intelligence Articles http://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/mobile-safety/
